Watch Out Wednesday – May 1, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress

Vulnerability: LMS <= 1.7.3
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: Max Addons Pro for Bricks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: XStore Core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version

Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: ENL Newsletter

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SharkDropship and Affiliate for AliExpress, Temu, eBay, Amazon and Etsy to woocommerce

Vulnerability: Unauthenticated Arbitrary Content Deletion
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.1.1
Recommended Action: Update to version 4.6.1.1, or a newer patched version

Plugin: Login Logout Register Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AnnounceKit

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CBX Bookmark & Favorite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.22
Recommended Action: Update to version 1.7.22, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Insecure Direct Object Reference
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: XStore Core

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version

Plugin: HL Twitter

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Missing Authorization
Patched Version: 7.9.0
Recommended Action: Update to version 7.9.0, or a newer patched version

Plugin: Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery

Vulnerability: GT3 Image Gallery & Gutenberg Block Gallery <= 2.7.7.21
Patched Version: 2.7.7.22
Recommended Action: Update to version 2.7.7.22, or a newer patched version

Plugin: Advanced Post List

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.5.6.2
Recommended Action: Update to version 0.5.6.2, or a newer patched version

Plugin: Calendar

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 1.3.15
Recommended Action: Update to version 1.3.15, or a newer patched version

Plugin: Tickera – WordPress Event Ticketing

Vulnerability: Insecure Direct Object Reference to Information Exposure
Patched Version: 3.5.2.5
Recommended Action: Update to version 3.5.2.5, or a newer patched version

Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More

Vulnerability: Missing Authorization
Patched Version: 1.6.22
Recommended Action: Update to version 1.6.22, or a newer patched version

Plugin: LearnPress Export Import – WordPress extension for LearnPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: Themify – WooCommerce Product Filter

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Insecure Direct Object Reference
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Missing Authorization
Patched Version: 1.3.3.1
Recommended Action: Update to version 1.3.3.1, or a newer patched version

Plugin: HL Twitter

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FameTheme Demo Importer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Secure Copy Content Protection and Content Locking

Vulnerability: Missing Authorization
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More.

Vulnerability: Missing Authorization via showTemplatePreview()
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN

Vulnerability: Missing Authorization
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version

Plugin: WP Cost Estimation & Payment Forms Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 10.1.76
Recommended Action: Update to version 10.1.76, or a newer patched version

Plugin: WP LinkedIn Auto Publish

Vulnerability: Missing Authorization
Patched Version: 8.12
Recommended Action: Update to version 8.12, or a newer patched version

Plugin: RomethemeForm For Elementor

Vulnerability: Missing Authorization
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: AppPresser – Mobile App Framework

Vulnerability: Missing Authorization
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Bypass Group Members Limit
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version

Plugin: Elementor ImageBox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Integrate Google Drive

Vulnerability: Missing Authorization
Patched Version: 1.3.91
Recommended Action: Update to version 1.3.91, or a newer patched version

Plugin: TFO Graphviz

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: Archives Calendar Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Path Traversal
Patched Version: 2.12.7
Recommended Action: Update to version 2.12.7, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting via ‘image_url’
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version

Plugin: Olive One Click Demo Import

Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Mailster – Email Newsletter Plugin for WordPress

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Smart Maintenance Mode

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting via ‘current_url’
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version

Plugin: Photo Gallery – Responsive Photo Gallery, Image Gallery, Portfolio Gallery, Logo Gallery And Team Gallery

Vulnerability: Authenticated (Contributor+) PHP Object Injection via Shortcode
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Easy Restaurant Table Booking

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DirectoryPress – Business Directory And Classified Ad Listing

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: Video Conferencing with Zoom

Vulnerability: Open Redirect
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting via ‘image_id’
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Sensitive Information Exposure
Patched Version: 1.3.7.8
Recommended Action: Update to version 1.3.7.8, or a newer patched version

Plugin: Carousel Slider

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version

Plugin: Debug Log Manager

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Base64 Encoder/Decoder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Maintenance Mode

Vulnerability: Unauthenticated IP Spoofing
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables

Vulnerability: Missing Authorization
Patched Version: 1.0.6.3
Recommended Action: Update to version 1.0.6.3, or a newer patched version

Plugin: 5280 Bootstrap Modal Contact Form

Vulnerability: Cross-Site Request Forgery to Bulk Delete Messages
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide Dashboard Notifications

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: PDF Invoices & Packing Slips for WooCommerce

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: Restaurant Menu – Food Ordering System – Table Reservation

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Min and Max Purchase for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Tabs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 7.2.3
Recommended Action: Update to version 7.2.3, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘note_color’ Shortcode
Patched Version: 7.0.5
Recommended Action: Update to version 7.0.5, or a newer patched version

Plugin: WP Customer Reviews

Vulnerability: Authenticated (Contributor+) Malicious Redirect via HTTP-EQUIV Injection
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Data Tables Generator by Supsystic

Vulnerability: Missing Authorization
Patched Version: 1.10.32
Recommended Action: Update to version 1.10.32, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.16
Recommended Action: Update to version 5.9.16, or a newer patched version

Plugin: Solid Affiliate

Vulnerability: Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wallet for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Missing Authorization
Patched Version: 2.4.33
Recommended Action: Update to version 2.4.33, or a newer patched version

Plugin: Different Menu in Different Pages – Control Menu Visibility (All in One)

Vulnerability: Missing Authorization to Menu Duplication
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: DethemeKit For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.29.3
Recommended Action: Update to version 1.29.3, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Calendly Widget
Patched Version: 3.10.7
Recommended Action: Update to version 3.10.7, or a newer patched version

Plugin: Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media

Vulnerability: Missing Authorization
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.18
Recommended Action: Update to version 5.9.18, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Unauthenticated Arbitrary File Read and Server-Side Request Forgery
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: Piotnet Addons For Elementor Pro

Vulnerability: Missing Authorization to Arbitrary Post/Page Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Recencio Book Reviews

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Vulnerability: Missing Authorization
Patched Version: 1.9.17
Recommended Action: Update to version 1.9.17, or a newer patched version

Plugin: Vision – Interactive Image Map Builder

Vulnerability: Missing Authorization
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.2.1
Recommended Action: Update to version 5.3.2.1, or a newer patched version

Plugin: Social Icons Widget & Block by WPZOOM

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.2.18
Recommended Action: Update to version 4.2.18, or a newer patched version

Plugin: Advanced Testimonial Carousel for Elementor

Vulnerability: Missing Authorization
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Popup4Phone

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Amazon Affiliates – WordPress Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Unauthenticated IP Spoofing
Patched Version: 1.3.95
Recommended Action: Update to version 1.3.95, or a newer patched version

Plugin: HelloAsso

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery & Interactive Circle
Patched Version: 5.9.16
Recommended Action: Update to version 5.9.16, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.6.1.1
Recommended Action: Update to version 4.6.1.1, or a newer patched version

Plugin: WP Smart Import : Import any XML File to WordPress

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: WP Club Manager – WordPress Sports Club Plugin

Vulnerability: Missing Authorization
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version

Plugin: Newsletter Popup

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Progressive WordPress (PWA)

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP GoToWebinar

Vulnerability: Missing Authorization
Patched Version: 15.1
Recommended Action: Update to version 15.1, or a newer patched version

Plugin: InstaWP Connect – 1-click WP Staging & Migration

Vulnerability: Missing Authorization
Patched Version: 0.1.0.25
Recommended Action: Update to version 0.1.0.25, or a newer patched version

Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Vulnerability: Missing Authorization
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: WP Migrate Pro

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.6.11
Recommended Action: Update to version 2.6.11, or a newer patched version

Plugin: WPify Woo Czech

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.11
Recommended Action: Update to version 4.0.11, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Missing Authorization to Unauthenticated Google Analytics Tracking ID Modification
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.26
Recommended Action: Update to version 4.10.26, or a newer patched version

Plugin: PDF Invoices & Packing Slips for WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: RomethemeKit For Elementor

Vulnerability: Missing Authorization
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: Information Exposure
Patched Version: 7.5.0
Recommended Action: Update to version 7.5.0, or a newer patched version

Plugin: All-in-one Like Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: MainWP Child Reports

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Themify – WooCommerce Product Filter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Mhr Post Ticker

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WP-Cufon

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Spreadplugin

Vulnerability: Cross-Site Scripting
Patched Version: 3.8.6.2
Recommended Action: Update to version 3.8.6.2, or a newer patched version

Plugin: Auto Featured Image (Auto Post Thumbnail)

Vulnerability: Authenticated (Author+) Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fixed HTML Toolbar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘tutor_instructor_list’ Shortcode
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Authenticated (Customer+) Stored Cross-Site Scripting via ‘sms_prefix’
Patched Version: 9.6.3
Recommended Action: Update to version 9.6.3, or a newer patched version

Plugin: Piotnet Addons For Elementor Pro

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP 404 Auto Redirect to Similar Post

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Pricing Table by Supsystic

Vulnerability: Authenticated (Admin+) Content Injection
Patched Version: 1.9.13
Recommended Action: Update to version 1.9.13, or a newer patched version

Plugin: List Custom Taxonomy Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Navigation menu as Dropdown Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: iPages Flipbook For WordPress

Vulnerability: Missing Authorization
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 8.0.0
Recommended Action: Update to version 8.0.0, or a newer patched version

Plugin: Easy CountDowner

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Grid Gallery – Photo Image Grid Gallery

Vulnerability: Authenticated (Contributor+) PHP Object Injection via shortcode
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: EventON

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.15
Recommended Action: Update to version 2.2.15, or a newer patched version

Plugin: WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Vulnerability: Unauthenticated Price Manipulation
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version

Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: DSGVO Youtube

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: WP Prayer

Vulnerability: Cross-Site Request Forgery to Arbitrary Prayer Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Information Exposure
Patched Version: 5.9.16
Recommended Action: Update to version 5.9.16, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (GiveWP Manager+) PHP Object Injection
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Poll | Vote | Contest – Best Poll Plugin for WordPress

Vulnerability: Missing Authorization
Patched Version: 4.10.0
Recommended Action: Update to version 4.10.0, or a newer patched version

Plugin: Export and Import Users and Customers

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: Support Genix – Support Tickets Managing System & Helpdesk Plugin for WordPress and WooCommerce

Vulnerability: Missing Authorization
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Element Pack Pro – Addon for Elementor Page Builder WordPress Plugin

Vulnerability: Authenticated (Contributor+) Arbitrary File Read and PHAR Deserialization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: XStore Core

Vulnerability: Authenticated (Subscriber+) Limited Arbitrary File Upload
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version

Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version

Plugin: Serious Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event

Vulnerability: Authenticated (Contributor+) PHP Object Injection via Custom Meta
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 13.2.6
Recommended Action: Update to version 13.2.6, or a newer patched version

Plugin: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.0.8.3
Recommended Action: Update to version 2.0.8.3, or a newer patched version

Plugin: WP-Members Membership Plugin

Vulnerability: Unprotected Storage of Potentially Sensitive Files
Patched Version: 3.4.9.4
Recommended Action: Update to version 3.4.9.4, or a newer patched version

Plugin: Accessibility

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Better Elementor Addons

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Advanced Most Recent Posts Mod

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Post Generator | AutoWriter

Vulnerability: Missing Authorization
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Integrate Google Drive

Vulnerability: Missing Authorization
Patched Version: 1.3.91
Recommended Action: Update to version 1.3.91, or a newer patched version

Plugin: The School Management Pro

Vulnerability: Authenticated (School Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance)

Vulnerability: Missing Authorization
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free | RRatingg

Vulnerability: Missing Authorization
Patched Version: 1.3.02
Recommended Action: Update to version 1.3.02, or a newer patched version

Plugin: Mega Elements – Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via JKit
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: XStore Core

Vulnerability: Missing Authorization
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version

Plugin: ACF On-The-Go

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cookie Information | Free GDPR Consent Solution

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.13.64
Recommended Action: Update to version 7.13.64, or a newer patched version

Plugin: Knowledge Base documentation & wiki plugin – BasePress Docs

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.16.2.1
Recommended Action: Update to version 2.16.2.1, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Debug Log Manager

Vulnerability: Missing Authorization via toggle_debugging
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘arrow_style’
Patched Version: 4.10.29
Recommended Action: Update to version 4.10.29, or a newer patched version

Plugin: Max Addons Pro for Bricks

Vulnerability: Missing Authorization
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Crelly Slider

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Assistant – Every Day Productivity Apps

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.4.9.2
Recommended Action: Update to version 1.4.9.2, or a newer patched version

Plugin: Print My Blog – Print, PDF, & eBook Converter WordPress Plugin

Vulnerability: Missing Authorization
Patched Version: 3.26.3
Recommended Action: Update to version 3.26.3, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.4.1.9
Recommended Action: Update to version 1.4.1.9, or a newer patched version

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: EnvíaloSimple: Email Marketing y Newsletters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Live Composer – Free WordPress Website Builder

Vulnerability: Missing Authorization
Patched Version: 1.5.39
Recommended Action: Update to version 1.5.39, or a newer patched version

Plugin: PPOM – Product Addons & Custom Fields for WooCommerce

Vulnerability: Unauthenticated Arbitrary File Upload via ppom_upload_file
Patched Version: 32.0.19
Recommended Action: Update to version 32.0.19, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.31
Recommended Action: Update to version 4.10.31, or a newer patched version

Plugin: Inline Google Spreadsheet Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Seriously Simple Podcasting

Vulnerability: Unauthenticated Email Disclosure
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Cost Calculator Builder PRO

Vulnerability: Unauthenticated Cross-Site Scripting via SVG Upload
Patched Version: 3.1.68
Recommended Action: Update to version 3.1.68, or a newer patched version

Plugin: JW Player for WordPress

Vulnerability: Missing Authorization
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: PB MailCrypt – AntiSpam Email Encryption

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ChatBot Conversational Forms

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Headline Analyzer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: WP Cost Estimation & Payment Forms Builder

Vulnerability: Missing Authorization
Patched Version: 10.1.77
Recommended Action: Update to version 10.1.77, or a newer patched version

Plugin: Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Blocks, and Elementor Widgets)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Post Overlay
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Advanced Local Pickup for WooCommerce

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Meks Smart Social Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Enjoy Social Feed plugin for WordPress website

Vulnerability: Missing Authorization to Database Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Vulnerability: Unauthenticated IP Spoofing
Patched Version: 1.12.11
Recommended Action: Update to version 1.12.11, or a newer patched version

Plugin: HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.10.0
Recommended Action: Update to version 2.10.0, or a newer patched version

Plugin: Piotnet Addons For Elementor Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Subway – Private Site Option

Vulnerability: Improper Access Control to Sensitive Information Exposure via REST API
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ActiveDEMAND

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 0.2.42
Recommended Action: Update to version 0.2.42, or a newer patched version

Plugin: Cornerstone

Vulnerability: Reflected Cross-Site Scripting via PHP_SELF
Patched Version: 0.8.1
Recommended Action: Update to version 0.8.1, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Void Elementor WHMCS Elements For Elementor Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: XforWooCommerce

Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cornerstone

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.8.1
Recommended Action: Update to version 0.8.1, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Insecure Direct Object Reference to Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-FormAssembly

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: WP-Lister Lite for eBay

Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: WPZOOM Addons for Elementor (Templates, Widgets)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.36
Recommended Action: Update to version 1.1.36, or a newer patched version

Plugin: WordPress Automatic Plugin

Vulnerability: No subtitle
Patched Version: 3.93.0
Recommended Action: Update to version 3.93.0, or a newer patched version

Plugin: Five Star Restaurant Reservations – WordPress Booking Plugin

Vulnerability: Missing Authorization
Patched Version: 2.6.17
Recommended Action: Update to version 2.6.17, or a newer patched version

Plugin: Woo Total Sales

Vulnerability: Missing Authorization to Unauthenticated Sales Report Retrieval
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Membership

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Missing Authorization
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: SVS Pricing Tables

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Meta – User Profile Builder and User management plugin

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Easy Property Listings

Vulnerability: Missing Authorization via epl_update_listing_coordinates()
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: Code Insert Manager (Q2W3 Inc Manager)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Piotnet Addons For Elementor Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GetResponse for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP ADA Compliance Check Basic – Most Comprehensive Web Accessibility Solution for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Brevo for WooCommerce

Vulnerability: Authenticated (Editor+) Arbitrary File Download and Deletion
Patched Version: 4.0.18
Recommended Action: Update to version 4.0.18, or a newer patched version

Plugin: Import Content in WordPress & WooCommerce with Excel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: Mini Loops

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Envo Extra

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.12
Recommended Action: Update to version 1.8.12, or a newer patched version

Plugin: Reviews Plus

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Easy Textillate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Backup and Restore WordPress – Backup Plugin

Vulnerability: Unauthenticated Information Exposure via Log Files
Patched Version: 1.50
Recommended Action: Update to version 1.50, or a newer patched version

Plugin: Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce

Vulnerability: Improper Authorization
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Vitepos – Point of sale (POS) plugin for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: 1.3.5.3
Recommended Action: Update to version 1.3.5.3, or a newer patched version

Plugin: Eleblog – Elementor Blog And Magazine Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Page Post Widget Clone

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: XStore Core

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version

Plugin: WordPress Menu Plugin — Superfly Responsive Menu

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version

Plugin: Print-O-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via su_lightbox
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: WP-Lister Lite for eBay

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: WooCommerce Amazon Affiliates – WordPress Plugin

Vulnerability: WordPress Plugin <= 14.0.10
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Grid Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher

Vulnerability: Missing Authorization
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version

Plugin: Meks ThemeForest Smart Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: RomethemeKit For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title HTML Tag
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version

Plugin: Widget Post Slider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Knight Lab Timeline

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google Doc Embedder

Vulnerability: Authenticated (Contributor+) Blind Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: WordPress Flipbook by Supsystic

Vulnerability: Missing Authorization
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Share This Image

Vulnerability: Open Redirect
Patched Version: 1.99
Recommended Action: Update to version 1.99, or a newer patched version

Plugin: EPROLO Dropshipping

Vulnerability: Missing Authorization
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Elements Plus!

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.16.4
Recommended Action: Update to version 2.16.4, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Missing Authorization
Patched Version: 1.8.21
Recommended Action: Update to version 1.8.21, or a newer patched version

Plugin: SVS Pricing Tables

Vulnerability: Cross-Site Request Forgery to Pricing Table Edit/Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Sina Fancy Text Widget
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages

Vulnerability: Authenticated (Subscriber+) PHP Object Injection in get_simple_request
Patched Version: 3.4.21
Recommended Action: Update to version 3.4.21, or a newer patched version

Plugin: Annual Archive

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SKU Label Changer For WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: LeadConnector

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Deletion
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.6.19
Recommended Action: Update to version 4.6.19, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Missing Authorization
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: month name translation benaceur

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: MF Gig Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slash Admin

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates

Vulnerability: Missing Authorization
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Customify Site Library

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Booking Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.83
Recommended Action: Update to version 1.3.83, or a newer patched version

Plugin: Piotnet Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.28
Recommended Action: Update to version 2.4.28, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 21.3.1
Recommended Action: Update to version 21.3.1, or a newer patched version

Plugin: MailerLite – Signup forms (official)

Vulnerability: 1.7.6
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Seers | GDPR & CCPA Cookie Consent & Compliance

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.1.1
Recommended Action: Update to version 8.1.1, or a newer patched version

Plugin: Gutenverse – Ultimate Block Addons and Page Builder for Site Editor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Open Redirect
Patched Version: 4.0.31
Recommended Action: Update to version 4.0.31, or a newer patched version

Plugin: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.8.4
Recommended Action: Update to version 2.0.8.4, or a newer patched version

Plugin: Easy Set Favicon

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.4.8
Recommended Action: Update to version 4.4.8, or a newer patched version

Plugin: Header Footer Code Manager Pro

Vulnerability: Reflected Cross-Site Scripting via message
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via htmltag Parameter
Patched Version: 6.7.8
Recommended Action: Update to version 6.7.8, or a newer patched version

Plugin: Radio Station by netmix® – Manage and play your Show Schedule in WordPress!

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version

Plugin: XStore Core

Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version

Plugin: WP 2FA – Two-factor authentication for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Newsletters

Vulnerability: Information Exposure via Log files
Patched Version: 4.9.6
Recommended Action: Update to version 4.9.6, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.15.24
Recommended Action: Update to version 1.15.24, or a newer patched version

Plugin: Booster Extension

Vulnerability: Basic Information Exposure via booster_extension_authorbox_shortcode_display
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Arconix Shortcodes

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 2.1.11
Recommended Action: Update to version 2.1.11, or a newer patched version

Plugin: Smart Forms – when you need more than just a contact form

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 2.6.92
Recommended Action: Update to version 2.6.92, or a newer patched version

Plugin: Media Cleaner: Clean your WordPress!

Vulnerability: Unauthenticated Information Exposure
Patched Version: 6.7.3
Recommended Action: Update to version 6.7.3, or a newer patched version

Plugin: WooCommerce Amazon Affiliates – WordPress Plugin

Vulnerability: WordPress Plugin <= 14.0.10
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Multilingual & Multicurrency with WPML

Vulnerability: Authenticated (Shop Manager+) SQL Injection
Patched Version: 5.3.4
Recommended Action: Update to version 5.3.4, or a newer patched version

Plugin: Team Members

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: ShortPixel Critical CSS

Vulnerability: Missing Authorization
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Missing Authorization on Duplicate Post
Patched Version: 2.0.5.6
Recommended Action: Update to version 2.0.5.6, or a newer patched version

Plugin: ACF Front End Editor

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) Arbitrary File Deletion
Patched Version: 21.3.5
Recommended Action: Update to version 21.3.5, or a newer patched version

Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version

Plugin: 404 Solution

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.35.8
Recommended Action: Update to version 2.35.8, or a newer patched version

Plugin: VK Block Patterns

Vulnerability: Missing Authorization
Patched Version: 1.31.1.1
Recommended Action: Update to version 1.31.1.1, or a newer patched version

Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin

Vulnerability: Missing Authorization
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: AI Infographic Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.8
Recommended Action: Update to version 4.6.8, or a newer patched version

Plugin: CPO Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iPanorama 360 – Advanced Virtual Tour Builder

Vulnerability: Missing Authorization
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Save as PDF Plugin by Pdfcrowd

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: AA Cash Calculator

Vulnerability: Reflected Cross-Site Scripting via invoice
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ElementsKit Elementor addons

Vulnerability: 3.1.2
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Language Switcher for Transposh

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Elementor Widget URL Custom Attributes
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Login with phone number

Vulnerability: Unauthorized Account Password Change to Privilege Escalation
Patched Version: 1.7.17
Recommended Action: Update to version 1.7.17, or a newer patched version

Plugin: WordPress Ad Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Timetable and Event Schedule by MotoPress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2.4.12
Recommended Action: Update to version 2.4.12, or a newer patched version

Plugin: Starbox – the Author Box for Humans

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version

Plugin: WP Dynamic Keywords Injector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.22
Recommended Action: Update to version 2.3.22, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via SVG
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: WP-Recall – Registration, Profile, Commerce & More

Vulnerability: Insecure Direct Object Reference
Patched Version: 16.26.6
Recommended Action: Update to version 16.26.6, or a newer patched version

Plugin: WordPress Simple HTML Sitemap

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version

Plugin: Sailthru Triggermail

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Salon Booking System

Vulnerability: Authenticated (Customer+) Stored Cross-Site Scripting
Patched Version: 9.6.3
Recommended Action: Update to version 9.6.3, or a newer patched version

Plugin: Testimonial Slider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Sailthru Triggermail

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AJAX Login and Registration modal popup + inline form

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.24
Recommended Action: Update to version 2.24, or a newer patched version

Plugin: WooCommerce Shipping Label

Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: Zynith SEO

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AGCA – Custom Dashboard & Login Page

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 7.2.4
Recommended Action: Update to version 7.2.4, or a newer patched version

Plugin: Sliding Widgets

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom WooCommerce Checkout Fields Editor

Vulnerability: Missing Authorization
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: MailerLite – Signup forms (official)

Vulnerability: Missing Authorization
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: CF7 File Download – File Download for CF7

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Coupon & Discount Code Reveal Button

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 29.7
Recommended Action: Update to version 29.7, or a newer patched version

Plugin: Pz-LinkCard

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Filterable Portfolio

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.1.32
Recommended Action: Update to version 3.1.32, or a newer patched version

Plugin: Netgsm

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: Pretty Google Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Newsletter Popup

Vulnerability: Cross-Site Request Forgery to Subscriber Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Themify – WooCommerce Product Filter

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Image Slider

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.1.127
Recommended Action: Update to version 1.1.127, or a newer patched version

Plugin: Advanced Floating Content Lite

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.0.6.0
Recommended Action: Update to version 2.0.6.0, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: Hubbub Lite – Fast, Reliable Social Sharing Buttons

Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.33.1
Recommended Action: Update to version 1.33.1, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 9.6.6
Recommended Action: Update to version 9.6.6, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Events
Patched Version: 3.4.24
Recommended Action: Update to version 3.4.24, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting
Patched Version: 1.15.25
Recommended Action: Update to version 1.15.25, or a newer patched version

Plugin: Client Dash

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: Backup Migration

Vulnerability: Information Exposure via Log Files
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: CodeBard's Patron Button and Widgets for Patreon

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Theater for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 0.18.4
Recommended Action: Update to version 0.18.4, or a newer patched version

Plugin: Democracy Poll

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: coreActivity: Activity Logging plugin for WordPress

Vulnerability: IP Spoofing
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: WP TradingView

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fan Page Widget by ThemeNcode

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap

Vulnerability: Missing Authorization
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: XStore Core

Vulnerability: Authenticated (Subscriber+) Limited Arbitrary File Download
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version

Plugin: Tabellen von faustball.com

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 20230902
Recommended Action: Update to version 20230902, or a newer patched version

Plugin: Accessibility Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: HL Twitter

Vulnerability: Cross-Site Request Forgery to Twitter Account Unlink
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletter Popup

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leaky Paywall

Vulnerability: Missing Authorization to Price Manipulation
Patched Version: 4.20.9
Recommended Action: Update to version 4.20.9, or a newer patched version

Plugin: XStore Core

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version

Plugin: WP Prayer

Vulnerability: Cross-Site Request Forgery to Email Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Realtyna Organic IDX plugin + WPL Real Estate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.14.8
Recommended Action: Update to version 4.14.8, or a newer patched version

Plugin: GWP-Histats

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Base64 Encoder/Decoder

Vulnerability: Cross-Site Request Forgery to Setting Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated (Contributor+) Information Disclosure via Shortcode
Patched Version: 2.12.9
Recommended Action: Update to version 2.12.9, or a newer patched version

Plugin: XServer Migrator

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 1.6.2.1
Recommended Action: Update to version 1.6.2.1, or a newer patched version

Plugin: Kattene

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version

Plugin: PopupAlly

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Popup4Phone

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: Enjoy Social Feed plugin for WordPress website

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Header Builder Plugin – Pearl

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: BackUpWordPress

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 3.14
Recommended Action: Update to version 3.14, or a newer patched version

Plugin: Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Templates
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Admin Page Spider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.32
Recommended Action: Update to version 3.32, or a newer patched version

Plugin: RSS Feed Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version

Plugin: Getwid – Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘Countdown’
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.63
Recommended Action: Update to version 3.63, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 29.8
Recommended Action: Update to version 29.8, or a newer patched version

Plugin: Login with phone number

Vulnerability: Missing Authorization
Patched Version: 1.6.94
Recommended Action: Update to version 1.6.94, or a newer patched version

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: Captcha Bypass
Patched Version: 1.4.57
Recommended Action: Update to version 1.4.57, or a newer patched version

Plugin: Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds

Vulnerability: Sensitive Information Exposure via Log Files
Patched Version: 13.3.2
Recommended Action: Update to version 13.3.2, or a newer patched version

Plugin: Social Sharing Plugin – Sassy Social Share

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.61
Recommended Action: Update to version 3.3.61, or a newer patched version

Plugin: Fancy Elementor Flipbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Elementor Flipbox Widget
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: ElementsKit Pro

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Price Menu, Hotspot, and Advanced Toggle Widgets
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Interactive World Maps

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: WP File Download Light

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Table Rate Shipping Method for WooCommerce by Flexible Shipping

Vulnerability: Missing Authorization
Patched Version: 4.24.16
Recommended Action: Update to version 4.24.16, or a newer patched version

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version

Plugin: Knowledge Base documentation & wiki plugin – BasePress Docs

Vulnerability: Missing Authorization
Patched Version: 2.16.2.1
Recommended Action: Update to version 2.16.2.1, or a newer patched version

Plugin: Tagembed: Embed Twitter Feed, Google Reviews, YouTube Videos, TikTok, RSS Feed & More Social Media Feeds

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: WP Chat App

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: WP Media Category Management

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Social Share Icons & Social Share Buttons

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Survey Maker

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2.9
Recommended Action: Update to version 4.2.9, or a newer patched version

Plugin: Opal Widgets For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Survey Maker

Vulnerability: IP Address Spoofing
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 2.11.1
Recommended Action: Update to version 2.11.1, or a newer patched version

Plugin: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Vulnerability: Missing Authorization
Patched Version: 1.9.17
Recommended Action: Update to version 1.9.17, or a newer patched version

Plugin: Custom field finder

Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: 0.4
Recommended Action: Update to version 0.4, or a newer patched version

Plugin: AWeber for WooCommerce

Vulnerability: Missing Authorization to Access Token Modification
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcodes
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version

Plugin: Slider by 10Web – Responsive Image Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.55
Recommended Action: Update to version 1.2.55, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting via ‘thumb_url’
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version

Plugin: WPC Composite Products for WooCommerce

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version

Plugin: SSU – WordPress Amazon S3 & Wasabi Smart File Uploads Plugin

Vulnerability: Missing Authorization
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Giphypress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Prayer

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin and Customer Messages After Order for WooCommerce: OrderConvo

Vulnerability: Missing Authorization to Arbitrary File Upload
Patched Version: 12.5
Recommended Action: Update to version 12.5, or a newer patched version

Plugin: WP Masquerade

Vulnerability: Authenticated (Subscriber+) Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Save as PDF Plugin by Pdfcrowd

Vulnerability: Missing Authorization
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Property Hive

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Patched Version: 2.0.13
Recommended Action: Update to version 2.0.13, or a newer patched version

Plugin: What's New Generator

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Car Dealer (Dealership) and Vehicle sales

Vulnerability: Authenticated (Admin+) Content Injection
Patched Version: 4.16
Recommended Action: Update to version 4.16, or a newer patched version

Plugin: Payment Gateway Based Fees and Discounts for WooCommerce

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 2.12.2
Recommended Action: Update to version 2.12.2, or a newer patched version

Plugin: Newsletter Popup

Vulnerability: Cross-Site Request Forgery to List Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.33
Recommended Action: Update to version 3.3.33, or a newer patched version

Plugin: Easy Accept Payments via PayPal

Vulnerability: Missing Authorization
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: VOD Infomaniak

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin Bar Editor – Hide Toolbar by User Roles

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version

Plugin: Secure Copy Content Protection and Content Locking

Vulnerability: Missing Authorization
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: ClickCease Click Fraud Protection

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: MJ Update History

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Qi Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown widget
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Perfect Pullquotes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google Typography

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TweetScroll Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tax Rate Upload

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rate My Post – Star Rating Plugin by FeedbackWP

Vulnerability: Insecure Direct Object Reference
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: WTI Like Post

Vulnerability: IP Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.59.1
Recommended Action: Update to version 3.59.1, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 5.7.2
Recommended Action: Update to version 5.7.2, or a newer patched version

Plugin: Classified Listing – Classified ads & Business Directory Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion
Patched Version: 3.0.11
Recommended Action: Update to version 3.0.11, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 4.3.7
Recommended Action: Update to version 4.3.7, or a newer patched version

Plugin: Taxonomy Filter

Vulnerability: Cross-Site Request Forgery via taxonomy_filter_save_main_settings()
Patched Version: 2.2.10
Recommended Action: Update to version 2.2.10, or a newer patched version

Plugin: SVS Pricing Tables

Vulnerability: Cross-Site Request Forgery to Pricing Table Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Time Slots Booking Form

Vulnerability: Unauthenticated Price Manipulation
Patched Version: 1.2.07
Recommended Action: Update to version 1.2.07, or a newer patched version

Plugin: Innovs HR – Complete Human Resource Management System for Your Business

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-in-One Addons for Elementor – WidgetKit

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LH Add Media From Url

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.23
Recommended Action: Update to version 1.23, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 29.8
Recommended Action: Update to version 29.8, or a newer patched version

Plugin: Sticky Anything

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Buttons Shortcode and Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletters

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 4.9.6
Recommended Action: Update to version 4.9.6, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Missing Authorization to Post Duplication
Patched Version: 2.6.9.2
Recommended Action: Update to version 2.6.9.2, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Missing Authorization
Patched Version: 4.0.29
Recommended Action: Update to version 4.0.29, or a newer patched version

Plugin: Seriously Simple Podcasting

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Customer Email Verification for WooCommerce

Vulnerability: Email Verification and Authentication Bypass due to Insufficient Randomness
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Embed Google Fonts

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPPizza – A Restaurant Plugin

Vulnerability: Missing Authorization
Patched Version: 3.18.11
Recommended Action: Update to version 3.18.11, or a newer patched version

Plugin: CC BMI Calculator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Solid Mail – SMTP email and logging made by SolidWP

Vulnerability: 1.2.6
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Survey Maker

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: Piotnet Addons For Elementor Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.4
Recommended Action: Update to version 1.13.4, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: CM Tooltip Glossary

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Smart Recent Posts Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Vulnerability: Missing Authorization
Patched Version: 7.7.0
Recommended Action: Update to version 7.7.0, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.26.3
Recommended Action: Update to version 1.26.3, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.29.0
Recommended Action: Update to version 1.29.0, or a newer patched version

Plugin: Mortgage Calculators WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.60
Recommended Action: Update to version 1.60, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 1.1.13
Recommended Action: Update to version 1.1.13, or a newer patched version

Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 20240223
Recommended Action: Update to version 20240223, or a newer patched version

Plugin: ZD YouTube FLV Player

Vulnerability: Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 2.16.0
Recommended Action: Update to version 2.16.0, or a newer patched version

Plugin: YITH WooCommerce Compare

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.38.0
Recommended Action: Update to version 2.38.0, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Missing Authorization to Unauthenticated Limited Options Update
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Contact Form 7 Extension For Mailchimp

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Helper Premium

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.0
Recommended Action: Update to version 4.6.0, or a newer patched version

Plugin: WP Club Manager – WordPress Sports Club Plugin

Vulnerability: Authenticated (Player+) Stored Cross-Site Scripting
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version

Plugin: Where Did You Hear About Us Checkout Field for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Base64 Encoder/Decoder

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Under Construction

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version

Plugin: WP Stripe Checkout

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2.42
Recommended Action: Update to version 1.2.2.42, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
