Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: JS Job Manager
Vulnerability: Cross-Site Request Forgery via multiple functions
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings
Vulnerability: Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation
Patched Version: 7.5.5
Recommended Action: Update to version 7.5.5, or a newer patched version
Plugin: TS Webfonts for さくらのレンタルサーバ
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Call Now Accessibility Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: WordPress Tables
Vulnerability: Reflected Cross-Site Scripting via error_msg
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Report Post
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ajax Pagination and Infinite Scroll
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CRM and Lead Management by vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Aajoda Testimonials
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: bbPress Toolkit
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VK Blocks
Vulnerability: Authenticated (Contributor+) Settings Update
Patched Version: 1.57.0.10
Recommended Action: Update to version 1.57.0.10, or a newer patched version
Plugin: Contact Form Builder by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.1
Recommended Action: Update to version 4.10.1, or a newer patched version
Plugin: Floating Action Button
Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Missing Authorization
Patched Version: 1.8.16
Recommended Action: Update to version 1.8.16, or a newer patched version
Plugin: Kanban Boards for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.21
Recommended Action: Update to version 2.5.21, or a newer patched version
Plugin: Yandex Metrica Counter
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Registration Calendar By vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Social Media Share Buttons & Social Sharing Icons
Vulnerability: Missing Authorization via handle_installation
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Authenticated (Administrator+) SQL Injection via ‘type’
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version
Plugin: Event Registration Calendar By vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Builder by vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder with Image Map by AZEXO
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping
Vulnerability: Cross-Site Request Forgery via enableDisable and deletePost
Patched Version: 1.6.4.6
Recommended Action: Update to version 1.6.4.6, or a newer patched version
Plugin: Ultimate Product Catalog
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version
Plugin: Page Builder with Image Map by AZEXO
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: KiviCare – Clinic & Patient Management System (EHR)
Vulnerability: Sensitive Information Exposure
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Donation Platform for WooCommerce: Fundraising & Donation Management
Vulnerability: Cross-Site Request Forgery to Survey Submission
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version
Plugin: WP Hide Post
Vulnerability: Cross-Site Request Forgery via save_bulk_edit_data
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Missing Authorization to Settings Update and Arbitrary File Upload
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Social Media Share Buttons & Social Sharing Icons
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: WooCommerce Box Office
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.51
Recommended Action: Update to version 1.1.51, or a newer patched version
Plugin: KiviCare – Clinic & Patient Management System (EHR)
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Missing Authorization on REST-API
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version
Plugin: Contact Form and Calls To Action by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: Dynamic Visibility for Elementor
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Post Visibility Modification
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version
Plugin: WP Full Auto Tags Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cart2Cart: Magento to WooCommerce Migration
Vulnerability: Missing Authorization via setToken
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive CSS EDITOR
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Builder by vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: USM Premium
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 16.3
Recommended Action: Update to version 16.3, or a newer patched version
Plugin: PowerPress Podcasting plugin by Blubrry
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘Feed[title]’
Patched Version: 10.2.4
Recommended Action: Update to version 10.2.4, or a newer patched version
Plugin: WPC Smart Wishlist for WooCommerce
Vulnerability: Cross-Site Request Forgery via wishlist_add and wishlist_remove
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version
Plugin: Dynamic QR Code Generator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Uncanny Toolkit for LearnDash
Vulnerability: Open Redirect
Patched Version: 3.6.4.4
Recommended Action: Update to version 3.6.4.4, or a newer patched version
Plugin: Abandoned Cart Lite for WooCommerce
Vulnerability: Authentication Bypass
Patched Version: 5.15.2
Recommended Action: Update to version 5.15.2, or a newer patched version
Plugin: SpamReferrerBlock
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Improper Authorization via get_remote_templates REST endpoint
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More
Vulnerability: Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.6.14
Recommended Action: Update to version 1.6.14, or a newer patched version
Plugin: FormCraft – Form Builder
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Missing Authorization to Account Logout
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: LWS Hide Login
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: Kanban Boards for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.21
Recommended Action: Update to version 2.5.21, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: WP Directory Kit
Vulnerability: Reflected Cross-Site Scripting via ‘search’
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Constant Contact Forms
Vulnerability: Missing Authorization via constant_contact_optin_ajax_handler
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: WooCommerce Box Office
Vulnerability: Missing Authorization
Patched Version: 1.1.52
Recommended Action: Update to version 1.1.52, or a newer patched version
Plugin: KiviCare – Clinic & Patient Management System (EHR)
Vulnerability: Missing Authorization
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Bulk Order Form for WooCommerce
Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: bbPress Toolkit
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Addons Pro for Elementor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.25
Recommended Action: Update to version 2.8.25, or a newer patched version
Plugin: WP Inventory Manager
Vulnerability: Cross-Site Request Forgery via delete_item
Patched Version: 2.1.0.14
Recommended Action: Update to version 2.1.0.14, or a newer patched version
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version
Plugin: Page Builder with Image Map by AZEXO
Vulnerability: Cross-Site Request Forgery to Post Creation/Modification/Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Brizy – Page Builder
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 2.4.19
Recommended Action: Update to version 2.4.19, or a newer patched version
Plugin: B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Price Modification
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version
Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task
Patched Version: 7.5.5
Recommended Action: Update to version 7.5.5, or a newer patched version
Plugin: WP Brutal AI
Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Extended Post Status
Vulnerability: Missing Authorization via wp_insert_post_data
Patched Version: 1.0.20
Recommended Action: Update to version 1.0.20, or a newer patched version
Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Vulnerability: Insecure Direct Object Reference to Arbitrary Post Deletion
Patched Version: 1.11.12
Recommended Action: Update to version 1.11.12, or a newer patched version
Plugin: VK Blocks
Vulnerability: Authenticated (Contributor+) Settings Update
Patched Version: 1.58.0.0
Recommended Action: Update to version 1.58.0.0, or a newer patched version
Plugin: WordPress Social Login
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: KiviCare – Clinic & Patient Management System (EHR)
Vulnerability: Reflected Cross-Site Scripting via ‘filterType’
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: CodeColorer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.10.1
Recommended Action: Update to version 0.10.1, or a newer patched version
Plugin: Visitor Traffic Real Time Statistics
Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 6.9
Recommended Action: Update to version 6.9, or a newer patched version
Plugin: Uncanny Toolkit for LearnDash
Vulnerability: Missing Authorization via review-banner-visibility REST route
Patched Version: 3.6.4.4
Recommended Action: Update to version 3.6.4.4, or a newer patched version
Plugin: WP Brutal AI
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version
Plugin: Change WooCommerce Add To Cart Button Text
Vulnerability: Missing Authorization via rexvs_settings_submit
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Online Booking and Scheduling Plugin – Bookly
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 21.8
Recommended Action: Update to version 21.8, or a newer patched version
Plugin: WP Inventory Manager
Vulnerability: Cross-Site Request Forgery via delete_item
Patched Version: 2.1.0.14
Recommended Action: Update to version 2.1.0.14, or a newer patched version
Plugin: Kebo Twitter Feed
Vulnerability: Cross-Site Request Forgery via kebo_twitter_menu_render
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Catalyst Connect Zoho CRM Client Portal
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: SpamReferrerBlock
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Web Directory Free
Vulnerability: Authenticated (Contributor+) SQL Injection via post_id
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: TPG Redirect
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version
Plugin: Page Builder with Image Map by AZEXO
Vulnerability: Missing Authorization to Post Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution
Vulnerability: Marketing Automation For WordPress <= 2.8.01
Patched Version: 2.8.02
Recommended Action: Update to version 2.8.02, or a newer patched version
Plugin: Gravity Forms Google Sheet Connector
Vulnerability: Cross-Site Request Forgery via verify_code_integation_new
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: CRM and Lead Management by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version
Plugin: WP User Switch
Vulnerability: Authenticated (Subscriber+) Authentication Bypass via Cookie
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: WordPress Social Login
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Cache.com
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Authenticated (Subscriber+) Server Side Request Forgery
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: File Manager Advanced Shortcode WordPress
Vulnerability: Unauthenticated Arbitrary File Upload to Remote Code Execution via Shortcode
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: User Email Verification for WooCommerce
Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Editorial Calendar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via edcal_saveoptions AJAX action
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Cross-Site Request Forgery to Account Logout
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version
Plugin: GDPR Cookie Consent Notice Box
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version