Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Ebook Store
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8002
Recommended Action: Update to version 5.8002, or a newer patched version
Plugin: Social Sharing Plugin – Social Warfare
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version
Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Site Title’ widget
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: jQuery Dropdown Menu
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LIVE TV
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Motors – Car Dealership & Classified Listings Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Listing Template Creation
Patched Version: 1.4.58
Recommended Action: Update to version 1.4.58, or a newer patched version
Plugin: ListingPro Plugin
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version
Plugin: Hacklog Remote Image Autosave
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Sensitive Information Exposure via Imported Subscribers CSV File
Patched Version: 4.3.7
Recommended Action: Update to version 4.3.7, or a newer patched version
Plugin: Nias course | دوره ساز نیاس
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Borderless – Elementor Addons and Templates
Vulnerability: Missing Authorization to Icon Font Deletion
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Instant Appointment
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Your Lightbox
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CRM and Lead Management by vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: WP Featured Entries
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Compress – Instant Performance & Speed Optimization
Vulnerability: Unauthenticated Server-Side Request Forgery via init Function
Patched Version: 6.30.16
Recommended Action: Update to version 6.30.16, or a newer patched version
Plugin: Management-screen-droptiles
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Narnoo Operator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Export and Import Users and Customers
Vulnerability: Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: Easy Custom Admin Bar
Vulnerability: Reflected Cross-Site Scripting via msg Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 5.9.4.8
Recommended Action: Update to version 5.9.4.8, or a newer patched version
Plugin: CryoKey
Vulnerability: Reflected Cross-Site Scripting via ‘ckemail’ Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rizzi Guestbook
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AuMenu
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Zalo Live Chat
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Your Simple SVG Support
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Bitspecter Suite
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Buying Buddy IDX CRM – Real Estate MLS Plugin
Vulnerability: Cross-Site Request Forgery to PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid
Vulnerability: Authenticated (Admin+) Command Injection
Patched Version: 1.17.0
Recommended Action: Update to version 1.17.0, or a newer patched version
Plugin: Event Registration Calendar By vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Google Plus
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Newsletters
Vulnerability: Reflected Cross-Site Scripting via To Parameter
Patched Version: 4.9.9.8
Recommended Action: Update to version 4.9.9.8, or a newer patched version
Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Vulnerability: Cross-Site Request Forgery to Cache Reset via ctf_clear_cache_admin Function
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: Skrill – WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.67
Recommended Action: Update to version 1.0.67, or a newer patched version
Plugin: Export and Import Users and Customers
Vulnerability: Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: WATI Chat and Notification
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: WordPress File Upload
Vulnerability: Unauthenticated Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion
Patched Version: 4.25.0
Recommended Action: Update to version 4.25.0, or a newer patched version
Plugin: WPrequal
Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 8.3.1
Recommended Action: Update to version 8.3.1, or a newer patched version
Plugin: Order Export & Order Import for WooCommerce
Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Newsletters
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.9.9.8
Recommended Action: Update to version 4.9.9.8, or a newer patched version
Plugin: DesignThemes Core Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AppReview
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UTM tags + Landing page + “gclid” tracking for Contact Form 7
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Job Postings
Vulnerability: Authenticated (Subscriber+) Arbitrary File Read
Patched Version: 2.7.12
Recommended Action: Update to version 2.7.12, or a newer patched version
Plugin: Frndzk Expandable Bottom Bar
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via text Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Secure Invites
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Multi Video Box
Vulnerability: Reflected Cross-Site Scripting via video_id and group_id Parameters
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultra Addons Lite for Elementor
Vulnerability: Authenticated (Contributor+) Restricted Post Disclosure
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Block Logic – Full Gutenberg Block Display Control
Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Export and Import Users and Customers
Vulnerability: Authenticated (Admin+) PHP Object Injection via form_data Parameter
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: A1POST.BG Shipping for WooCommerce
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Order Export & Order Import for WooCommerce
Vulnerability: Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Vulnerability: Missing Authorization to Unauthenticated Post Trashing
Patched Version: 8.0.2
Recommended Action: Update to version 8.0.2, or a newer patched version
Plugin: ZenphotoPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ListingPro Plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version
Plugin: NP Quote Request for WooCommerce
Vulnerability: Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure
Patched Version: 1.9.180
Recommended Action: Update to version 1.9.180, or a newer patched version
Plugin: Export and Import Users and Customers
Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.15.7
Recommended Action: Update to version 4.15.7, or a newer patched version
Plugin: File Away
Vulnerability: Missing Authorization to Unauthenticated Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress File Upload
Vulnerability: Unauthenticated Path Traversal to Arbitrary File Read in wfu_file_downloader.php
Patched Version: 4.24.14
Recommended Action: Update to version 4.24.14, or a newer patched version
Plugin: GMO Font Agent
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Importer
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 0.8.4
Recommended Action: Update to version 0.8.4, or a newer patched version
Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.0.25
Recommended Action: Update to version 4.0.25, or a newer patched version
Plugin: ANAC XML Render
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ebook Store
Vulnerability: Reflected Cross-Site Scripting via ‘step’
Patched Version: 5.8002
Recommended Action: Update to version 5.8002, or a newer patched version
Plugin: WP Database Audit
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Join Group Requests Management
Patched Version: 5.9.4.5
Recommended Action: Update to version 5.9.4.5, or a newer patched version
Plugin: Borderless – Elementor Addons and Templates
Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: دکمه، شبکه اجتماعی خرید
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced iFrame
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2025.0
Recommended Action: Update to version 2025.0, or a newer patched version
Plugin: ZD Scribd iPaper
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Zielke Design Project Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Publishing
Patched Version: 8.3
Recommended Action: Update to version 8.3, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 5.9.4.6
Recommended Action: Update to version 5.9.4.6, or a newer patched version
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Missing Authorization
Patched Version: 12.4.08
Recommended Action: Update to version 12.4.08, or a newer patched version
Plugin: LTL Freight Quotes – FreightQuote Edition
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version
Plugin: Display Post Meta
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gotcha | Gesture-based Captcha
Vulnerability: Reflected Cross-Site Scripting via menu Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Active Products Tables for WooCommerce. Use constructor to create tables
Vulnerability: Unauthenticated Arbitrary Filter Call
Patched Version: 1.0.6.8
Recommended Action: Update to version 1.0.6.8, or a newer patched version
Plugin: WooCommerce Multivendor Marketplace – REST API
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CG Button
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Random Quotes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: STEdb Forms
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Course Material Sensitive Information Exposure via REST API
Patched Version: 4.2.7.4
Recommended Action: Update to version 4.2.7.4, or a newer patched version
Plugin: Easy 301 Redirects
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CBX Petition
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Your Friendly Drag and Drop Page Builder — Make Builder
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery via make_builder_ajax_subscribe Function
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version
Plugin: Service Finder Bookings
Vulnerability: Unauthenticated Privilege Escalation via Account Takeover
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: WordPress Theme Demo Bar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pixobe Cartography
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CAS Maestro
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Site Reviews
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.2.5
Recommended Action: Update to version 7.2.5, or a newer patched version
Plugin: Borderless – Elementor Addons and Templates
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
Vulnerability: Unauthenticated SQL Injection via ‘automationId’
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version
Plugin: ListingPro Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version
Plugin: GDPR Tools
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ListingPro Plugin
Vulnerability: Authenticated (Author+) Local File Inclusion
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version
Plugin: Event post
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: banner-manager
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: File Away
Vulnerability: Missing Authorization to Unauthenticated File Upload via upload Function
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Docpro
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Code Clone
Vulnerability: Authenticated (Administrator+) SQL Injection via snippetId Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Unauthenticated Private Post Title Disclosure
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version
Plugin: MemberSpace – Membership Plugin and Paid Subscriptions
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.14
Recommended Action: Update to version 2.1.14, or a newer patched version
Plugin: WP Ghost (Hide My WP Ghost) – Security & Firewall
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 5.4.02
Recommended Action: Update to version 5.4.02, or a newer patched version
Plugin: Infugrator – Infusionsoft + WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Digital License Manager
Vulnerability: Reflected Cross-Site Scripting via remove_query_arg Function
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: WP Google Calendar Manager – Google Calendar Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fix Rss Feeds
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Browser Address Bar Color
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.15.30
Recommended Action: Update to version 1.15.30, or a newer patched version
Plugin: Ultimate Blocks – WordPress Blocks Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Off Page SEO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FancyBox
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BWL Advanced FAQ Manager
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 3.22.2
Recommended Action: Update to version 3.22.2, or a newer patched version
Plugin: WordPress File Upload
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 4.24.14
Recommended Action: Update to version 4.24.14, or a newer patched version
Plugin: Are you robot google recaptcha for wordpress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: teachPress
Vulnerability: Cross-Site Request Forgery to Import Delete
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.15.9
Recommended Action: Update to version 4.15.9, or a newer patched version
Plugin: Advanced iFrame
Vulnerability: Unauthenticated Settings Update
Patched Version: 2025.0
Recommended Action: Update to version 2025.0, or a newer patched version
Plugin: Custom Smilies
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated SQL Injection via ‘c_fields’
Patched Version: 4.2.7.1
Recommended Action: Update to version 4.2.7.1, or a newer patched version
Plugin: Estatebud – Properties & Listings
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BoomBox Theme Extensions
Vulnerability: Authenticated (Subscriber+) Privilege Escalation via Password Reset/Account Takeover in boombox_ajax_reset_password
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Order Export & Order Import for WooCommerce
Vulnerability: Authenticated (Admin+) PHP Object Injection via form_data Parameter
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Simple Post Series
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LTL Freight Quotes – FreightQuote Edition
Vulnerability: Missing Authorization
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version
Plugin: Admin Dashboard RSS Feed
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version
Plugin: WP Contact Form III
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AHAthat Plugin
Vulnerability: Authenticated (Administrator+) SQL Injection via id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cookies Pro
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chartify – WordPress Chart Plugin
Vulnerability: Unauthenticated Local File Inclusion via source
Patched Version: 2.9.6
Recommended Action: Update to version 2.9.6, or a newer patched version
Plugin: Alert Box Block – Display notice/alerts in the front end.
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Alert Box Block
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Age Gate
Vulnerability: Unauthenticated Local PHP File Inclusion via ‘lang’
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version
Plugin: DICOM Support
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.10.7
Recommended Action: Update to version 0.10.7, or a newer patched version
Plugin: Custom Script Integration
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Order Export & Order Import for WooCommerce
Vulnerability: Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Church Donation
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: IP-Spoofing
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version
Plugin: custom-post-edit
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ebook Store
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.15.9
Recommended Action: Update to version 4.15.9, or a newer patched version
Plugin: Simple Rating
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated SQL Injection via ‘c_only_fields’
Patched Version: 4.2.7.1
Recommended Action: Update to version 4.2.7.1, or a newer patched version
Plugin: My Default Post Content
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login Redirect
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clink – WordPress Link Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts
Vulnerability: Cross-Site Request Forgery to Font Assignment Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Vulnerability: Unauthenticated SQL Injection via orderby Parameter
Patched Version: 7.3.2
Recommended Action: Update to version 7.3.2, or a newer patched version
Plugin: EZ SQL Reports Shortcode Widget and DB Backup
Vulnerability: 5.25.08
Patched Version: 5.25.10
Recommended Action: Update to version 5.25.10, or a newer patched version
Plugin: SpatialMatch IDX
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ebook Store
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 5.8002
Recommended Action: Update to version 5.8002, or a newer patched version
Plugin: ZhinaTwitterWidget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin
Vulnerability: Missing Authorization to Unauthenticated Payment Status Update
Patched Version: 4.0.25
Recommended Action: Update to version 4.0.25, or a newer patched version
Plugin: En Masse WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Super Static Cache
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mobile Navigation
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Frontend Post Submission
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPres 同步微博
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.