Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Seraphinite Accelerator
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery in OnAdminApi_HtmlCheck
Patched Version: 2.21
Recommended Action: Update to version 2.21, or a newer patched version
Plugin: SportsPress – Sports Club & League Manager
Vulnerability: Missing Authorization to Unauthenticated Event Permalink Update
Patched Version: 2.7.18
Recommended Action: Update to version 2.7.18, or a newer patched version
Plugin: WP eCommerce
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Blue Triad EZAnalytics
Vulnerability: Reflected Cross-Site Scripting via ‘bt_webid’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vulnerability: Cross-Site Request Forgery to Plugin Data Reset
Patched Version: 1.6.6.24
Recommended Action: Update to version 1.6.6.24, or a newer patched version
Plugin: Fontific | Google Fonts
Vulnerability: Cross-Site Request Forgery via ajax_fontific_save_all
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9.1
Recommended Action: Update to version 2.6.9.1, or a newer patched version
Plugin: WP Social Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: FeedWordPress
Vulnerability: Insecure Direct Object Reference
Patched Version: 2024.0428
Recommended Action: Update to version 2024.0428, or a newer patched version
Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.12.7
Recommended Action: Update to version 1.12.7, or a newer patched version
Plugin: Under Construction / Maintenance Mode from Acurax
Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPvivid Backup for MainWP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.33
Recommended Action: Update to version 0.9.33, or a newer patched version
Plugin: WordPress Access Control
Vulnerability: Improper Access Control to Sensitive Information Exposure via REST API
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Comments Like Dislike
Vulnerability: IP Spoofing
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: 蜜蜂采集-BeePress (article collection plugin for WeChat Official Accounts, Toutiao, Zhihu Columns, Jianshu and other platforms)
Vulnerability: Cross-Site Request Forgery via beepress-pro.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Maintenance Mode
Vulnerability: Information Exposure
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: Build & Control Block Patterns – Boost up Gutenberg Editor
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.99
Recommended Action: Update to version 1.0.99, or a newer patched version
Plugin: Nextend Social Login and Register
Vulnerability: Reflected Self-Based Cross-Site Scripting via error_description
Patched Version: 3.1.13
Recommended Action: Update to version 3.1.13, or a newer patched version
Plugin: WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Testimonial – Testimonial Slider and Showcase Plugin
Vulnerability: Missing Authorization to Authenticated (Author+) Settings Update
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version
Plugin: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
Vulnerability: Missing Authorization to Unauthenticated IP Address Whitelist
Patched Version: 4.52
Recommended Action: Update to version 4.52, or a newer patched version
Plugin: NextMove Lite – Thank You Page for WooCommerce
Vulnerability: Missing Authorization to Unauthenticated System Information Disclosure
Patched Version: 2.18.1
Recommended Action: Update to version 2.18.1, or a newer patched version
Plugin: Calculated Fields Form
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.1.57
Recommended Action: Update to version 5.1.57, or a newer patched version
Plugin: Image Optimizer, Resizer and CDN – Sirv
Vulnerability: Missing Authorization
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version
Plugin: Easy!Appointments
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Advanced Social Feeds Widget & Shortcode
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wp Social Login and Register Social Counter
Vulnerability: Missing Authorization to Unauthenticated Social Login/Share Status Update
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Missing Authorization
Patched Version: 0.9.69
Recommended Action: Update to version 0.9.69, or a newer patched version
Plugin: AI Engine
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: LiteSpeed Cache
Vulnerability: Missing Authorization via update_cdn_status
Patched Version: 5.7.0.1
Recommended Action: Update to version 5.7.0.1, or a newer patched version
Plugin: Download Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.86
Recommended Action: Update to version 3.2.86, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Not specified in this listing; affects versions <= 3.9.10
Patched Version: 3.10.0
Recommended Action: Update to version 3.10.0, or a newer patched version
Plugin: Auto Refresh Single Page
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PPOM – Product Addons & Custom Fields for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 32.0.10
Recommended Action: Update to version 32.0.10, or a newer patched version
Plugin: Visual Composer Website Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 45.7.0
Recommended Action: Update to version 45.7.0, or a newer patched version
Plugin: Events Manager – Calendar, Bookings, Tickets, and more!
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 6.4.7
Recommended Action: Update to version 6.4.7, or a newer patched version
Plugin: GenerateBlocks
Vulnerability: Sensitive Information Exposure
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Watermark RELOADED
Vulnerability: Cross-Site Request Forgery via optionsPage
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Show Posts
Vulnerability: Information Exposure
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Advanced iFrame
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2024.2
Recommended Action: Update to version 2024.2, or a newer patched version
Plugin: Page Builder Sandwich – Front End WordPress Page Builder Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Editing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget
Patched Version: 2.6.9.1
Recommended Action: Update to version 2.6.9.1, or a newer patched version
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: Cross-Site Request Forgery to Data Request Deletion
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version
Plugin: Backup and Restore WordPress – Backup Plugin
Vulnerability: Unauthenticated Information Exposure via Log Files
Patched Version: 1.50
Recommended Action: Update to version 1.50, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Banner, Team Members, and Image Scroll Widgets
Patched Version: 4.10.22
Recommended Action: Update to version 4.10.22, or a newer patched version
Plugin: Friends
Vulnerability: Authenticated (Admin+) Blind Server-Side Request Forgery
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version
Plugin: Media Alt Renamer
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via _wp_attachment_image_alt postmeta
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Password Protected Store for WooCommerce
Vulnerability: Information Exposure via REST API
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Download Manager
Vulnerability: Missing Authorization
Patched Version: 3.2.85
Recommended Action: Update to version 3.2.85, or a newer patched version
Plugin: Redirects
Vulnerability: Missing Authorization via save
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Configure SMTP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking Calendar
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.83
Recommended Action: Update to version 1.3.83, or a newer patched version
Plugin: Vimeography: Vimeo Video Gallery WordPress Plugin
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version
Plugin: Simple Membership
Vulnerability: Unauthenticated Stored Self-Based Cross-Site Scripting
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version
Plugin: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget
Vulnerability: Authenticated (Contributor+) PHP Object Injection in outpost_shortcode_metabox_markup
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: Restaurant Solutions – Checklist
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder Sandwich – Front End WordPress Page Builder Plugin
Vulnerability: Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Media
Vulnerability: Missing Authorization via generate_link_for_media
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: File Manager
Vulnerability: Directory Traversal
Patched Version: 7.2.2
Recommended Action: Update to version 7.2.2, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via su_qrcode Shortcode
Patched Version: 7.0.4
Recommended Action: Update to version 7.0.4, or a newer patched version
Plugin: Rolo Slider
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Audio Widget
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version
Plugin: Contact Form 7 – PayPal & Stripe Add-on
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via slider callback
Patched Version: 3.9.10
Recommended Action: Update to version 3.9.10, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.10.0
Recommended Action: Update to version 3.10.0, or a newer patched version
Plugin: WP eCommerce
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ebook Store
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.8002
Recommended Action: Update to version 5.8002, or a newer patched version
Plugin: JM Twitter Cards
Vulnerability: Information Exposure via Meta Description
Patched Version: 14.1.0
Recommended Action: Update to version 14.1.0, or a newer patched version
Plugin: Marketing Optimizer
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Table Truncation
Patched Version: 4.53
Recommended Action: Update to version 4.53, or a newer patched version
Plugin: Page Duplicator
Vulnerability: Missing Authorization to Unauthenticated Post/Page Duplication
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Sharing Plugin – Sassy Social Share
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.59
Recommended Action: Update to version 3.3.59, or a newer patched version
Plugin: which template file
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: System Dashboard
Vulnerability: Reflected Cross-Site Scripting via X-Forwarded-For
Patched Version: 2.8.10
Recommended Action: Update to version 2.8.10, or a newer patched version
Plugin: Slivery Extender
Vulnerability: Authenticated (Contributor+) Remote Code Execution via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.24
Recommended Action: Update to version 3.2.24, or a newer patched version
Plugin: Image Optimizer, Resizer and CDN – Sirv
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version
Plugin: Slider Responsive Slideshow – Image slider, Gallery slideshow
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Covid-19 Stats Widget
Patched Version: 2.6.9.1
Recommended Action: Update to version 2.6.9.1, or a newer patched version
Plugin: LiteSpeed Cache
Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘nameservers’ and ‘_msg’
Patched Version: 5.7.0.1
Recommended Action: Update to version 5.7.0.1, or a newer patched version
Plugin: Custom Field Suite
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version
Plugin: Travelpayouts: All Travel Brands in One Place
Vulnerability: Open Redirect
Patched Version: 1.1.17
Recommended Action: Update to version 1.1.17, or a newer patched version
Plugin: Schema Pro
Vulnerability: Authenticated (Contributor+) Custom Field Access
Patched Version: 2.7.16
Recommended Action: Update to version 2.7.16, or a newer patched version
Plugin: Genesis Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via postTitleTag
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: SiteOrigin Widgets Bundle
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.58.8
Recommended Action: Update to version 1.58.8, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 3.19.3
Recommended Action: Update to version 3.19.3, or a newer patched version
Plugin: Ultimate Bootstrap Elements for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Product Carousel Slider & Grid Ultimate for WooCommerce
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version
Plugin: Change Memory Limit
Vulnerability: Missing Authorization via admin_logic()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Unauthenticated SQL Injection
Patched Version: 0.9.69
Recommended Action: Update to version 0.9.69, or a newer patched version
Plugin: postMash – custom post order
Vulnerability: Reflected Cross-Site Scripting via m
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Under Construction / Maintenance Mode from Acurax
Vulnerability: Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 7.3.15
Recommended Action: Update to version 7.3.15, or a newer patched version
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.10
Recommended Action: Update to version 5.1.10, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget
Patched Version: 2.6.9.1
Recommended Action: Update to version 2.6.9.1, or a newer patched version
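Every "Update to version X, or a newer patched version" line above turns into the same check on a real site: is the installed version at or above the patched one? The comparison is less obvious than it looks, because WordPress compares plugin versions with PHP's version_compare() semantics, where 2024.0428 is newer than 2024.2 (the component 0428 is the number 428), 1.0 is older than 1.0.0, and 1.0rc1 is older than 1.0. The script below is an added example written for this post, not code from the listing or from any plugin vendor. It reimplements those comparison rules in Python and runs them over the JSON that `wp plugin list --format=json` prints. The plugin slugs in the sample are placeholders chosen for the example and the sample JSON is constructed, not captured from a site; the version numbers are taken from entries in the list above. Plugins with "No patched version available" are flagged whenever they are installed at all, and inactive plugins are flagged too, since their files remain on disk.

```python
import json
import re
import sys

# Ordering of PHP's version_compare() "special forms"; prefix-matched, in this order.
# "#" stands for any numeric component. Unknown strings sort below "dev".
_SPECIAL_FORMS = [("dev", 0), ("alpha", 1), ("a", 1), ("beta", 2), ("b", 2),
                  ("RC", 3), ("rc", 3), ("#", 4), ("pl", 5), ("p", 5)]


def _canonicalize(version):
    """Split a version string the way PHP does: '-', '_', '+' become '.',
    and a '.' is inserted at every digit/non-digit boundary ('1.0rc1' -> ['1','0','rc','1'])."""
    v = re.sub(r"[-_+]", ".", version.strip())
    v = re.sub(r"(?<=\d)(?=[^\d.])|(?<=[^\d.])(?=\d)", ".", v)
    return [part for part in v.split(".") if part]


def _special_order(form):
    for name, order in _SPECIAL_FORMS:
        if form.startswith(name):
            return order
    return -1


def _compare_part(a, b):
    """Compare two canonical components: numeric vs numeric by value, otherwise by special-form rank."""
    if a.isdigit() and b.isdigit():
        return (int(a) > int(b)) - (int(a) < int(b))
    ra = _special_order("#" if a.isdigit() else a)
    rb = _special_order("#" if b.isdigit() else b)
    return (ra > rb) - (ra < rb)


def php_version_compare(v1, v2):
    """Return -1, 0 or 1 with the semantics of PHP's version_compare($v1, $v2).
    Examples: '2024.0428' > '2024.2', '1.0' < '1.0.0', '1.0rc1' < '1.0'."""
    p1, p2 = _canonicalize(v1), _canonicalize(v2)
    for a, b in zip(p1, p2):
        c = _compare_part(a, b)
        if c:
            return c
    if len(p1) > len(p2):            # v1 has extra components: numeric tail wins, 'rc'-style tail loses
        tail = p1[len(p2)]
        return 1 if tail.isdigit() else _compare_part(tail, "#")
    if len(p2) > len(p1):
        tail = p2[len(p1)]
        return -1 if tail.isdigit() else _compare_part("#", tail)
    return 0


def find_unpatched(wp_plugin_list_json, required_min):
    """Given the output of `wp plugin list --format=json` and a {slug: patched_version} map
    (None = no patched version exists), return [(slug, installed_version, patched_version)]
    for every installed plugin that is below the patched version or has no patch at all.
    Inactive plugins are deliberately included: their files are still on disk and reachable."""
    flagged = []
    for plugin in json.loads(wp_plugin_list_json):
        slug = plugin["name"]
        if slug not in required_min:
            continue
        installed, patched = plugin["version"], required_min[slug]
        if patched is None or php_version_compare(installed, patched) < 0:
            flagged.append((slug, installed, patched))
    return flagged


# Constructed sample input (not real wp-cli output). Slugs are placeholders chosen for this example;
# the version numbers come from entries in the list above.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "example-accelerator",   "status": "active",   "version": "2.20.3"},
    {"name": "example-feed-importer", "status": "active",   "version": "2024.0428"},
    {"name": "example-file-manager",  "status": "inactive", "version": "7.2.1"},
    {"name": "example-cache",         "status": "active",   "version": "5.7.0.1"},
])
REQUIRED_MIN = {
    "example-accelerator": "2.21",
    "example-feed-importer": "2024.0428",
    "example-file-manager": "7.2.2",
    "example-cache": "5.7.0.1",
    "example-ecommerce": None,   # "No patched version available": flag if installed at all
}

if __name__ == "__main__":
    # Real use: wp plugin list --format=json | python3 check_plugins.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    for slug, installed, patched in find_unpatched(data, REQUIRED_MIN):
        print(f"{slug}: installed {installed}, needs {patched or 'removal (no patch available)'}")
```

On the sample data this reports example-accelerator (2.20.3 is below 2.21) and example-file-manager (7.2.1 is below 7.2.2, and being inactive does not clear it); the feed importer and cache entries are exactly at their patched versions and pass. To use it against a site, build the `required_min` map from the entries above using each plugin's real directory slug, which is what `wp plugin list` reports in its `name` column.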
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.