Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: 2.8.2
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Registration Form Widget
Patched Version: 2.10.33
Recommended Action: Update to version 2.10.33, or a newer patched version
Plugin: Beaver Builder Addons by WPZOOM
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonials Widget
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Beaver Builder Addons by WPZOOM
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Box Widget
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: WPBITS Addons For Elementor Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Interactive World Map
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: Auto Affiliate Links
Vulnerability: Missing Authorization via aalAddLink
Patched Version: 6.4.3.1
Recommended Action: Update to version 6.4.3.1, or a newer patched version
Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Rubix Widget
Patched Version: 3.13.4
Recommended Action: Update to version 3.13.4, or a newer patched version
Plugin: Accordion
Vulnerability: Missing Authorization to Authenticated (Contributor+) Post Duplication
Patched Version: 2.2.97
Recommended Action: Update to version 2.2.97, or a newer patched version
Plugin: Scrollsequence – Cinematic Scroll Image Animation Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: oik
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.10.2
Recommended Action: Update to version 4.10.2, or a newer patched version
Plugin: WordPress Automatic Plugin
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 3.92.1
Recommended Action: Update to version 3.92.1, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Event Calendar
Patched Version: 5.9.10
Recommended Action: Update to version 5.9.10, or a newer patched version
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Authenticated (Editor+) Remote Code Execution
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: Free Downloads WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.8.3
Recommended Action: Update to version 3.5.8.3, or a newer patched version
Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.12.8
Recommended Action: Update to version 5.12.8, or a newer patched version
Plugin: Restrict User Access – Ultimate Membership & Content Protection
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: ElementsKit Elementor addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Responsive Gallery Grid
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version
Plugin: Wallet for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Email Export
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Missing Authorization
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: Easy Maintenance Mode
Vulnerability: Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9.1
Recommended Action: Update to version 2.6.9.1, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Missing Authorization to Sensitive Information Exposure in search_posts
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Zippy
Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: 1.6.10
Recommended Action: Update to version 1.6.10, or a newer patched version
Plugin: UX Flat
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Word Replacer Pro
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Content Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Inline Related Posts
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: Maintenance Page
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Site Reviews
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 6.11.7
Recommended Action: Update to version 6.11.7, or a newer patched version
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.0.33
Recommended Action: Update to version 9.0.33, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Directory Traversal to Local File Inclusion
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: User profile
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.21
Recommended Action: Update to version 2.0.21, or a newer patched version
Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.5.44.7212
Recommended Action: Update to version 7.5.44.7212, or a newer patched version
Plugin: Premium Addons Pro for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Premium Magic Scroll Module
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version
Plugin: Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress
Vulnerability: Reflected Cross-Site Scripting via cntctfrm_contact_subject
Patched Version: 4.2.9
Recommended Action: Update to version 4.2.9, or a newer patched version
Plugin: Stripe Payment forms for WordPress – WP Full Pay
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.0.6
Recommended Action: Update to version 7.0.6, or a newer patched version
Plugin: Ultimate Gift Cards for WooCommerce – Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, and Use Advance Coupons With Personalized Templates
Vulnerability: Missing Authorization to Unauthenticated Information Exposure
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version
Plugin: WPBakery Page Builder Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version
Plugin: MainWP Dashboard: WordPress Management without the SaaS
Vulnerability: Cross-Site Request Forgery via posting_bulk
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version
Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Font Farsi
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: WPB Show Core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Banner Link
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.11.8
Recommended Action: Update to version 2.11.8, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Dual Button Widget
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: Premium Addons Pro for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Global Badge Module
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.15.3
Recommended Action: Update to version 4.15.3, or a newer patched version
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Missing Authorization
Patched Version: 1.0.99
Recommended Action: Update to version 1.0.99, or a newer patched version
Plugin: HT Easy GA4 – Google Analytics WordPress Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Event Export
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Widget for Social Page Feeds
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.4
Recommended Action: Update to version 6.4, or a newer patched version
Plugin: Post List Designer by Category – List Category Post Or Recent Post
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: Testimonial – Testimonial Slider and Showcase Plugin
Vulnerability: Missing Authorization to Authenticated (Author+) Settings Update
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version
Plugin: ElementInvader Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Qi Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: Calculated Fields Form
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.1.57
Recommended Action: Update to version 5.1.57, or a newer patched version
Plugin: AFI – The Easiest Integration Plugin
Vulnerability: SQL Injection to Reflected Cross-Site Scripting via integration_id
Patched Version: 1.82.6
Recommended Action: Update to version 1.82.6, or a newer patched version
Plugin: WooThumbs for WooCommerce by Iconic
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version
Plugin: Coming Soon & Maintenance Mode by Colorlib
Vulnerability: Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Remove Add to Cart WooCommerce
Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.28
Recommended Action: Update to version 1.0.28, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Unauthenticated Insecure Direct Object Reference to Form Submission Alteration
Patched Version: 2.10.2
Recommended Action: Update to version 2.10.2, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Modal Popup Effect
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
Vulnerability: Reflected Cross-Site Scripting via plugin
Patched Version: 3.1.42
Recommended Action: Update to version 3.1.42, or a newer patched version
Plugin: Wp Social Login and Register Social Counter
Vulnerability: Missing Authorization to Unauthenticated Social Login/Share Status Update
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Information Exposure to Potential Denial of Service
Patched Version: 9.0.35
Recommended Action: Update to version 9.0.35, or a newer patched version
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7.5
Recommended Action: Update to version 1.3.7.5, or a newer patched version
Plugin: Specific Content For Mobile – Customize the mobile version without redirections
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.9.6
Recommended Action: Update to version 0.1.9.6, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via [reg-select-role] Shortcode
Patched Version: 4.15.1
Recommended Action: Update to version 4.15.1, or a newer patched version
Plugin: Sitekit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Interactive World Map
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: Related Posts for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress
Vulnerability: Reflected Cross-Site Scripting via cntctfrm_contact_address
Patched Version: 4.2.9
Recommended Action: Update to version 4.2.9, or a newer patched version
Plugin: WordPress Contact Forms by Cimatti
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Multislider Widget
Patched Version: 8.3.6
Recommended Action: Update to version 8.3.6, or a newer patched version
Plugin: WordPress Automatic Plugin
Vulnerability: Unauthenticated Arbitrary File Download and Server-Side Request Forgery
Patched Version: 3.92.1
Recommended Action: Update to version 3.92.1, or a newer patched version
Plugin: Builder for WooCommerce product reviews shortcodes – ReviewShort
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.01.4
Recommended Action: Update to version 1.01.4, or a newer patched version
Plugin: GenerateBlocks
Vulnerability: Sensitive Information Exposure
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Web Application Firewall – website security
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: RevivePress – Keep your Old Content Evergreen
Vulnerability: Missing Authorization
Patched Version: 1.5.6.1
Recommended Action: Update to version 1.5.6.1, or a newer patched version
Plugin: Maintenance Page
Vulnerability: Security Mechanism Bypass via REST API
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: SendPulse Free Web Push
Vulnerability: Cross-Site Request Forgery via sendpulse_config
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Simple Restrict
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: SupportCandy – Helpdesk & Customer Support Ticket System
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: WP Show Posts
Vulnerability: Information Exposure
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.0.33
Recommended Action: Update to version 9.0.33, or a newer patched version
Plugin: Contests by Rewards Fuel
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.0.63
Recommended Action: Update to version 2.0.63, or a newer patched version
Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 2.11.19
Recommended Action: Update to version 2.11.19, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget
Patched Version: 2.6.9.1
Recommended Action: Update to version 2.6.9.1, or a newer patched version
Plugin: WooCommerce Cart Abandonment Recovery
Vulnerability: Cross-Site Request Forgery to Templates/Abandoned Orders Deletion
Patched Version: 1.2.27
Recommended Action: Update to version 1.2.27, or a newer patched version
Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: List all posts by Authors, nested Categories and Titles
Vulnerability: Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: Beaver Builder Addons by WPZOOM
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Authenticated Stored Cross-Site Scripting via Video Embed
Patched Version: 9.3.0
Recommended Action: Update to version 9.3.0, or a newer patched version
Plugin: MyCurator Content Curation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.77
Recommended Action: Update to version 3.77, or a newer patched version
Plugin: Coming Soon, Under Construction & Maintenance Mode By Dazzler
Vulnerability: Maintenance Mode Bypass
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Banner, Team Members, and Image Scroll Widgets
Patched Version: 4.10.22
Recommended Action: Update to version 4.10.22, or a newer patched version
Plugin: Animated Headline
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Order Tip for WooCommerce
Vulnerability: Missing Authorization to Unauthenticated Data Export
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Premium Addons Pro for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Messenger Chat Widget
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Missing Authorization to Authenticated (Author+) Arbitrary Post Slug Modification
Patched Version: 2.4.3.2
Recommended Action: Update to version 2.4.3.2, or a newer patched version
Plugin: WP Coder – Code Snippets + HTML, CSS, JS and PHP Injection
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version
Plugin: Beaver Builder Addons by WPZOOM
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Team Members Widget
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.5.2
Recommended Action: Update to version 1.3.5.2, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 5.3.1.0
Recommended Action: Update to version 5.3.1.0, or a newer patched version
Plugin: Beaver Builder Addons by WPZOOM
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Heading Widget
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Relevanssi – A Better Search
Vulnerability: Missing Authorization to Unauthenticated Query Log Export
Patched Version: 4.22.1
Recommended Action: Update to version 4.22.1, or a newer patched version
Plugin: Profile Box Shortcode And Widget
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Slider Widget
Patched Version: 8.3.6
Recommended Action: Update to version 8.3.6, or a newer patched version
Plugin: Link Whisper Free
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.6.9
Recommended Action: Update to version 0.6.9, or a newer patched version
Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Mercury Widget
Patched Version: 3.13.3
Recommended Action: Update to version 3.13.3, or a newer patched version
Plugin: Crisp – Live Chat and Chatbot
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 0.45
Recommended Action: Update to version 0.45, or a newer patched version
Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions
Vulnerability: Information Exposure
Patched Version: 240315
Recommended Action: Update to version 240315, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Data Table
Patched Version: 5.9.10
Recommended Action: Update to version 5.9.10, or a newer patched version
Plugin: Site Reviews
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Display Name
Patched Version: 6.11.7
Recommended Action: Update to version 6.11.7, or a newer patched version
Plugin: Premium Addons Pro for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Mouse Cursor Module
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version
Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version
Plugin: WP Popups – WordPress Popup builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.5.6
Recommended Action: Update to version 2.1.5.6, or a newer patched version
Plugin: Sell Tickets – Event Ticketing and Event Registration – Ticket Tailor for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version
Plugin: Easy Accordion – Responsive Accordion FAQ Builder and Product FAQ
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: Simple Job Board
Vulnerability: Unauthenticated PHP Object Injection via Job Application Fields
Patched Version: 2.11.1
Recommended Action: Update to version 2.11.1, or a newer patched version
Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.8.3.3
Recommended Action: Update to version 3.8.3.3, or a newer patched version
Plugin: Simple Membership
Vulnerability: Unauthenticated Stored Self-Based Cross-Site Scripting
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.12.11
Recommended Action: Update to version 1.12.11, or a newer patched version
Plugin: Sendle Shipping Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.18
Recommended Action: Update to version 5.18, or a newer patched version
Plugin: OxyExtras
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3.1
Recommended Action: Update to version 2.4.3.1, or a newer patched version
Plugin: Albo Pretorio On line
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.6.0
Recommended Action: Update to version 5.2.6.0, or a newer patched version
Plugin: FormFacade – WordPress plugin for Google Forms
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version
Plugin: WP Responsive Tabs horizontal vertical and accordion Tabs
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.18
Recommended Action: Update to version 1.1.18, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Carousel Widget
Patched Version: 8.3.6
Recommended Action: Update to version 8.3.6, or a newer patched version
Plugin: WEN Responsive Columns
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Contact Form 7 – PayPal & Stripe Add-on
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Currency Converter Calculator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: MJM Clinic
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.23
Recommended Action: Update to version 1.1.23, or a newer patched version
Plugin: Social Media Share Buttons
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contests by Rewards Fuel
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via update_rewards_fuel_api_key
Patched Version: 2.0.65
Recommended Action: Update to version 2.0.65, or a newer patched version
Plugin: Elements Plus!
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via widget links
Patched Version: 2.16.3
Recommended Action: Update to version 2.16.3, or a newer patched version
Plugin: MJM Clinic
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.1.23
Recommended Action: Update to version 1.1.23, or a newer patched version
Plugin: Tracking Code Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: PowerPack Lite for Beaver Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via element link
Patched Version: 1.3.0.1
Recommended Action: Update to version 1.3.0.1, or a newer patched version
Plugin: Management App for WooCommerce – Order notifications, Order management, Lead management, Uptime Monitoring
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Database for Contact Form 7
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: WP Armour – Honeypot Anti Spam
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.14
Recommended Action: Update to version 2.1.14, or a newer patched version
Plugin: Standout Color Boxes and Buttons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Super Page Cache
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.7.6
Recommended Action: Update to version 4.7.6, or a newer patched version
Plugin: WordPress Automatic Plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.92.1
Recommended Action: Update to version 3.92.1, or a newer patched version
Plugin: Visualizer: Tables and Charts Manager for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.10.6
Recommended Action: Update to version 3.10.6, or a newer patched version
Plugin: Passwordless Login
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Gum Elementor Addon
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Widget
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.11.16
Recommended Action: Update to version 2.11.16, or a newer patched version
Plugin: GamiPress – Button
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Knight Lab Timeline
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.9.3.4
Recommended Action: Update to version 3.9.3.4, or a newer patched version
Plugin: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.9.20
Recommended Action: Update to version 1.9.20, or a newer patched version
Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.11.9
Recommended Action: Update to version 2.11.9, or a newer patched version
Plugin: News Announcement Scroll
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 9.1.0
Recommended Action: Update to version 9.1.0, or a newer patched version
Plugin: Better Search – Relevant search results for WordPress
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: PDF Embedder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7.1
Recommended Action: Update to version 4.7.1, or a newer patched version
Plugin: Team Circle Image Slider With Lightbox
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Stripe Payment forms for WordPress – WP Full Pay
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.0.6
Recommended Action: Update to version 7.0.6, or a newer patched version
Plugin: Website Article Monetization By MageNet
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version
Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.7
Recommended Action: Update to version 7.6.7, or a newer patched version
Plugin: Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: Advanced Classifieds & Directory Pro
Vulnerability: Missing Authorization to Arbitrary Attachment Deletion
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Survey Maker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version
Plugin: Backuply – Backup, Restore, Migrate and Clone
Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: ElementsKit Elementor addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion Widget
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version
Plugin: WooCommerce Google Feed Manager
Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: Smart Online Order for Clover
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: YITH WooCommerce Product Add-Ons
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 4.6.0
Recommended Action: Update to version 4.6.0, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: Live Sales Notification for Woocommerce – Woomotiv
Vulnerability: Cross-Site Request Forgery via ajax_cancel_review
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version
Plugin: Email Subscription Popup
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.21
Recommended Action: Update to version 1.2.21, or a newer patched version
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Advanced Sermons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version
Plugin: Five Star Restaurant Menu and Food Ordering
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version
Plugin: WP Fusion Lite – Marketing Automation and CRM Integration for WordPress
Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 3.42.10
Recommended Action: Update to version 3.42.10, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Covid-19 Stats Widget
Patched Version: 2.6.9.1
Recommended Action: Update to version 2.6.9.1, or a newer patched version
Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!
Vulnerability: Unauthenticated Server-Side Request Forgery via font_url
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Calendarista Basic Edition – WordPress appointment booking system
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: The Moneytizer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.6.1
Recommended Action: Update to version 9.6.1, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.24
Recommended Action: Update to version 4.0.24, or a newer patched version
Plugin: Contact Form 7
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.9.2
Recommended Action: Update to version 5.9.2, or a newer patched version
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Wrapper Link URL
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: WooCommerce POS – Point of Sale
Vulnerability: Insufficient Verification of Data Authenticity to Authenticated (Customer+) Information Disclosure
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version
Plugin: WP SendFox
Vulnerability: Missing Authorization
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Translate WordPress and go Multilingual – Weglot
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Team Members Widget
Patched Version: 8.3.6
Recommended Action: Update to version 8.3.6, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.24
Recommended Action: Update to version 4.10.24, or a newer patched version
Plugin: wp-mpdf
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version
Plugin: Download Manager Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.85
Recommended Action: Update to version 3.2.85, or a newer patched version
Plugin: Premmerce Permalink Manager for WooCommerce
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Information Exposure
Patched Version: 2.2.76
Recommended Action: Update to version 2.2.76, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text Widget
Patched Version: 8.3.6
Recommended Action: Update to version 8.3.6, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.2.3
Recommended Action: Update to version 8.2.3, or a newer patched version
Plugin: Cryptocurrency Widgets – Price Ticker & Coins List
Vulnerability: Missing Authorization
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
Plugin: WC Shop Sync – Square Payment Gateway for WooCommerce, Inventory Sync Between Square and WooCommerce, Ultimate WooCommerce Square Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 14.5.1
Recommended Action: Update to version 14.5.1, or a newer patched version
Plugin: Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates
Vulnerability: Cross-Site Request Forgery via process_bulk_action
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: WooCommerce License Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version
Plugin: AntiSpam for Contact Form 7
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.6.1
Recommended Action: Update to version 0.6.1, or a newer patched version
Plugin: ElementsKit Elementor addons
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version
Plugin: SMS Alert Order Notifications – WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: Smart Custom Fields
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Post Content Disclosure
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version
Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.9.21
Recommended Action: Update to version 6.9.21, or a newer patched version
Plugin: Export Products, Order & Customers for WooCommerce
Vulnerability: Reflected Cross-Site Scripting via date parameters
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: WP Calameo
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Back To The Top Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Premium Addons Pro for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multi Scroll Widget
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version
Plugin: Visual Composer Website Builder
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 45.7.0
Recommended Action: Update to version 45.7.0, or a newer patched version
Plugin: DSGVO All in one for WP
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 6.8.7
Recommended Action: Update to version 6.8.7, or a newer patched version
Plugin: AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 7.3.15
Recommended Action: Update to version 7.3.15, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget
Patched Version: 2.6.9.1
Recommended Action: Update to version 2.6.9.1, or a newer patched version
Plugin: WPB Show Core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version
Plugin: Property Hive
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version
Plugin: JetWidgets For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Box Widget
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Burst Statistics – Privacy-Friendly Analytics for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via burst_total_pageviews_count
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.26
Recommended Action: Update to version 3.2.26, or a newer patched version
Plugin: Create by Mediavine
Vulnerability: Unauthenticated SQL Injection via ‘id’
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.3.5.3
Recommended Action: Update to version 1.3.5.3, or a newer patched version
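Two details of this list trip up a naive "is my version older than the patched version" check: the same plugin can appear several times with different patched versions (Link Library at 7.6.7 and 7.6.1, Tourfic at 2.11.16 and 2.11.9, GiveWP at 3.6.0 and 3.4.0), so only the highest one closes every listed issue, and an entry with "No patched version available" means the plugin is exposed at any version. Dotted versions such as 2.4.3.1 or 5.18 also cannot be compared as plain strings. The script below is an added example, not part of the original post or of any of the plugins above: it parses text in this page's Plugin / Vulnerability / Patched Version format, applies those two rules, and compares the result against the site's plugin inventory. It assumes the inventory is the JSON printed by `wp plugin list --fields=name,title,version,status --format=json`; a constructed stand-in and a short constructed excerpt of advisory text are embedded so it runs offline.

```python
"""Added example: check installed WordPress plugins against an advisory list
in this page's "Plugin: / Vulnerability: / Patched Version:" format.
Assumes the inventory is `wp plugin list --fields=name,title,version,status --format=json`."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the page's format: one plugin listed twice, one with no patch.
ADVISORY_TEXT = """\
Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.7
Recommended Action: Update to version 7.6.7, or a newer patched version
Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version
Plugin: Standout Color Boxes and Buttons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. It may be best to uninstall the affected software.
Plugin: Contact Form 7
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.9.2
Recommended Action: Update to version 5.9.2, or a newer patched version
"""

# Constructed stand-in for the wp-cli JSON output (versions chosen to exercise each rule).
INVENTORY_JSON = json.dumps([
    {"name": "link-library", "title": "Link Library", "version": "7.6.5", "status": "active"},
    {"name": "contact-form-7", "title": "Contact Form 7", "version": "5.9.2", "status": "active"},
    {"name": "standout-color-boxes-and-buttons", "title": "Standout Color Boxes and Buttons",
     "version": "0.7", "status": "inactive"},
    {"name": "akismet", "title": "Akismet Anti-spam: Spam Protection", "version": "5.3.1", "status": "active"},
])

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*?)\s*$")


def version_key(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Comparable key: '5.18' == '5.18.0', '2.4.3.1' > '2.4.3', '7.10' > '7.9',
    and a pre-release tag ('1.2.3-beta1') sorts below the bare release."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (8 - len(nums))  # pad so a trailing .0 is neutral
    suffix = m.group(2).lstrip("-._ ").lower()
    return (nums, 0 if not suffix else -1, suffix)


def _norm(title: str) -> str:
    return " ".join(title.lower().split())


def parse_advisories(text: str) -> Dict[str, Optional[str]]:
    """Normalised plugin title -> version that closes every listed issue.
    Highest patched version wins; any 'no patch' entry pins the plugin to None."""
    required: Dict[str, Optional[str]] = {}
    plugin = None
    for line in text.splitlines():
        if line.startswith("Plugin:"):
            plugin = _norm(line.split(":", 1)[1])
        elif line.startswith("Patched Version:") and plugin is not None:
            val = line.split(":", 1)[1].strip()
            patched = None if val.lower().startswith("no patched") else val
            if plugin not in required:
                required[plugin] = patched
            elif required[plugin] is None or patched is None:
                required[plugin] = None
            elif version_key(patched) > version_key(required[plugin]):
                required[plugin] = patched
    return required


def check_inventory(inventory_json: str, required: Dict[str, Optional[str]]) -> List[dict]:
    """Installed plugins still exposed, each with the action to take. Inactive plugins
    are reported too: their PHP files stay on disk and some issues are reachable directly."""
    findings = []
    for plugin in json.loads(inventory_json):
        patched = required.get(_norm(plugin["title"]), "")
        if patched == "":  # not on the list
            continue
        if patched is None:
            findings.append({**plugin, "patched": None,
                             "action": "no patch available: remove or replace the plugin"})
        elif version_key(plugin["version"]) < version_key(patched):
            findings.append({**plugin, "patched": patched,
                             "action": f"update to {patched} or a newer patched version"})
    return findings


if __name__ == "__main__":
    for f in check_inventory(INVENTORY_JSON, parse_advisories(ADVISORY_TEXT)):
        print(f"{f['name']} {f['version']} ({f['status']}): {f['action']}")
```

Matching is done on the plugin's display title as this page lists it, which is brittle when a vendor renames a plugin; if your advisory source also carries the wordpress.org slug, match on `name` instead. The comparison deliberately treats an installed version that is exactly the patched version as fixed and anything below it as exposed; it does not know whether a site has hot-patched or otherwise mitigated an issue, so treat its output as a to-do list, not a verdict.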
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.