Watch Out Wednesday – March 13, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins so you can stay informed about risks to your site and act on them. Each entry lists the plugin, the vulnerability class, the version that fixes it, and the recommended action. The role in parentheses (for example "Contributor+") is the lowest privilege level an attacker needs to exploit the issue, so "Unauthenticated" entries deserve the most urgent attention. A plugin may appear more than once when several issues were disclosed in the same week; in that case the highest patched version listed is the one to update to. Where no patched version exists, weigh the exposure against your organization's risk tolerance and consider removing the plugin until a fix ships.

Plugin: Shariff Wrapper

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.11
Recommended Action: Update to version 4.6.11, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Registration Form Widget
Patched Version: 2.10.33
Recommended Action: Update to version 2.10.33, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Cross-Site Request Forgery to Plugin Deactivation and Data Erase
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Video Conferencing with Zoom

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Archive Title Widget
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version

Plugin: Themify – WooCommerce Product Filter

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Auto Affiliate Links

Vulnerability: Missing Authorization via aalAddLink
Patched Version: 6.4.3.1
Recommended Action: Update to version 6.4.3.1, or a newer patched version

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Rubix Widget
Patched Version: 3.13.4
Recommended Action: Update to version 3.13.4, or a newer patched version

Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…

Vulnerability: Cross-Site Request Forgery via ladiflow_save_hook()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart App Banner

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Cross-Site Request Forgery to Plugin Data Reset
Patched Version: 1.6.6.24
Recommended Action: Update to version 1.6.6.24, or a newer patched version

Plugin: HT Easy GA4 – Google Analytics WordPress Plugin

Vulnerability: Missing Authorization to Unauthenticated GA4 Email Update
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Pz-LinkCard

Vulnerability: Server-Side Request Forgery
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Event Calendar
Patched Version: 5.9.10
Recommended Action: Update to version 5.9.10, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Missing Authorization
Patched Version: 1.0.263
Recommended Action: Update to version 1.0.263, or a newer patched version

Plugin: Wallet for WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Email Export
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Missing Authorization
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…

Vulnerability: Cross-Site Request Forgery via init_endpoint
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stock Quotes List

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.9.12
Recommended Action: Update to version 2.9.12, or a newer patched version

Plugin: CBX Map for Google Map & OpenStreetMap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.0.33
Recommended Action: Update to version 9.0.33, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Link Wrapper
Patched Version: 4.0.18
Recommended Action: Update to version 4.0.18, or a newer patched version

Plugin: Premium Addons Pro for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Premium Magic Scroll Module
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.5.5
Recommended Action: Update to version 6.5.5, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Basic Information Exposure via REST route
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version

Plugin: Themify – WooCommerce Product Filter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: WPKoi Templates for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Heading Widget
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: Premium Addons Pro for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Global Badge Module
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Missing Authorization to Arbitrary Post Overwrite
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Mollie Forms

Vulnerability: Missing Authorization
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: WooCommerce Add to Cart Custom Redirect

Vulnerability: Authenticated (Contributor+) Missing Authorization to Limited Arbitrary Options Update
Patched Version: 1.2.14
Recommended Action: Update to version 1.2.14, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Missing Authorization to Unauthenticated Media Deletion
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.15.3
Recommended Action: Update to version 4.15.3, or a newer patched version

Plugin: Mollie Forms

Vulnerability: Missing Authorization to Arbitrary Post Duplication
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Backup Bolt

Vulnerability: Sensitive Information Exposure
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…

Vulnerability: Missing Authorization via ladiflow_save_hook()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Wistia Block
Patched Version: 3.9.11
Recommended Action: Update to version 3.9.11, or a newer patched version

Plugin: Premium Addons Pro for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Link
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version

Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon

Vulnerability: Missing Authorization via atkp_import_product
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version

Plugin: Mang Board WP

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: PDF Invoices and Packing Slips For WooCommerce

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Database for CF7

Vulnerability: Missing Authorization via wpcf7db_delete AJAX action
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Bulgarisation for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.15
Recommended Action: Update to version 3.0.15, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.1.8
Recommended Action: Update to version 7.1.8, or a newer patched version

Plugin: WP Lightbox 2

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 3.0.6.6
Recommended Action: Update to version 3.0.6.6, or a newer patched version

Plugin: SMTP Mail

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.21
Recommended Action: Update to version 1.3.21, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget
Patched Version: 3.9.11
Recommended Action: Update to version 3.9.11, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Unauthenticated Stored Self-Based Cross-Site Scripting
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: WP-Members Membership Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.4.9.2
Recommended Action: Update to version 3.4.9.2, or a newer patched version

Plugin: Simple Restrict

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.0.33
Recommended Action: Update to version 9.0.33, or a newer patched version

Plugin: Grid Plus – Unlimited grid layout

Vulnerability: Reflected Cross-Site Scripting via grid_id
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Missing Authorization to Unauthenticated Media Upload
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…

Vulnerability: Missing Authorization on publish_lp()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons Pro for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Messenger Chat Widget
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version

Plugin: Responsive Pricing Table

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.1.11
Recommended Action: Update to version 5.1.11, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Unauthenticated Booking Payment Bypass
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Newsletter2Go

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via style
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Otter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Vulnerability: Unauthenticated Stored Cross-Site Scripting via SVG Upload
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: f(x) Private Site

Vulnerability: Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Password Protected Store for WooCommerce

Vulnerability: Information Exposure via REST API
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Page Builder Gutenberg Blocks – CoBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Mercury Widget
Patched Version: 3.13.3
Recommended Action: Update to version 3.13.3, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Data Table
Patched Version: 5.9.10
Recommended Action: Update to version 5.9.10, or a newer patched version

Plugin: Site Reviews

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via display name
Patched Version: 6.11.7
Recommended Action: Update to version 6.11.7, or a newer patched version

Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.25
Recommended Action: Update to version 1.6.25, or a newer patched version

Plugin: Premium Addons Pro for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Mouse Cursor Module
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Digits: WordPress Mobile Number Signup and Login

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 8.4.2
Recommended Action: Update to version 8.4.2, or a newer patched version

Plugin: Shariff Wrapper

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.10
Recommended Action: Update to version 4.6.10, or a newer patched version

Plugin: WP Chat App

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Logo Widget
Patched Version: 1.3.92
Recommended Action: Update to version 1.3.92, or a newer patched version

Plugin: Easy Accordion – Responsive Accordion FAQ Builder and Product FAQ

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via titleTag
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Otter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via File Field CSS
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: SoundCloud Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Pz-LinkCard

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Carousel Widget
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: Themify – WooCommerce Product Filter

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: CBX Map for Google Map & OpenStreetMap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.5.5
Recommended Action: Update to version 6.5.5, or a newer patched version

Plugin: Hubbub Lite – Fast, Reliable Social Sharing Buttons

Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.33.1
Recommended Action: Update to version 1.33.1, or a newer patched version

Plugin: News Announcement Scroll

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 9.1.0
Recommended Action: Update to version 9.1.0, or a newer patched version

Plugin: JM Twitter Cards

Vulnerability: Information Exposure via Meta Description
Patched Version: 14.1.0
Recommended Action: Update to version 14.1.0, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Author Meta Widget
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version

Plugin: Team Circle Image Slider With Lightbox

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: LogDash Activity Log

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.5.5
Recommended Action: Update to version 6.5.5, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Header/Footer code
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Fiestar Widget
Patched Version: 3.13.2
Recommended Action: Update to version 3.13.2, or a newer patched version

Plugin: Social Sharing Plugin – Sassy Social Share

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.59
Recommended Action: Update to version 3.3.59, or a newer patched version

Plugin: Bulgarisation for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.0.15
Recommended Action: Update to version 3.0.15, or a newer patched version

Plugin: Add to Cart Text Changer and Customize Button, Add Custom Icon

Vulnerability: Cross-Site Request Forgery via wactc_text_form
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Booster Elite for WooCommerce

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 7.1.8
Recommended Action: Update to version 7.1.8, or a newer patched version

Plugin: Shariff Wrapper

Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.6.10
Recommended Action: Update to version 4.6.10, or a newer patched version

Plugin: Envo's Elementor Templates & Widgets for WooCommerce

Vulnerability: Cross-Site Request Forgery via ajax_plugin_activation
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Header Meta Content Widget
Patched Version: 5.4.1
Recommended Action: Update to version 5.4.1, or a newer patched version

Plugin: Restaurant Reservations

Vulnerability: Directory Traversal to Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Wrapper Link URL
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via heading tag
Patched Version: 2.7.4.5
Recommended Action: Update to version 2.7.4.5, or a newer patched version

Plugin: Anti-Malware Security and Brute-Force Firewall

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 4.23.56
Recommended Action: Update to version 4.23.56, or a newer patched version

Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…

Vulnerability: Missing Authorization via save_config()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CWW Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: MakeStories (for Google Web Stories)

Vulnerability: Cross-Site Request Forgery via ‘ms_set_options’
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Schema Pro

Vulnerability: Authenticated (Contributor+) Custom Field Access
Patched Version: 2.7.16
Recommended Action: Update to version 2.7.16, or a newer patched version

Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…

Vulnerability: Cross-Site Request Forgery via publish_lp()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pz-LinkCard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Coming Soon Page & Maintenance Mode

Vulnerability: Maintenance Mode Bypass
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 14.5.1
Recommended Action: Update to version 14.5.1, or a newer patched version

Plugin: Mang Board WP

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Hustle – Email Marketing, Lead Generation, Optins, Popups

Vulnerability: Sensitive Information Exposure via Exposed Hubspot API Keys
Patched Version: 7.8.4
Recommended Action: Update to version 7.8.4, or a newer patched version

Plugin: 1 click disable all

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon

Vulnerability: Missing Authorization via atkp_create_list
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version

Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…

Vulnerability: Cross-Site Request Forgery via save_config()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Bootstrap Elements for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Premium Addons Pro for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multi Scroll Widget
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version

Plugin: weForms – Easy Drag & Drop Contact Form Builder For WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Referer
Patched Version: 1.6.22
Recommended Action: Update to version 1.6.22, or a newer patched version

Plugin: Visitor Traffic Real Time Statistics

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 7.3
Recommended Action: Update to version 7.3, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Burst Statistics – Privacy-Friendly Analytics for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via burst_total_pageviews_count
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Information Exposure via get_posts API Endpoint
Patched Version: 2.2.69
Recommended Action: Update to version 2.2.69, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Insufficient Authorization via wpas_can_delete_attachments()
Patched Version: 6.1.7
Recommended Action: Update to version 6.1.7, or a newer patched version
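The list above is only useful once it is compared against what is actually installed. The following script is an added example, not part of the original post and not a tool from any of the plugin vendors: it takes a plugin inventory in the JSON shape that WP-CLI's `wp plugin list --fields=title,version --format=json` prints, compares each installed version against the patched version from this week's entries, and reports what needs updating. The inventory embedded in the script is constructed for illustration; the advisory table is a hand-picked subset of the entries above (for Shariff Wrapper, which appears three times, the highest patched version is used). Versions are compared numerically, component by component, because a plain string comparison would wrongly treat 1.6.6.3 as newer than 1.6.6.24.

```python
"""Added example (not from the original post): triage an installed-plugin
inventory against the patched versions listed in this week's digest.

Assumptions, stated here and in the comments below:
  * the inventory is the JSON that `wp plugin list --fields=title,version
    --format=json` (WP-CLI) prints; the sample below is constructed, not captured
    from a real site;
  * matching is done on the plugin's display title exactly as the post lists it,
    because the post gives titles rather than plugin slugs.
"""
import json
import re

# Patched versions copied from the entries above. None = no patched version available.
# Where a plugin appears more than once in the post, the highest patched version is used.
ADVISORIES = {
    "Shariff Wrapper": "4.6.11",
    "Tutor LMS – eLearning and online course solution": "2.6.2",
    "Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin": "1.6.6.24",
    "LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…": None,
    "Anti-Malware Security and Brute-Force Firewall": "4.23.56",
    "Password Protected Store for WooCommerce": "2.3",
}

# Constructed sample inventory in the shape of `wp plugin list --fields=title,version --format=json`.
SAMPLE_INVENTORY = json.dumps([
    {"title": "Shariff Wrapper", "version": "4.6.9"},
    {"title": "Tutor LMS – eLearning and online course solution", "version": "2.6.2"},
    {"title": "Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin", "version": "1.6.6.3"},
    {"title": "LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…", "version": "4.4"},
    {"title": "Anti-Malware Security and Brute-Force Firewall", "version": "4.23.56"},
    {"title": "Password Protected Store for WooCommerce", "version": "2.3.0"},
    {"title": "Some Unlisted Plugin", "version": "1.0"},   # not in this week's list
])


def version_key(version):
    """Turn a dotted version into a tuple of ints so that comparisons are numeric
    per component ('1.6.6.24' > '1.6.6.3') and trailing zeros do not matter
    ('2.3' == '2.3.0'). A pre-release suffix such as '-beta1' is ignored."""
    parts = [int(p) for p in re.findall(r"\d+", version.split("-")[0])]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed, patched):
    """True when no fix exists, or the installed version is older than the fix."""
    if patched is None:
        return True
    return version_key(installed) < version_key(patched)


def triage(inventory_json, advisories=ADVISORIES):
    """Map each installed plugin that appears in the advisories to an action string."""
    findings = {}
    for plugin in json.loads(inventory_json):
        title, installed = plugin["title"], plugin["version"]
        if title not in advisories:
            continue                      # not covered by this week's entries
        patched = advisories[title]
        if patched is None:
            findings[title] = "no patch: mitigate or uninstall"
        elif is_vulnerable(installed, patched):
            findings[title] = f"update {installed} -> {patched}"
        else:
            findings[title] = "ok"
    return findings


if __name__ == "__main__":
    for title, action in triage(SAMPLE_INVENTORY).items():
        print(f"{action:36} {title}")
```

On a real site, pipe the WP-CLI output into `triage()` instead of the constructed sample. Matching on display titles is fragile (vendors rename plugins, and translations change the title), so for an automated check prefer the stable slug from WP-CLI's `name` field once you have mapped each entry above to its slug.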

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
