Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Shariff Wrapper
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.11
Recommended Action: Update to version 4.6.11, or a newer patched version
Plugin: Remove Duplicate Posts
Vulnerability: Missing Authorization to Post Deletion
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: GigPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Crypto Converter ⚡ Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: Rocket Maintenance Mode & Coming Soon Page
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Image Hover Effects – Elementor Addon
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘eihe_align’
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: Church Admin
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.0.28
Recommended Action: Update to version 4.0.28, or a newer patched version
Plugin: Web3 – Crypto wallet Login & NFT token gating
Vulnerability: Authentication Bypass
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: CRM Memberships
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Lister Lite for Amazon
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Vulnerability: Missing Authorization via get_players
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version
Plugin: Video Conferencing with Zoom
Vulnerability: Sensitive Information Exposure
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version
Plugin: Themify Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 1.6.7.9
Recommended Action: Update to version 1.6.7.9, or a newer patched version
Plugin: Co-marquage service-public.fr
Vulnerability: Reflected Cross-Site Scripting via search_term
Patched Version: 0.5.73
Recommended Action: Update to version 0.5.73, or a newer patched version
Plugin: WP Smart Import : Import any XML File to WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Scrollsequence – Cinematic Scroll Image Animation Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: HT Easy GA4 – Google Analytics WordPress Plugin
Vulnerability: Missing Authorization to Unauthenticated GA4 Email Update
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: canvasio3D Light
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Reflected Cross-Site Scripting via ‘image_url’
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version
Plugin: Olive One Click Demo Import
Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: WordPress Automatic Plugin
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 3.92.1
Recommended Action: Update to version 3.92.1, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Reflected Cross-Site Scripting via ‘current_url’
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version
Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version
Plugin: Podlove Web Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version
Plugin: Slider by Supsystic
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.8.11
Recommended Action: Update to version 1.8.11, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Reflected Cross-Site Scripting via ‘image_id’
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version
Plugin: WP Ultimate Review
Vulnerability: Cross-Site Request Forgery via wur_settings_view
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Authenticated (Editor+) Remote Code Execution
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.23
Recommended Action: Update to version 1.6.23, or a newer patched version
Plugin: WPFront Notification Bar
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: Free Downloads WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.8.3
Recommended Action: Update to version 3.5.8.3, or a newer patched version
Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.12.8
Recommended Action: Update to version 5.12.8, or a newer patched version
Plugin: Restrict User Access – Ultimate Membership & Content Protection
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Photo Gallery by Supsystic
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.15.17
Recommended Action: Update to version 1.15.17, or a newer patched version
Plugin: Easy Maintenance Mode
Vulnerability: Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.29.1
Recommended Action: Update to version 1.29.1, or a newer patched version
Plugin: WP Crontrol
Vulnerability: Remote Code Execution
Patched Version: 1.16.2
Recommended Action: Update to version 1.16.2, or a newer patched version
Plugin: Responsive Tabs
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: 360 Javascript Viewer
Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 1.7.13
Recommended Action: Update to version 1.7.13, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘note_color’ Shortcode
Patched Version: 7.0.5
Recommended Action: Update to version 7.0.5, or a newer patched version
Plugin: VK All in One Expansion Unit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via className
Patched Version: 9.97.0.0
Recommended Action: Update to version 9.97.0.0, or a newer patched version
Plugin: WP Customer Reviews
Vulnerability: Authenticated (Contributor+) Malicious Redirect via HTTP-EQUIV Injection
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: BuddyPress Moderation
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Zippy
Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: 1.6.10
Recommended Action: Update to version 1.6.10, or a newer patched version
Plugin: Preview E-mails for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version
Plugin: Site Reviews
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 6.11.7
Recommended Action: Update to version 6.11.7, or a newer patched version
Plugin: AI Engine
Vulnerability: Authenticated (Editor+) Server-Side Request Forgery
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: User profile
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.21
Recommended Action: Update to version 2.0.21, or a newer patched version
Plugin: Dropdown multisite selector
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 0.9.2.1
Recommended Action: Update to version 0.9.2.1, or a newer patched version
Plugin: Fancy Comments WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.15
Recommended Action: Update to version 1.2.15, or a newer patched version
Plugin: Simply Static – The WordPress Static Site Generator
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: Analytics Insights – Google Analytics Dashboard for WordPress
Vulnerability: Open Redirect
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version
Plugin: Travelers' Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Socialdriver
Vulnerability: Prototype Pollution
Patched Version: 2024
Recommended Action: Update to version 2024, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.5.44.7212
Recommended Action: Update to version 7.5.44.7212, or a newer patched version
Plugin: 360 Javascript Viewer
Vulnerability: Missing Authorization
Patched Version: 1.7.12
Recommended Action: Update to version 1.7.12, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Cincopa video and media plug-in
Vulnerability: Cross-Site Request Forgery via cincopa_mp_mt_options_page
Patched Version: 1.160
Recommended Action: Update to version 1.160, or a newer patched version
Plugin: Easy PopUp Show
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Events Tickets Plus
Vulnerability: Missing Authorization to Information Exposure
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version
Plugin: Contact Form to Any API
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: HTML Forms – Simple WordPress Forms Plugin
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 1.3.30
Recommended Action: Update to version 1.3.30, or a newer patched version
Plugin: Exchange Rates Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Smart Forms – when you need more than just a contact form
Vulnerability: Missing Authorization
Patched Version: 2.6.87
Recommended Action: Update to version 2.6.87, or a newer patched version
Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 21.3.2.1
Recommended Action: Update to version 21.3.2.1, or a newer patched version
Plugin: WPBakery Page Builder Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version
Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Event Tickets and Registration
Vulnerability: Improper Authorization to Information Disclosure
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version
Plugin: Fancy Product Designer
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Product Title
Patched Version: 6.1.81
Recommended Action: Update to version 6.1.81, or a newer patched version
Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.4.3
Recommended Action: Update to version 1.1.4.3, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Local File Inclusion via Team Member Listing
Patched Version: 5.4.2
Recommended Action: Update to version 5.4.2, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version
Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.11.8
Recommended Action: Update to version 2.11.8, or a newer patched version
Plugin: Network Summary
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Max Mega Menu
Vulnerability: Missing Authorization
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: Top Bar
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: WP-Lister Lite for Amazon
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.6.12
Recommended Action: Update to version 2.6.12, or a newer patched version
Plugin: Church Admin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via meta-text
Patched Version: 4.1.18
Recommended Action: Update to version 4.1.18, or a newer patched version
Plugin: Calendarista
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 15.5.9
Recommended Action: Update to version 15.5.9, or a newer patched version
Plugin: canvasio3D Light
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Easy GA4 – Google Analytics WordPress Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: WooCommerce Cloak Affiliate Links
Vulnerability: Missing Authorization to Unauthenticated Permalink Modification
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version
Plugin: StreamWeasels Twitch Integration
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: AI Content Writing Assistant
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Media Cloud for Bunny CDN, Amazon S3, Cloudflare R2, Google Cloud Storage, DigitalOcean and more
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.5.25
Recommended Action: Update to version 4.5.25, or a newer patched version
Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.18.3
Recommended Action: Update to version 1.18.3, or a newer patched version
Plugin: Slider Hero with Video Background, Animation
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.7.0
Recommended Action: Update to version 8.7.0, or a newer patched version
Plugin: Favicon Rotator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version
Plugin: MapPress Maps for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.88.15
Recommended Action: Update to version 2.88.15, or a newer patched version
Plugin: Woo Viet – WooCommerce for Vietnam
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 4.0.27
Recommended Action: Update to version 4.0.27, or a newer patched version
Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.6.24
Recommended Action: Update to version 1.6.6.24, or a newer patched version
Plugin: Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 13.2.6
Recommended Action: Update to version 13.2.6, or a newer patched version
Plugin: AI Post Generator | AutoWriter
Vulnerability: Missing Authorization
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: Simple Buttons Creator
Vulnerability: Cross-Site Request Forgery to Arbitrary Button Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Tabs
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: Bulk NoIndex & NoFollow Toolkit
Vulnerability: Reflected Cross-Site Scripting via tab, order, and orderby
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version
Plugin: AFI – The Easiest Integration Plugin
Vulnerability: SQL Injection to Reflected Cross-Site Scripting via integration_id
Patched Version: 1.82.6
Recommended Action: Update to version 1.82.6, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via class
Patched Version: 4.7.7
Recommended Action: Update to version 4.7.7, or a newer patched version
Plugin: SEOPress – On-site SEO
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version
Plugin: WP Edit Username
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.13.64
Recommended Action: Update to version 7.13.64, or a newer patched version
Plugin: WooThumbs for WooCommerce by Iconic
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version
Plugin: FeedFocal
Vulnerability: Missing Authorization via feedfocal_api_setup REST function
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Coming Soon & Maintenance Mode by Colorlib
Vulnerability: Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Sermons
Vulnerability: Reflected Cross-Site Scripting via s
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: NPS computy
Vulnerability: Cross-Site Request Forgery to Results Deletion
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.28
Recommended Action: Update to version 1.0.28, or a newer patched version
Plugin: Spiffy Calendar
Vulnerability: Insufficient Authorization
Patched Version: 4.9.9
Recommended Action: Update to version 4.9.9, or a newer patched version
Plugin: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.26.3
Recommended Action: Update to version 1.26.3, or a newer patched version
Plugin: Smart Forms – when you need more than just a contact form
Vulnerability: Missing Authorization
Patched Version: 2.6.94
Recommended Action: Update to version 2.6.94, or a newer patched version
Plugin: WP Editor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: Specific Content For Mobile – Customize the mobile version without redirections
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.9.6
Recommended Action: Update to version 0.1.9.6, or a newer patched version
Plugin: Korea SNS
Vulnerability: Cross-Site Request Forgery via kon_tergos_options
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: Page Builder by SiteOrigin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Legacy Image Widget
Patched Version: 2.29.7
Recommended Action: Update to version 2.29.7, or a newer patched version
Plugin: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version
Plugin: Lightweight Accordion
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.17
Recommended Action: Update to version 1.5.17, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via video_html_tag
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version
Plugin: Sitekit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Sensitive Information Exposure
Patched Version: 1.15.23
Recommended Action: Update to version 1.15.23, or a newer patched version
Plugin: Page Builder Gutenberg Blocks – CoBlocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version
Plugin: WP CleanFix
Vulnerability: Missing Authorization via register
Patched Version: 5.7.0
Recommended Action: Update to version 5.7.0, or a newer patched version
Plugin: WooCommerce Clover Payment Gateway
Vulnerability: Missing Authorization via callback_handler
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: File Manager
Vulnerability: Cross-Site Request Forgery to Local JS File Inclusion
Patched Version: 7.2.5
Recommended Action: Update to version 7.2.5, or a newer patched version
Plugin: ReDi Restaurant Reservation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 24.0303
Recommended Action: Update to version 24.0303, or a newer patched version
Plugin: Shipping with Venipak for WooCommerce
Vulnerability: Reflected Cross-Site Scripting via ‘venipak_labels_link’
Patched Version: 1.19.6
Recommended Action: Update to version 1.19.6, or a newer patched version
Plugin: Off-Canvas Sidebars & Menus (Slidebars)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.5.8.2
Recommended Action: Update to version 0.5.8.2, or a newer patched version
Plugin: Contact Form
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version
Plugin: Events Tickets Plus
Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version
Plugin: Triberr
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version
Plugin: WordPress Contact Forms by Cimatti
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via settings
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version
Plugin: RoyalSlider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.5.44.7212
Recommended Action: Update to version 7.5.44.7212, or a newer patched version
Plugin: WordPress Automatic Plugin
Vulnerability: Unauthenticated Arbitrary File Download and Server-Side Request Forgery
Patched Version: 3.92.1
Recommended Action: Update to version 3.92.1, or a newer patched version
Plugin: Meta Box
Vulnerability: Authenticated (Contributor+) Information Exposure via Post Meta
Patched Version: 5.9.4
Recommended Action: Update to version 5.9.4, or a newer patched version
Plugin: Builder for WooCommerce product reviews shortcodes – ReviewShort
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.01.4
Recommended Action: Update to version 1.01.4, or a newer patched version
Plugin: Web Application Firewall – website security
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Hercules Core
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 5.3.2.0
Recommended Action: Update to version 5.3.2.0, or a newer patched version
Plugin: WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing)
Vulnerability: Authenticated (Subscriber+) Missing Authorization via multiple AJAX actions
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Envo's Elementor Templates & Widgets for WooCommerce
Vulnerability: Cross-Site Request Forgery via ajax_theme_activation
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: SupportCandy – Helpdesk & Customer Support Ticket System
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: Easy Textillate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.02
Recommended Action: Update to version 2.02, or a newer patched version
Plugin: Real Media Library: Media Library Folder & File Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.22.8
Recommended Action: Update to version 4.22.8, or a newer patched version
Plugin: Contests by Rewards Fuel
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.0.63
Recommended Action: Update to version 2.0.63, or a newer patched version
Plugin: WooCommerce
Vulnerability: Missing Authorization to Private/Draft Product Disclosure
Patched Version: 8.6
Recommended Action: Update to version 8.6, or a newer patched version
Plugin: WP Reset – Most Advanced WordPress Reset Tool
Vulnerability: Sensitive Information Exposure due to Insufficient Randomness
Patched Version: 2.01
Recommended Action: Update to version 2.01, or a newer patched version
Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 2.11.19
Recommended Action: Update to version 2.11.19, or a newer patched version
Plugin: Multi Currency For WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: Calculated Fields Form
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.55
Recommended Action: Update to version 1.2.55, or a newer patched version
Plugin: PilotPress
Vulnerability: Authenticated (Subscriber+) Missing Authorization via multiple AJAX functions
Patched Version: 2.0.31
Recommended Action: Update to version 2.0.31, or a newer patched version
Plugin: Event post
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version
Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.94
Recommended Action: Update to version 1.5.94, or a newer patched version
Plugin: ApplyOnline – Application Form Builder and Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Content
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fb_appid
Patched Version: 6.5.4
Recommended Action: Update to version 6.5.4, or a newer patched version
Plugin: MyCurator Content Curation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.77
Recommended Action: Update to version 3.77, or a newer patched version
Plugin: WC Builder – WooCommerce Page Builder for WPBakery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version
Plugin: Order Tip for WooCommerce
Vulnerability: Missing Authorization to Unauthenticated Data Export
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3.2
Recommended Action: Update to version 2.4.3.2, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Missing Authorization to Authenticated (Author+) Arbitrary Post Slug Modification
Patched Version: 2.4.3.2
Recommended Action: Update to version 2.4.3.2, or a newer patched version
Plugin: WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing)
Vulnerability: Sensitive Information Exposure via export_users
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: Grid Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.12
Recommended Action: Update to version 5.9.12, or a newer patched version
Plugin: WP Coder – Code Snippets + HTML, CSS, JS and PHP Injection
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version
Plugin: Modal Window – create popup modal window
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Missing Authorization via get_uri_editor
Patched Version: 2.4.3.2
Recommended Action: Update to version 2.4.3.2, or a newer patched version
Plugin: Survey Maker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title
Patched Version: 3.13.2
Recommended Action: Update to version 3.13.2, or a newer patched version
Plugin: BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages
Vulnerability: Authenticated (Subscriber+) PHP Object Injection in get_simple_request
Patched Version: 3.4.21
Recommended Action: Update to version 3.4.21, or a newer patched version
Plugin: Easy Social Share Buttons for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.5
Recommended Action: Update to version 9.5, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 21.3.5
Recommended Action: Update to version 21.3.5, or a newer patched version
Plugin: Link Whisper Free
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.6.9
Recommended Action: Update to version 0.6.9, or a newer patched version
Plugin: Link Whisper Free
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 0.7.2
Recommended Action: Update to version 0.7.2, or a newer patched version
Plugin: Premium Packages – Sell Digital Products Securely
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version
Plugin: Crisp – Live Chat and Chatbot
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 0.45
Recommended Action: Update to version 0.45, or a newer patched version
Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.1.8
Recommended Action: Update to version 7.1.8, or a newer patched version
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HowTo block attributes
Patched Version: 1.0.215
Recommended Action: Update to version 1.0.215, or a newer patched version
Plugin: WordPress Tooltips
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 9.4.5
Recommended Action: Update to version 9.4.5, or a newer patched version
Plugin: LiquidPoll – Polls, Surveys, NPS and Feedback Reviews
Vulnerability: Information Exposure
Patched Version: 3.3.77
Recommended Action: Update to version 3.3.77, or a newer patched version
Plugin: BackWPup – WordPress Backup & Restore Plugin
Vulnerability: Sensitive Information Exposure
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version
Plugin: WordPress Infinite Scroll – Ajax Load More
Vulnerability: Authenticated (Admin+) Directory Traversal to Arbitrary File Read
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version
Plugin: WP Popups – WordPress Popup builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.5.6
Recommended Action: Update to version 2.1.5.6, or a newer patched version
Plugin: Memberpress
Vulnerability: Reflected Cross-Site Scripting via message and error
Patched Version: 1.11.27
Recommended Action: Update to version 1.11.27, or a newer patched version
Plugin: WP Change Email Sender
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: WP Compress – Instant Performance & Speed Optimization
Vulnerability: Missing Authorization to Unauthenticated CDN Modification
Patched Version: 6.11.11
Recommended Action: Update to version 6.11.11, or a newer patched version
Plugin: Sell Tickets – Event Ticketing and Event Registration – Ticket Tailor for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version
Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget
Patched Version: 2.0.5.7
Recommended Action: Update to version 2.0.5.7, or a newer patched version
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.0.30
Recommended Action: Update to version 9.0.30, or a newer patched version
Plugin: MapPress Maps for WordPress
Vulnerability: Insufficient Authorization to Information Disclosure
Patched Version: 2.88.16
Recommended Action: Update to version 2.88.16, or a newer patched version
Plugin: FlatPM – Ad Manager, AdSense and Custom Code
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.05
Recommended Action: Update to version 3.1.05, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.12.11
Recommended Action: Update to version 1.12.11, or a newer patched version
Plugin: PDF Builder for WPForms
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.89
Recommended Action: Update to version 1.2.89, or a newer patched version
Plugin: CM Download Manager – Document and File Management
Vulnerability: Cross-Site Request Forgery via editHeader
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: WordPress Ping Optimizer
Vulnerability: Cross-Site Request Forgery to Log Clearing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Doneren met Mollie
Vulnerability: Unauthenticated Reflected Cross-Site Scripting via search
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version
Plugin: OxyExtras
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3.1
Recommended Action: Update to version 2.4.3.1, or a newer patched version
Plugin: EasyAzon – Amazon Associates Affiliate Plugin
Vulnerability: Missing Authorization on AJAX actions
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via link
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.6.0
Recommended Action: Update to version 5.2.6.0, or a newer patched version
Plugin: Tutor LMS Elementor Addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: WP Responsive Tabs horizontal vertical and accordion Tabs
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.18
Recommended Action: Update to version 1.1.18, or a newer patched version
Plugin: iCalendrier
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.81
Recommended Action: Update to version 1.81, or a newer patched version
Plugin: WEN Responsive Columns
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Colibri Page Builder
Vulnerability: Missing Authorization
Patched Version: 1.0.249
Recommended Action: Update to version 1.0.249, or a newer patched version
Plugin: Portfolio Gallery – Image Gallery Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: PrettyLinks – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version
Plugin: SEO Backlink Monitor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Contact Form 7 – PayPal & Stripe Add-on
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Custom WooCommerce Checkout Fields Editor
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Check & Log Email – Easy Email Testing & Mail logging
Vulnerability: Unauthenticated Hook Injection
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version
Plugin: MJM Clinic
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.23
Recommended Action: Update to version 1.1.23, or a newer patched version
Plugin: Testimonial Slider
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version
Plugin: Social Media Share Buttons
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stratum – Elementor Widgets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version
Plugin: Media Library Assistant
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 3.14
Recommended Action: Update to version 3.14, or a newer patched version
Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 20240216
Recommended Action: Update to version 20240216, or a newer patched version
Plugin: Contests by Rewards Fuel
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via update_rewards_fuel_api_key
Patched Version: 2.0.65
Recommended Action: Update to version 2.0.65, or a newer patched version
Plugin: MJM Clinic
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.1.23
Recommended Action: Update to version 1.1.23, or a newer patched version
Plugin: Caret Country Access Limit
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: JetWidgets For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Button URL
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version
Plugin: Tracking Code Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via force_fit
Patched Version: 2.2.27
Recommended Action: Update to version 2.2.27, or a newer patched version
Plugin: WooCommerce Customers Manager
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 29.7
Recommended Action: Update to version 29.7, or a newer patched version
Plugin: MyBookTable Bookstore by Stormhill Media
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version
Plugin: Piotnet Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.26
Recommended Action: Update to version 2.4.26, or a newer patched version
Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.5.6
Recommended Action: Update to version 2.0.5.6, or a newer patched version
Plugin: Database for Contact Form 7
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: PrettyLinks – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
Vulnerability: Reflected Cross-Site Scripting via post_status
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 4.0.27
Recommended Action: Update to version 4.0.27, or a newer patched version
Plugin: WP Armour – Honeypot Anti Spam
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.14
Recommended Action: Update to version 2.1.14, or a newer patched version
Plugin: WP Dashboard Notes
Vulnerability: Insecure Direct Object References to Authenticated Private Note Deletion
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version
Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.9.21
Recommended Action: Update to version 6.9.21, or a newer patched version
Plugin: Easy Property Listings
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version
Plugin: WishSuite – Wishlist for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Standout Color Boxes and Buttons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Reflected Cross-Site Scripting via campaign_id
Patched Version: 5.7.12
Recommended Action: Update to version 5.7.12, or a newer patched version
Plugin: Super Page Cache
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.7.6
Recommended Action: Update to version 4.7.6, or a newer patched version
Plugin: WordPress Automatic Plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.92.1
Recommended Action: Update to version 3.92.1, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version
Plugin: Visualizer: Tables and Charts Manager for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.10.6
Recommended Action: Update to version 3.10.6, or a newer patched version
Plugin: Frontend Dashboard
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: Alt Manager
Vulnerability: Missing Authorization
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Passwordless Login
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: fitness calculators
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Cards for Beaver Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via bootstrapcard link
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Advanced Search
Vulnerability: Cross-Site Request Forgery to Shortcode Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MailChimp Forms by MailMunch
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.11.16
Recommended Action: Update to version 2.11.16, or a newer patched version
Plugin: WP User Profile Avatar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: GamiPress – Button
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: DoLogin Security
Vulnerability: Missing Authorization via REST Endpoints
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version
Plugin: Ebook Store
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.8002
Recommended Action: Update to version 5.8002, or a newer patched version
Plugin: Podlove Podcast Publisher
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.10
Recommended Action: Update to version 4.0.10, or a newer patched version
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.3.3.1
Recommended Action: Update to version 1.3.3.1, or a newer patched version
Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.11.9
Recommended Action: Update to version 2.11.9, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: WP Directory Kit
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Better Search – Relevant search results for WordPress
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Widget
Patched Version: 3.2.26
Recommended Action: Update to version 3.2.26, or a newer patched version
Plugin: PDF Embedder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7.1
Recommended Action: Update to version 4.7.1, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9.1
Recommended Action: Update to version 2.6.9.1, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.1.0
Recommended Action: Update to version 5.3.1.0, or a newer patched version
Plugin: Pz-LinkCard
Vulnerability: Cross-Site Request Forgery via page_cacheman
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version
Plugin: Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More.
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via process.php
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version
Plugin: Blocksy Companion
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.32
Recommended Action: Update to version 2.0.32, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.12
Recommended Action: Update to version 5.9.12, or a newer patched version
Plugin: Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: Tumult Hype Animations
Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 1.9.13
Recommended Action: Update to version 1.9.13, or a newer patched version
Plugin: Survey Maker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version
Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version
Plugin: WooCommerce Google Feed Manager
Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.78
Recommended Action: Update to version 3.1.78, or a newer patched version
Plugin: Smart Online Order for Clover
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: GD Rating System
Vulnerability: Unauthenticated Stored Cross-Site Scripting via IP
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version
Plugin: NPS computy
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: YITH WooCommerce Product Add-Ons
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 4.6.0
Recommended Action: Update to version 4.6.0, or a newer patched version
Plugin: The Ultimate Video Player For WordPress – by Presto Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: DecaLog
Vulnerability: Authenticated (Admin+) SQL injection
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via custom attributes
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version
Plugin: Product Import Export for WooCommerce – Import Export Product CSV Suite
Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: Breeze – WordPress Cache Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via breeze_api_token
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘embedpress_doc_custom_color’
Patched Version: 3.9.13
Recommended Action: Update to version 3.9.13, or a newer patched version
Plugin: Co-marquage service-public.fr
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 0.5.72
Recommended Action: Update to version 0.5.72, or a newer patched version
Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 12.3.17
Recommended Action: Update to version 12.3.17, or a newer patched version
Plugin: Hot Random Image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Path Widget
Patched Version: 3.20.3
Recommended Action: Update to version 3.20.3, or a newer patched version
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: WP Post Disclaimer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: OneClick Chat to Order
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Email Subscription Popup
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.21
Recommended Action: Update to version 1.2.21, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Attribute
Patched Version: 3.9.13
Recommended Action: Update to version 3.9.13, or a newer patched version
Plugin: Aparat for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Advanced Sermons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.2.7
Recommended Action: Update to version 4.2.7, or a newer patched version
Plugin: Jeg Elementor Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Tags
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: Five Star Restaurant Menu and Food Ordering
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version
Plugin: WP Fusion Lite – Marketing Automation and CRM Integration for WordPress
Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 3.42.10
Recommended Action: Update to version 3.42.10, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Reflected Cross-Site Scripting via ‘thumb_url’
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version
Plugin: Seers | GDPR & CCPA Cookie Consent & Compliance
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 8.1.2
Recommended Action: Update to version 8.1.2, or a newer patched version
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version
Plugin: Invitation Code Content Restriction Plugin from CreativeMinds
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Church Admin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.0.27
Recommended Action: Update to version 4.0.27, or a newer patched version
Plugin: WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing)
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Calendarista Basic Edition – WordPress appointment booking system
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: The Moneytizer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.6.1
Recommended Action: Update to version 9.6.1, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.24
Recommended Action: Update to version 4.0.24, or a newer patched version
Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: WooCommerce POS – Point of Sale
Vulnerability: Insufficient Verification of Data Authenticity to Authenticated (Customer+) Information Disclosure
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version
Plugin: Video Playlist For YouTube
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version
Plugin: WP SendFox
Vulnerability: Missing Authorization
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Translate WordPress and go Multilingual – Weglot
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Inline Related Posts
Vulnerability: Information Exposure
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: Tainacan
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 0.20.7
Recommended Action: Update to version 0.20.7, or a newer patched version
Plugin: wp-mpdf
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Local File Inclusion via Clients Widget
Patched Version: 5.4.2
Recommended Action: Update to version 5.4.2, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version
Plugin: Download Manager Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.85
Recommended Action: Update to version 3.2.85, or a newer patched version
Plugin: Property Hive
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Premmerce Permalink Manager for WooCommerce
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version
Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 6.7.9
Recommended Action: Update to version 6.7.9, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.2.3
Recommended Action: Update to version 8.2.3, or a newer patched version
Plugin: Cryptocurrency Widgets – Price Ticker & Coins List
Vulnerability: Missing Authorization
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
Plugin: WC Shop Sync – Square Payment Gateway for WooCommerce, Inventory Sync Between Square and WooCommerce, Ultimate WooCommerce Square Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version
Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.6.7.9
Recommended Action: Update to version 1.6.7.9, or a newer patched version
Plugin: CM Download Manager – Document and File Management
Vulnerability: Cross-Site Request Forgery via delHeader
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version
Plugin: Zoho Campaigns
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: WooCommerce License Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version
Plugin: AntiSpam for Contact Form 7
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.6.1
Recommended Action: Update to version 0.6.1, or a newer patched version
Plugin: Proofreading
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Move Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Smart Custom Fields
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Post Content Disclosure
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version
Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.9.21
Recommended Action: Update to version 6.9.21, or a newer patched version
Plugin: VK All in One Expansion Unit
Vulnerability: Information Exposure
Patched Version: 9.96.0.0
Recommended Action: Update to version 9.96.0.0, or a newer patched version
Plugin: Dracula Dark Mode – Enhanced Accessibility, Dark Mode & Reading Mode for WordPress
Vulnerability: The Revolutionary Dark Mode Plugin For WordPress <= 1.0.8
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Photo Gallery by Ays – Responsive Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.3
Recommended Action: Update to version 5.5.3, or a newer patched version
Plugin: Seriously Simple Podcasting
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: WP Calameo
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: WP Fast Total Search – The Power of Indexed Search
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via WPFTS Live Search Widget
Patched Version: 1.60.213
Recommended Action: Update to version 1.60.213, or a newer patched version
Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via ratings
Patched Version: 3.4.6
Recommended Action: Update to version 3.4.6, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Form Widget SVGZ File Upload
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version
Plugin: League Table – WordPress Table Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version
Plugin: Fullscreen Galleria
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.12
Recommended Action: Update to version 1.6.12, or a newer patched version
Plugin: Web Icons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.0.11
Recommended Action: Update to version 1.0.0.11, or a newer patched version
Plugin: demon image annotation
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.4
Recommended Action: Update to version 5.4, or a newer patched version
Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin
Vulnerability: 2.3.9
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: MW WP Form
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 5.1.0
Recommended Action: Update to version 5.1.0, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.2.20
Recommended Action: Update to version 3.2.20, or a newer patched version
Plugin: Visual Composer Website Builder
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 45.7.0
Recommended Action: Update to version 45.7.0, or a newer patched version
Plugin: DSGVO All in one for WP
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Locatoraid Store Locator
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.9.31
Recommended Action: Update to version 3.9.31, or a newer patched version
Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 6.8.7
Recommended Action: Update to version 6.8.7, or a newer patched version
Plugin: Compact WP Audio Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fileurl
Patched Version: 1.9.10
Recommended Action: Update to version 1.9.10, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Authentication Bypass
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: WP Media folder
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version
Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 20240223
Recommended Action: Update to version 20240223, or a newer patched version
Plugin: CM Download Manager – Document and File Management
Vulnerability: Cross-Site Request Forgery via unpublishHeader
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.17
Recommended Action: Update to version 4.10.17, or a newer patched version
Plugin: Property Hive
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version
Plugin: ePoll – Best WordPress Voting Plugin for Poll & Contest
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Missing Authorization via mpg_get_log_by_project_id
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: ARI Stream Quiz – WordPress Quizzes Builder
Vulnerability: Authenticated (Contributor+) Content Injection
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Create by Mediavine
Vulnerability: Unauthenticated SQL Injection via ‘id’
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version
Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Vulnerability: Missing Authorization
Patched Version: 6.1.11
Recommended Action: Update to version 6.1.11, or a newer patched version
Plugin: Action Network
Vulnerability: No subtitle
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: Simple Buttons Creator
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Add Button
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.