Watch Out Wednesday – March 26, 2025

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Ebook Store

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8002
Recommended Action: Update to version 5.8002, or a newer patched version

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version

Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Site Title’ widget
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: jQuery Dropdown Menu

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LIVE TV

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Motors – Car Dealership & Classified Listings Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Listing Template Creation
Patched Version: 1.4.58
Recommended Action: Update to version 1.4.58, or a newer patched version

Plugin: ListingPro Plugin

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Hacklog Remote Image Autosave

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Sensitive Information Exposure via Imported Subscribers CSV File
Patched Version: 4.3.7
Recommended Action: Update to version 4.3.7, or a newer patched version

Plugin: Nias course | دوره ساز نیاس

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Borderless – Elementor Addons and Templates

Vulnerability: Missing Authorization to Icon Font Deletion
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Instant Appointment

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Your Lightbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CRM and Lead Management by vcita

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: WP Featured Entries

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Compress – Instant Performance & Speed Optimization

Vulnerability: Unauthenticated Server-Side Request Forgery via init Function
Patched Version: 6.30.16
Recommended Action: Update to version 6.30.16, or a newer patched version

Plugin: Management-screen-droptiles

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Narnoo Operator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Export and Import Users and Customers

Vulnerability: Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Easy Custom Admin Bar

Vulnerability: Reflected Cross-Site Scripting via msg Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 5.9.4.8
Recommended Action: Update to version 5.9.4.8, or a newer patched version

Plugin: CryoKey

Vulnerability: Reflected Cross-Site Scripting via ‘ckemail’ Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rizzi Guestbook

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AuMenu

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zalo Live Chat

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Your Simple SVG Support

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Bitspecter Suite

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Buying Buddy IDX CRM – Real Estate MLS Plugin

Vulnerability: Cross-Site Request Forgery to PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid

Vulnerability: Authenticated (Admin+) Command Injection
Patched Version: 1.17.0
Recommended Action: Update to version 1.17.0, or a newer patched version

Plugin: Event Registration Calendar By vcita

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletters

Vulnerability: Reflected Cross-Site Scripting via To Parameter
Patched Version: 4.9.9.8
Recommended Action: Update to version 4.9.9.8, or a newer patched version

Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget

Vulnerability: Cross-Site Request Forgery to Cache Reset via ctf_clear_cache_admin Function
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Skrill – WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.67
Recommended Action: Update to version 1.0.67, or a newer patched version

Plugin: Export and Import Users and Customers

Vulnerability: Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: WATI Chat and Notification

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Unauthenticated Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion
Patched Version: 4.25.0
Recommended Action: Update to version 4.25.0, or a newer patched version

Plugin: WPrequal

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 8.3.1
Recommended Action: Update to version 8.3.1, or a newer patched version

Plugin: Order Export & Order Import for WooCommerce

Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletters

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.9.9.8
Recommended Action: Update to version 4.9.9.8, or a newer patched version

Plugin: DesignThemes Core Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AppReview

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UTM tags + Landing page + “gclid” tracking for Contact Form 7

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Job Postings

Vulnerability: Authenticated (Subscriber+) Arbitrary File Read
Patched Version: 2.7.12
Recommended Action: Update to version 2.7.12, or a newer patched version

Plugin: Frndzk Expandable Bottom Bar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via text Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Secure Invites

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multi Video Box

Vulnerability: Reflected Cross-Site Scripting via video_id and group_id Parameters
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultra Addons Lite for Elementor

Vulnerability: Authenticated (Contributor+) Restricted Post Disclosure
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Block Logic – Full Gutenberg Block Display Control

Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Export and Import Users and Customers

Vulnerability: Authenticated (Admin+) PHP Object Injection via form_data Parameter
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: A1POST.BG Shipping for WooCommerce

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Order Export & Order Import for WooCommerce

Vulnerability: Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Missing Authorization to Unauthenticated Post Trashing
Patched Version: 8.0.2
Recommended Action: Update to version 8.0.2, or a newer patched version

Plugin: ZenphotoPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ListingPro Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: NP Quote Request for WooCommerce

Vulnerability: Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure
Patched Version: 1.9.180
Recommended Action: Update to version 1.9.180, or a newer patched version

Plugin: Export and Import Users and Customers

Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.15.7
Recommended Action: Update to version 4.15.7, or a newer patched version

Plugin: File Away

Vulnerability: Missing Authorization to Unauthenticated Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress File Upload

Vulnerability: Unauthenticated Path Traversal to Arbitrary File Read in wfu_file_downloader.php
Patched Version: 4.24.14
Recommended Action: Update to version 4.24.14, or a newer patched version

Plugin: GMO Font Agent

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Importer

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 0.8.4
Recommended Action: Update to version 0.8.4, or a newer patched version

Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.0.25
Recommended Action: Update to version 4.0.25, or a newer patched version

Plugin: ANAC XML Render

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ebook Store

Vulnerability: Reflected Cross-Site Scripting via ‘step’
Patched Version: 5.8002
Recommended Action: Update to version 5.8002, or a newer patched version

Plugin: WP Database Audit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Join Group Requests Management
Patched Version: 5.9.4.5
Recommended Action: Update to version 5.9.4.5, or a newer patched version

Plugin: Borderless – Elementor Addons and Templates

Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: دکمه، شبکه اجتماعی خرید

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced iFrame

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2025.0
Recommended Action: Update to version 2025.0, or a newer patched version

Plugin: ZD Scribd iPaper

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zielke Design Project Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Publishing
Patched Version: 8.3
Recommended Action: Update to version 8.3, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 5.9.4.6
Recommended Action: Update to version 5.9.4.6, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Missing Authorization
Patched Version: 12.4.08
Recommended Action: Update to version 12.4.08, or a newer patched version

Plugin: LTL Freight Quotes – FreightQuote Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version

Plugin: Display Post Meta

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gotcha | Gesture-based Captcha

Vulnerability: Reflected Cross-Site Scripting via menu Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables

Vulnerability: Unauthenticated Arbitrary Filter Call
Patched Version: 1.0.6.8
Recommended Action: Update to version 1.0.6.8, or a newer patched version

Plugin: GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.15.7
Recommended Action: Update to version 4.15.7, or a newer patched version

Plugin: WooCommerce Multivendor Marketplace – REST API

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CG Button

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Random Quotes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: STEdb Forms

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Course Material Sensitive Information Exposure via REST API
Patched Version: 4.2.7.4
Recommended Action: Update to version 4.2.7.4, or a newer patched version

Plugin: Easy 301 Redirects

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CBX Petition

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Your Friendly Drag and Drop Page Builder — Make Builder

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery via make_builder_ajax_subscribe Function
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version

Plugin: Service Finder Bookings

Vulnerability: Unauthenticated Privilege Escalation via Account Takeover
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: WordPress Theme Demo Bar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pixobe Cartography

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CAS Maestro

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Site Reviews

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.2.5
Recommended Action: Update to version 7.2.5, or a newer patched version

Plugin: Borderless – Elementor Addons and Templates

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce

Vulnerability: Unauthenticated SQL Injection via ‘automationId’
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: ListingPro Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: GDPR Tools

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ListingPro Plugin

Vulnerability: Authenticated (Author+) Local File Inclusion
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Event post

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: banner-manager

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: File Away

Vulnerability: Missing Authorization to Unauthenticated File Upload via upload Function
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Docpro

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Code Clone

Vulnerability: Authenticated (Administrator+) SQL Injection via snippetId Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Unauthenticated Private Post Title Disclosure
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version

Plugin: MemberSpace – Membership Plugin and Paid Subscriptions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.14
Recommended Action: Update to version 2.1.14, or a newer patched version

Plugin: WP Ghost (Hide My WP Ghost) – Security & Firewall

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 5.4.02
Recommended Action: Update to version 5.4.02, or a newer patched version

Plugin: Infugrator – Infusionsoft + WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Digital License Manager

Vulnerability: Reflected Cross-Site Scripting via remove_query_arg Function
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: WP Google Calendar Manager – Google Calendar Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fix Rss Feeds

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Browser Address Bar Color

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.15.30
Recommended Action: Update to version 1.15.30, or a newer patched version

Plugin: Ultimate Blocks – WordPress Blocks Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Off Page SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FancyBox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BWL Advanced FAQ Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 3.22.2
Recommended Action: Update to version 3.22.2, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 4.24.14
Recommended Action: Update to version 4.24.14, or a newer patched version

Plugin: Are you robot google recaptcha for wordpress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: teachPress

Vulnerability: Cross-Site Request Forgery to Import Delete
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.15.9
Recommended Action: Update to version 4.15.9, or a newer patched version

Plugin: Advanced iFrame

Vulnerability: Unauthenticated Settings Update
Patched Version: 2025.0
Recommended Action: Update to version 2025.0, or a newer patched version

Plugin: Custom Smilies

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Unauthenticated SQL Injection via ‘c_fields’
Patched Version: 4.2.7.1
Recommended Action: Update to version 4.2.7.1, or a newer patched version

Plugin: Estatebud – Properties & Listings

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BoomBox Theme Extensions

Vulnerability: Authenticated (Subscriber+) Privilege Escalation via Password Reset/Account Takeover in boombox_ajax_reset_password
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Order Export & Order Import for WooCommerce

Vulnerability: Authenticated (Admin+) PHP Object Injection via form_data Parameter
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Simple Post Series

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LTL Freight Quotes – FreightQuote Edition

Vulnerability: Missing Authorization
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version

Plugin: Admin Dashboard RSS Feed

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: WP Contact Form III

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AHAthat Plugin

Vulnerability: Authenticated (Administrator+) SQL Injection via id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cookies Pro

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chartify – WordPress Chart Plugin

Vulnerability: Unauthenticated Local File Inclusion via source
Patched Version: 2.9.6
Recommended Action: Update to version 2.9.6, or a newer patched version

Plugin: Alert Box Block – Display notice/alerts in the front end.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Alert Box Block
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Age Gate

Vulnerability: Unauthenticated Local PHP File Inclusion via ‘lang’
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: DICOM Support

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.10.7
Recommended Action: Update to version 0.10.7, or a newer patched version

Plugin: Custom Script Integration

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Order Export & Order Import for WooCommerce

Vulnerability: Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Church Donation

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: IP-Spoofing
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: custom-post-edit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ebook Store

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.15.9
Recommended Action: Update to version 4.15.9, or a newer patched version

Plugin: Simple Rating

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Unauthenticated SQL Injection via ‘c_only_fields’
Patched Version: 4.2.7.1
Recommended Action: Update to version 4.2.7.1, or a newer patched version

Plugin: My Default Post Content

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login Redirect

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clink – WordPress Link Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts

Vulnerability: Cross-Site Request Forgery to Font Assignment Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Unauthenticated SQL Injection via orderby Parameter
Patched Version: 7.3.2
Recommended Action: Update to version 7.3.2, or a newer patched version

Plugin: EZ SQL Reports Shortcode Widget and DB Backup

Vulnerability: 5.25.08
Patched Version: 5.25.10
Recommended Action: Update to version 5.25.10, or a newer patched version

Plugin: SpatialMatch IDX

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ebook Store

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 5.8002
Recommended Action: Update to version 5.8002, or a newer patched version

Plugin: ZhinaTwitterWidget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin

Vulnerability: Missing Authorization to Unauthenticated Payment Status Update
Patched Version: 4.0.25
Recommended Action: Update to version 4.0.25, or a newer patched version

Plugin: En Masse WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Super Static Cache

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mobile Navigation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Frontend Post Submission

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPres 同步微博

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
