Watch Out Wednesday – March 27, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Shariff Wrapper

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.11
Recommended Action: Update to version 4.6.11, or a newer patched version

Plugin: Remove Duplicate Posts

Vulnerability: Missing Authorization to Post Deletion
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: GigPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Crypto Converter ⚡ Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: Rocket Maintenance Mode & Coming Soon Page

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: Image Hover Effects – Elementor Addon

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘eihe_align’
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Church Admin

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.0.28
Recommended Action: Update to version 4.0.28, or a newer patched version

Plugin: Web3 – Crypto wallet Login & NFT token gating

Vulnerability: Authentication Bypass
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: CRM Memberships

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Lister Lite for Amazon

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Vulnerability: Missing Authorization via get_players
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version

Plugin: Video Conferencing with Zoom

Vulnerability: Sensitive Information Exposure
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version

Plugin: Themify Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 1.6.7.9
Recommended Action: Update to version 1.6.7.9, or a newer patched version

Plugin: Co-marquage service-public.fr

Vulnerability: Reflected Cross-Site Scripting via search_term
Patched Version: 0.5.73
Recommended Action: Update to version 0.5.73, or a newer patched version

Plugin: WP Smart Import : Import any XML File to WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Scrollsequence – Cinematic Scroll Image Animation Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: HT Easy GA4 – Google Analytics WordPress Plugin

Vulnerability: Missing Authorization to Unauthenticated GA4 Email Update
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: canvasio3D Light

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting via ‘image_url’
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version

Plugin: Olive One Click Demo Import

Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: WordPress Automatic Plugin

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 3.92.1
Recommended Action: Update to version 3.92.1, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting via ‘current_url’
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version

Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version

Plugin: Podlove Web Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version

Plugin: Slider by Supsystic

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.8.11
Recommended Action: Update to version 1.8.11, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting via ‘image_id’
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version

Plugin: WP Ultimate Review

Vulnerability: Cross-Site Request Forgery via wur_settings_view
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: Authenticated (Editor+) Remote Code Execution
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.23
Recommended Action: Update to version 1.6.23, or a newer patched version

Plugin: WPFront Notification Bar

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Free Downloads WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.8.3
Recommended Action: Update to version 3.5.8.3, or a newer patched version

Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.12.8
Recommended Action: Update to version 5.12.8, or a newer patched version

Plugin: Restrict User Access – Ultimate Membership & Content Protection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Photo Gallery by Supsystic

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.15.17
Recommended Action: Update to version 1.15.17, or a newer patched version

Plugin: Easy Maintenance Mode

Vulnerability: Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.29.1
Recommended Action: Update to version 1.29.1, or a newer patched version

Plugin: WP Crontrol

Vulnerability: Remote Code Execution
Patched Version: 1.16.2
Recommended Action: Update to version 1.16.2, or a newer patched version

Plugin: Responsive Tabs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: 360 Javascript Viewer

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 1.7.13
Recommended Action: Update to version 1.7.13, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘note_color’ Shortcode
Patched Version: 7.0.5
Recommended Action: Update to version 7.0.5, or a newer patched version

Plugin: VK All in One Expansion Unit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via className
Patched Version: 9.97.0.0
Recommended Action: Update to version 9.97.0.0, or a newer patched version

Plugin: WP Customer Reviews

Vulnerability: Authenticated (Contributor+) Malicious Redirect via HTTP-EQUIV Injection
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: BuddyPress Moderation

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zippy

Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: 1.6.10
Recommended Action: Update to version 1.6.10, or a newer patched version

Plugin: Preview E-mails for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version

Plugin: Site Reviews

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 6.11.7
Recommended Action: Update to version 6.11.7, or a newer patched version

Plugin: AI Engine

Vulnerability: Authenticated (Editor+) Server-Side Request Forgery
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: User profile

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.21
Recommended Action: Update to version 2.0.21, or a newer patched version

Plugin: Dropdown multisite selector

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 0.9.2.1
Recommended Action: Update to version 0.9.2.1, or a newer patched version

Plugin: Fancy Comments WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.15
Recommended Action: Update to version 1.2.15, or a newer patched version

Plugin: Simply Static – The WordPress Static Site Generator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Analytics Insights – Google Analytics Dashboard for WordPress

Vulnerability: Open Redirect
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: Travelers' Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Socialdriver

Vulnerability: Prototype Pollution
Patched Version: 2024
Recommended Action: Update to version 2024, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.5.44.7212
Recommended Action: Update to version 7.5.44.7212, or a newer patched version

Plugin: 360 Javascript Viewer

Vulnerability: Missing Authorization
Patched Version: 1.7.12
Recommended Action: Update to version 1.7.12, or a newer patched version

Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Cincopa video and media plug-in

Vulnerability: Cross-Site Request Forgery via cincopa_mp_mt_options_page
Patched Version: 1.160
Recommended Action: Update to version 1.160, or a newer patched version

Plugin: Easy PopUp Show

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Tickets Plus

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version

Plugin: Contact Form to Any API

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: HTML Forms – Simple WordPress Forms Plugin

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 1.3.30
Recommended Action: Update to version 1.3.30, or a newer patched version

Plugin: Exchange Rates Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Smart Forms – when you need more than just a contact form

Vulnerability: Missing Authorization
Patched Version: 2.6.87
Recommended Action: Update to version 2.6.87, or a newer patched version

Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 21.3.2.1
Recommended Action: Update to version 21.3.2.1, or a newer patched version

Plugin: WPBakery Page Builder Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Event Tickets and Registration

Vulnerability: Improper Authorization to Information Disclosure
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Product Title
Patched Version: 6.1.81
Recommended Action: Update to version 6.1.81, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.4.3
Recommended Action: Update to version 1.1.4.3, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Team Member Listing
Patched Version: 5.4.2
Recommended Action: Update to version 5.4.2, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.11.8
Recommended Action: Update to version 2.11.8, or a newer patched version

Plugin: Network Summary

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Max Mega Menu

Vulnerability: Missing Authorization
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Top Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: WP-Lister Lite for Amazon

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.6.12
Recommended Action: Update to version 2.6.12, or a newer patched version

Plugin: Church Admin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via meta-text
Patched Version: 4.1.18
Recommended Action: Update to version 4.1.18, or a newer patched version

Plugin: Calendarista

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 15.5.9
Recommended Action: Update to version 15.5.9, or a newer patched version

Plugin: canvasio3D Light

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HT Easy GA4 – Google Analytics WordPress Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: WooCommerce Cloak Affiliate Links

Vulnerability: Missing Authorization to Unauthenticated Permalink Modification
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version

Plugin: StreamWeasels Twitch Integration

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: AI Content Writing Assistant

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Media Cloud for Bunny CDN, Amazon S3, Cloudflare R2, Google Cloud Storage, DigitalOcean and more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.5.25
Recommended Action: Update to version 4.5.25, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.18.3
Recommended Action: Update to version 1.18.3, or a newer patched version

Plugin: Slider Hero with Video Background, Animation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.7.0
Recommended Action: Update to version 8.7.0, or a newer patched version

Plugin: Favicon Rotator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: MapPress Maps for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.88.15
Recommended Action: Update to version 2.88.15, or a newer patched version

Plugin: Woo Viet – WooCommerce for Vietnam

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 4.0.27
Recommended Action: Update to version 4.0.27, or a newer patched version

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.6.24
Recommended Action: Update to version 1.6.6.24, or a newer patched version

Plugin: Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 13.2.6
Recommended Action: Update to version 13.2.6, or a newer patched version

Plugin: AI Post Generator | AutoWriter

Vulnerability: Missing Authorization
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Simple Buttons Creator

Vulnerability: Cross-Site Request Forgery to Arbitrary Button Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Tabs

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Bulk NoIndex & NoFollow Toolkit

Vulnerability: Reflected Cross-Site Scripting via tab, order, and orderby
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: AFI – The Easiest Integration Plugin

Vulnerability: SQL Injection to Reflected Cross-Site Scripting via integration_id
Patched Version: 1.82.6
Recommended Action: Update to version 1.82.6, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via class
Patched Version: 4.7.7
Recommended Action: Update to version 4.7.7, or a newer patched version

Plugin: SEOPress – On-site SEO

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: WP Edit Username

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.13.64
Recommended Action: Update to version 7.13.64, or a newer patched version

Plugin: WooThumbs for WooCommerce by Iconic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: FeedFocal

Vulnerability: Missing Authorization via feedfocal_api_setup REST function
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Coming Soon & Maintenance Mode by Colorlib

Vulnerability: Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Sermons

Vulnerability: Reflected Cross-Site Scripting via s
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: NPS computy

Vulnerability: Cross-Site Request Forgery to Results Deletion
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.28
Recommended Action: Update to version 1.0.28, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Insufficient Authorization
Patched Version: 4.9.9
Recommended Action: Update to version 4.9.9, or a newer patched version

Plugin: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.26.3
Recommended Action: Update to version 1.26.3, or a newer patched version

Plugin: Smart Forms – when you need more than just a contact form

Vulnerability: Missing Authorization
Patched Version: 2.6.94
Recommended Action: Update to version 2.6.94, or a newer patched version

Plugin: WP Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Specific Content For Mobile – Customize the mobile version without redirections

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.9.6
Recommended Action: Update to version 0.1.9.6, or a newer patched version

Plugin: Korea SNS

Vulnerability: Cross-Site Request Forgery via kon_tergos_options
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Page Builder by SiteOrigin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Legacy Image Widget
Patched Version: 2.29.7
Recommended Action: Update to version 2.29.7, or a newer patched version

Plugin: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version

Plugin: Lightweight Accordion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.17
Recommended Action: Update to version 1.5.17, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via video_html_tag
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version

Plugin: Sitekit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Sensitive Information Exposure
Patched Version: 1.15.23
Recommended Action: Update to version 1.15.23, or a newer patched version

Plugin: Page Builder Gutenberg Blocks – CoBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: WP CleanFix

Vulnerability: Missing Authorization via register
Patched Version: 5.7.0
Recommended Action: Update to version 5.7.0, or a newer patched version

Plugin: WooCommerce Clover Payment Gateway

Vulnerability: Missing Authorization via callback_handler
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: File Manager

Vulnerability: Cross-Site Request Forgery to Local JS File Inclusion
Patched Version: 7.2.5
Recommended Action: Update to version 7.2.5, or a newer patched version

Plugin: ReDi Restaurant Reservation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 24.0303
Recommended Action: Update to version 24.0303, or a newer patched version

Plugin: Shipping with Venipak for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via ‘venipak_labels_link’
Patched Version: 1.19.6
Recommended Action: Update to version 1.19.6, or a newer patched version

Plugin: Off-Canvas Sidebars & Menus (Slidebars)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.5.8.2
Recommended Action: Update to version 0.5.8.2, or a newer patched version

Plugin: Contact Form

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version

Plugin: Events Tickets Plus

Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version

Plugin: Triberr

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: WordPress Contact Forms by Cimatti

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via settings
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version

Plugin: RoyalSlider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.5.44.7212
Recommended Action: Update to version 7.5.44.7212, or a newer patched version

Plugin: WordPress Automatic Plugin

Vulnerability: Unauthenticated Arbitrary File Download and Server-Side Request Forgery
Patched Version: 3.92.1
Recommended Action: Update to version 3.92.1, or a newer patched version

Plugin: Meta Box

Vulnerability: Authenticated (Contributor+) Information Exposure via Post Meta
Patched Version: 5.9.4
Recommended Action: Update to version 5.9.4, or a newer patched version

Plugin: Builder for WooCommerce product reviews shortcodes – ReviewShort

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.01.4
Recommended Action: Update to version 1.01.4, or a newer patched version

Plugin: Web Application Firewall – website security

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Hercules Core

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 5.3.2.0
Recommended Action: Update to version 5.3.2.0, or a newer patched version

Plugin: WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing)

Vulnerability: Authenticated (Subscriber+) Missing Authorization via multiple AJAX actions
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Envo's Elementor Templates & Widgets for WooCommerce

Vulnerability: Cross-Site Request Forgery via ajax_theme_activation
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Easy Textillate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.02
Recommended Action: Update to version 2.02, or a newer patched version

Plugin: Real Media Library: Media Library Folder & File Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.22.8
Recommended Action: Update to version 4.22.8, or a newer patched version

Plugin: Contests by Rewards Fuel

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.0.63
Recommended Action: Update to version 2.0.63, or a newer patched version

Plugin: WooCommerce

Vulnerability: Missing Authorization to Private/Draft Product Disclosure
Patched Version: 8.6
Recommended Action: Update to version 8.6, or a newer patched version

Plugin: WP Reset – Most Advanced WordPress Reset Tool

Vulnerability: Sensitive Information Exposure due to Insufficient Randomness
Patched Version: 2.01
Recommended Action: Update to version 2.01, or a newer patched version

Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 2.11.19
Recommended Action: Update to version 2.11.19, or a newer patched version

Plugin: Multi Currency For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Calculated Fields Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.55
Recommended Action: Update to version 1.2.55, or a newer patched version

Plugin: PilotPress

Vulnerability: Authenticated (Subscriber+) Missing Authorization via multiple AJAX functions
Patched Version: 2.0.31
Recommended Action: Update to version 2.0.31, or a newer patched version

Plugin: Event post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version

Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.94
Recommended Action: Update to version 1.5.94, or a newer patched version

Plugin: ApplyOnline – Application Form Builder and Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Getwid – Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Content
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fb_appid
Patched Version: 6.5.4
Recommended Action: Update to version 6.5.4, or a newer patched version

Plugin: MyCurator Content Curation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.77
Recommended Action: Update to version 3.77, or a newer patched version

Plugin: WC Builder – WooCommerce Page Builder for WPBakery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: Order Tip for WooCommerce

Vulnerability: Missing Authorization to Unauthenticated Data Export
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3.2
Recommended Action: Update to version 2.4.3.2, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Missing Authorization to Authenticated (Author+) Arbitrary Post Slug Modification
Patched Version: 2.4.3.2
Recommended Action: Update to version 2.4.3.2, or a newer patched version

Plugin: WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing)

Vulnerability: Sensitive Information Exposure via export_users
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Grid Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.12
Recommended Action: Update to version 5.9.12, or a newer patched version

Plugin: WP Coder – Code Snippets + HTML, CSS, JS and PHP Injection

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Modal Window – create popup modal window

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Missing Authorization via get_uri_editor
Patched Version: 2.4.3.2
Recommended Action: Update to version 2.4.3.2, or a newer patched version

Plugin: Survey Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title
Patched Version: 3.13.2
Recommended Action: Update to version 3.13.2, or a newer patched version

Plugin: BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages

Vulnerability: Authenticated (Subscriber+) PHP Object Injection in get_simple_request
Patched Version: 3.4.21
Recommended Action: Update to version 3.4.21, or a newer patched version

Plugin: Easy Social Share Buttons for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.5
Recommended Action: Update to version 9.5, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 21.3.5
Recommended Action: Update to version 21.3.5, or a newer patched version

Plugin: Link Whisper Free

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.6.9
Recommended Action: Update to version 0.6.9, or a newer patched version

Plugin: Link Whisper Free

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 0.7.2
Recommended Action: Update to version 0.7.2, or a newer patched version

Plugin: Premium Packages – Sell Digital Products Securely

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version

Plugin: Crisp – Live Chat and Chatbot

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 0.45
Recommended Action: Update to version 0.45, or a newer patched version

Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.1.8
Recommended Action: Update to version 7.1.8, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HowTo block attributes
Patched Version: 1.0.215
Recommended Action: Update to version 1.0.215, or a newer patched version

Plugin: WordPress Tooltips

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 9.4.5
Recommended Action: Update to version 9.4.5, or a newer patched version

Plugin: LiquidPoll – Polls, Surveys, NPS and Feedback Reviews

Vulnerability: Information Exposure
Patched Version: 3.3.77
Recommended Action: Update to version 3.3.77, or a newer patched version

Plugin: BackWPup – WordPress Backup & Restore Plugin

Vulnerability: Sensitive Information Exposure
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Authenticated (Admin+) Directory Traversal to Arbitrary File Read
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version

Plugin: WP Popups – WordPress Popup builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.5.6
Recommended Action: Update to version 2.1.5.6, or a newer patched version

Plugin: Memberpress

Vulnerability: Reflected Cross-Site Scripting via message and error
Patched Version: 1.11.27
Recommended Action: Update to version 1.11.27, or a newer patched version

Plugin: WP Change Email Sender

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: WP Compress – Instant Performance & Speed Optimization

Vulnerability: Missing Authorization to Unauthenticated CDN Modification
Patched Version: 6.11.11
Recommended Action: Update to version 6.11.11, or a newer patched version

Plugin: Sell Tickets – Event Ticketing and Event Registration – Ticket Tailor for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget
Patched Version: 2.0.5.7
Recommended Action: Update to version 2.0.5.7, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.0.30
Recommended Action: Update to version 9.0.30, or a newer patched version

Plugin: MapPress Maps for WordPress

Vulnerability: Insufficient Authorization to Information Disclosure
Patched Version: 2.88.16
Recommended Action: Update to version 2.88.16, or a newer patched version

Plugin: FlatPM – Ad Manager, AdSense and Custom Code

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.05
Recommended Action: Update to version 3.1.05, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.12.11
Recommended Action: Update to version 1.12.11, or a newer patched version

Plugin: PDF Builder for WPForms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.89
Recommended Action: Update to version 1.2.89, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Cross-Site Request Forgery via editHeader
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: WordPress Ping Optimizer

Vulnerability: Cross-Site Request Forgery to Log Clearing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Doneren met Mollie

Vulnerability: Unauthenticated Reflected Cross-Site Scripting via search
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version

Plugin: OxyExtras

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3.1
Recommended Action: Update to version 2.4.3.1, or a newer patched version

Plugin: EasyAzon – Amazon Associates Affiliate Plugin

Vulnerability: Missing Authorization on AJAX actions
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via link
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.6.0
Recommended Action: Update to version 5.2.6.0, or a newer patched version

Plugin: Tutor LMS Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: WP Responsive Tabs horizontal vertical and accordion Tabs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.18
Recommended Action: Update to version 1.1.18, or a newer patched version

Plugin: iCalendrier

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.81
Recommended Action: Update to version 1.81, or a newer patched version

Plugin: WEN Responsive Columns

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Missing Authorization
Patched Version: 1.0.249
Recommended Action: Update to version 1.0.249, or a newer patched version

Plugin: Portfolio Gallery – Image Gallery Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: PrettyLinks – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: SEO Backlink Monitor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Contact Form 7 – PayPal & Stripe Add-on

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Custom WooCommerce Checkout Fields Editor

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Check & Log Email – Easy Email Testing & Mail logging

Vulnerability: Unauthenticated Hook Injection
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: MJM Clinic

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.23
Recommended Action: Update to version 1.1.23, or a newer patched version

Plugin: Testimonial Slider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Social Media Share Buttons

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stratum – Elementor Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version

Plugin: Media Library Assistant

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 3.14
Recommended Action: Update to version 3.14, or a newer patched version

Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 20240216
Recommended Action: Update to version 20240216, or a newer patched version

Plugin: Contests by Rewards Fuel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via update_rewards_fuel_api_key
Patched Version: 2.0.65
Recommended Action: Update to version 2.0.65, or a newer patched version

Plugin: MJM Clinic

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.1.23
Recommended Action: Update to version 1.1.23, or a newer patched version

Plugin: Caret Country Access Limit

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: JetWidgets For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Button URL
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version

Plugin: Tracking Code Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via force_fit
Patched Version: 2.2.27
Recommended Action: Update to version 2.2.27, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 29.7
Recommended Action: Update to version 29.7, or a newer patched version

Plugin: MyBookTable Bookstore by Stormhill Media

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version

Plugin: Piotnet Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.26
Recommended Action: Update to version 2.4.26, or a newer patched version

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.5.6
Recommended Action: Update to version 2.0.5.6, or a newer patched version

Plugin: Database for Contact Form 7

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: PrettyLinks – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: Reflected Cross-Site Scripting via post_status
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 4.0.27
Recommended Action: Update to version 4.0.27, or a newer patched version

Plugin: WP Armour – Honeypot Anti Spam

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.14
Recommended Action: Update to version 2.1.14, or a newer patched version

Plugin: WP Dashboard Notes

Vulnerability: Insecure Direct Object References to Authenticated Private Note Deletion
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version

Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.9.21
Recommended Action: Update to version 6.9.21, or a newer patched version

Plugin: Easy Property Listings

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: WishSuite – Wishlist for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Standout Color Boxes and Buttons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Reflected Cross-Site Scripting via campaign_id
Patched Version: 5.7.12
Recommended Action: Update to version 5.7.12, or a newer patched version

Plugin: Super Page Cache

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.7.6
Recommended Action: Update to version 4.7.6, or a newer patched version

Plugin: WordPress Automatic Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.92.1
Recommended Action: Update to version 3.92.1, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.10.6
Recommended Action: Update to version 3.10.6, or a newer patched version

Plugin: Frontend Dashboard

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Alt Manager

Vulnerability: Missing Authorization
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Passwordless Login

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: fitness calculators

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Cards for Beaver Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via bootstrapcard link
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Advanced Search

Vulnerability: Cross-Site Request Forgery to Shortcode Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MailChimp Forms by MailMunch

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.11.16
Recommended Action: Update to version 2.11.16, or a newer patched version

Plugin: WP User Profile Avatar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: GamiPress – Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: DoLogin Security

Vulnerability: Missing Authorization via REST Endpoints
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: Ebook Store

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.8002
Recommended Action: Update to version 5.8002, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.10
Recommended Action: Update to version 4.0.10, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.3.3.1
Recommended Action: Update to version 1.3.3.1, or a newer patched version

Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.11.9
Recommended Action: Update to version 2.11.9, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Better Search – Relevant search results for WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Widget
Patched Version: 3.2.26
Recommended Action: Update to version 3.2.26, or a newer patched version

Plugin: PDF Embedder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7.1
Recommended Action: Update to version 4.7.1, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9.1
Recommended Action: Update to version 2.6.9.1, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.1.0
Recommended Action: Update to version 5.3.1.0, or a newer patched version

Plugin: Pz-LinkCard

Vulnerability: Cross-Site Request Forgery via page_cacheman
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version

Plugin: Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More.

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via process.php
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version

Plugin: Blocksy Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.32
Recommended Action: Update to version 2.0.32, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.12
Recommended Action: Update to version 5.9.12, or a newer patched version

Plugin: Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Tumult Hype Animations

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 1.9.13
Recommended Action: Update to version 1.9.13, or a newer patched version

Plugin: Survey Maker

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: Link Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version

Plugin: WooCommerce Google Feed Manager

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.78
Recommended Action: Update to version 3.1.78, or a newer patched version

Plugin: Smart Online Order for Clover

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: GD Rating System

Vulnerability: Unauthenticated Stored Cross-Site Scripting via IP
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: NPS computy

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: YITH WooCommerce Product Add-Ons

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 4.6.0
Recommended Action: Update to version 4.6.0, or a newer patched version

Plugin: The Ultimate Video Player For WordPress – by Presto Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: DecaLog

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via custom attributes
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: Product Import Export for WooCommerce – Import Export Product CSV Suite

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Breeze – WordPress Cache Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via breeze_api_token
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘embedpress_doc_custom_color’
Patched Version: 3.9.13
Recommended Action: Update to version 3.9.13, or a newer patched version

Plugin: Co-marquage service-public.fr

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 0.5.72
Recommended Action: Update to version 0.5.72, or a newer patched version

Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 12.3.17
Recommended Action: Update to version 12.3.17, or a newer patched version

Plugin: Hot Random Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Path Widget
Patched Version: 3.20.3
Recommended Action: Update to version 3.20.3, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: WP Post Disclaimer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: OneClick Chat to Order

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Email Subscription Popup

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.21
Recommended Action: Update to version 1.2.21, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Attribute
Patched Version: 3.9.13
Recommended Action: Update to version 3.9.13, or a newer patched version

Plugin: Aparat for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Advanced Sermons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.2.7
Recommended Action: Update to version 4.2.7, or a newer patched version

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Tags
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Five Star Restaurant Menu and Food Ordering

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version

Plugin: WP Fusion Lite – Marketing Automation and CRM Integration for WordPress

Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 3.42.10
Recommended Action: Update to version 3.42.10, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting via ‘thumb_url’
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version

Plugin: Seers | GDPR & CCPA Cookie Consent & Compliance

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 8.1.2
Recommended Action: Update to version 8.1.2, or a newer patched version

Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Invitation Code Content Restriction Plugin from CreativeMinds

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Church Admin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.0.27
Recommended Action: Update to version 4.0.27, or a newer patched version

Plugin: WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing)

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Calendarista Basic Edition – WordPress appointment booking system

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: The Moneytizer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.6.1
Recommended Action: Update to version 9.6.1, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.24
Recommended Action: Update to version 4.0.24, or a newer patched version

Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: WooCommerce POS – Point of Sale

Vulnerability: Insufficient Verification of Data Authenticity to Authenticated (Customer+) Information Disclosure
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version

Plugin: Video Playlist For YouTube

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version

Plugin: WP SendFox

Vulnerability: Missing Authorization
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Translate WordPress and go Multilingual – Weglot

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Inline Related Posts

Vulnerability: Information Exposure
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Tainacan

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 0.20.7
Recommended Action: Update to version 0.20.7, or a newer patched version

Plugin: wp-mpdf

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Clients Widget
Patched Version: 5.4.2
Recommended Action: Update to version 5.4.2, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version

Plugin: Download Manager Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.85
Recommended Action: Update to version 3.2.85, or a newer patched version

Plugin: Property Hive

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Premmerce Permalink Manager for WooCommerce

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version

Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 6.7.9
Recommended Action: Update to version 6.7.9, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.2.3
Recommended Action: Update to version 8.2.3, or a newer patched version

Plugin: Cryptocurrency Widgets – Price Ticker & Coins List

Vulnerability: Missing Authorization
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: WC Shop Sync – Square Payment Gateway for WooCommerce, Inventory Sync Between Square and WooCommerce, Ultimate WooCommerce Square Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.6.7.9
Recommended Action: Update to version 1.6.7.9, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Cross-Site Request Forgery via delHeader
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: Zoho Campaigns

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: WooCommerce License Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: AntiSpam for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.6.1
Recommended Action: Update to version 0.6.1, or a newer patched version

Plugin: Proofreading

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Move Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Smart Custom Fields

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Post Content Disclosure
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.9.21
Recommended Action: Update to version 6.9.21, or a newer patched version

Plugin: VK All in One Expansion Unit

Vulnerability: Information Exposure
Patched Version: 9.96.0.0
Recommended Action: Update to version 9.96.0.0, or a newer patched version

Plugin: Dracula Dark Mode – Enhanced Accessibility, Dark Mode & Reading Mode for WordPress

Vulnerability: Not specified (affects The Revolutionary Dark Mode Plugin For WordPress <= 1.0.8)
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.3
Recommended Action: Update to version 5.5.3, or a newer patched version

Plugin: Seriously Simple Podcasting

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: WP Calameo

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: WP Fast Total Search – The Power of Indexed Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via WPFTS Live Search Widget
Patched Version: 1.60.213
Recommended Action: Update to version 1.60.213, or a newer patched version

Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via ratings
Patched Version: 3.4.6
Recommended Action: Update to version 3.4.6, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Form Widget SVGZ File Upload
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version

Plugin: League Table – WordPress Table Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version

Plugin: Fullscreen Galleria

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.12
Recommended Action: Update to version 1.6.12, or a newer patched version

Plugin: Web Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.0.11
Recommended Action: Update to version 1.0.0.11, or a newer patched version

Plugin: demon image annotation

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.4
Recommended Action: Update to version 5.4, or a newer patched version

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Vulnerability: Not specified (affects versions <= 2.3.9)
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: MW WP Form

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 5.1.0
Recommended Action: Update to version 5.1.0, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.2.20
Recommended Action: Update to version 3.2.20, or a newer patched version

Plugin: Visual Composer Website Builder

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 45.7.0
Recommended Action: Update to version 45.7.0, or a newer patched version

Plugin: DSGVO All in one for WP

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: Locatoraid Store Locator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.9.31
Recommended Action: Update to version 3.9.31, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 6.8.7
Recommended Action: Update to version 6.8.7, or a newer patched version

Plugin: Compact WP Audio Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fileurl
Patched Version: 1.9.10
Recommended Action: Update to version 1.9.10, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Authentication Bypass
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: WP Media folder

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version

Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 20240223
Recommended Action: Update to version 20240223, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Cross-Site Request Forgery via unpublishHeader
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.17
Recommended Action: Update to version 4.10.17, or a newer patched version

Plugin: Property Hive

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: ePoll – Best WordPress Voting Plugin for Poll & Contest

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: Missing Authorization via mpg_get_log_by_project_id
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: ARI Stream Quiz – WordPress Quizzes Builder

Vulnerability: Authenticated (Contributor+) Content Injection
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Create by Mediavine

Vulnerability: Unauthenticated SQL Injection via ‘id’
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization
Patched Version: 6.1.11
Recommended Action: Update to version 6.1.11, or a newer patched version

Plugin: Action Network

Vulnerability: Not specified
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Simple Buttons Creator

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Add Button
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
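
Every entry above ends with "or a newer patched version", and deciding whether an installed version is newer is where manual checks go wrong: compared as strings, 1.6.7.10 sorts before 1.6.7.9 and 3.20.10 before 3.20.3. The script below is an added example, not part of the original post or of any plugin's code. It parses a few entries abridged from the list above in the page's own Plugin / Vulnerability / Patched Version / Recommended Action format, compares them numerically against a constructed plugin inventory shaped like `wp plugin list --format=json` output (the installed versions are hypothetical), flags plugins with no patch available, and handles a plugin that appears in more than one entry, as Property Hive does on this page. Matching on the plugin title is an assumption made for this example; in practice match on the plugin slug, since titles change between releases.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the page's own entry format; entries abridged from the list above.
ADVISORIES = """\
Plugin: Blocksy Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.32
Recommended Action: Update to version 2.0.32, or a newer patched version

Plugin: Property Hive

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Property Hive

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: Simple Buttons Creator

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Add Button
Patched Version: No patched version available
Recommended Action: No known patch available. It may be best to uninstall the affected software.
"""

# Constructed inventory shaped like `wp plugin list --fields=title,version --format=json`;
# the installed versions are hypothetical, chosen to exercise each branch below.
INSTALLED = [
    {"title": "Blocksy Companion", "version": "2.0.9"},
    {"title": "Property Hive", "version": "2.0.9"},
    {"title": "Simple Buttons Creator", "version": "1.04"},
    {"title": "Some Unlisted Plugin", "version": "9.9"},
]


@dataclass
class Advisory:
    plugin: str
    vulnerability: str
    patched: Optional[str]  # None when the entry says no patched version is available


def parse_advisories(text):
    """Split the list into Advisory records; each entry starts at a 'Plugin:' line."""
    advisories = []
    for chunk in re.split(r"(?m)^Plugin:\s*", text)[1:]:
        lines = [line.strip() for line in chunk.splitlines() if line.strip()]
        plugin = lines[0]  # title is positional, so a ':' inside it does not matter
        fields = {k.strip(): v.strip() for k, v in
                  (line.split(":", 1) for line in lines[1:] if ":" in line)}
        patched = fields.get("Patched Version", "")
        if patched.lower().startswith("no patched"):
            patched = None
        advisories.append(Advisory(plugin, fields.get("Vulnerability", ""), patched))
    return advisories


def version_key(version):
    """Numeric tuple for comparison, so '1.6.7.10' > '1.6.7.9' and '3.20.3' < '3.20.10'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(installed, patched):
    """True when installed is older than patched; shorter tuples are zero-padded ('2.0' == '2.0.0')."""
    a, b = version_key(installed), version_key(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_site(advisories, installed):
    """Return (title, finding) pairs for every installed plugin still exposed by an advisory."""
    by_title = defaultdict(list)  # one plugin can have several advisories
    for adv in advisories:
        by_title[adv.plugin.casefold()].append(adv)
    findings = []
    for plugin in installed:
        for adv in by_title.get(plugin["title"].casefold(), []):
            if adv.patched is None:
                findings.append((plugin["title"], "no patch available: " + adv.vulnerability))
            elif is_vulnerable(plugin["version"], adv.patched):
                findings.append((plugin["title"],
                                 f"{plugin['version']} < {adv.patched}: {adv.vulnerability}"))
    return findings


if __name__ == "__main__":
    for title, finding in check_site(parse_advisories(ADVISORIES), INSTALLED):
        print(f"{title}: {finding}")
```

Feed it the full list and your real inventory and the output is the work queue: entries with a version gap get an update, entries with no patch get the uninstall-or-mitigate decision the page recommends. Keep the comparison numeric; a `sort` on version strings or a `<` on them in a shell one-liner will silently mark a patched site as vulnerable and, worse, a vulnerable one as patched.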

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
