Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Fluent Forms <= 6.2.1 – Authenticated (Administrator+) Arbitrary File Read via Path Traversal in Email Attachment
Patched Version: 6.2.2
Recommended Action: Update to version 6.2.2, or a newer patched version
Theme: SpicePress
Vulnerability: SpicePress <= 2.3.2.5 – Cross-Site Request Forgery
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder
Vulnerability: Nexter Blocks <= 4.7.0 – Unauthenticated Information Exposure
Patched Version: 4.7.1
Recommended Action: Update to version 4.7.1, or a newer patched version
Plugin: GenerateBlocks
Vulnerability: GenerateBlocks <= 2.2.0 – Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Dynamic Tag Replacements
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: JetFormBuilder — Dynamic Blocks Form Builder
Vulnerability: JetFormBuilder — Dynamic Blocks Form Builder <= 3.5.6.1 – Authenticated (Contributor+) Remote Code Execution
Patched Version: 3.5.6.2
Recommended Action: Update to version 3.5.6.2, or a newer patched version
Plugin: WhatsApp Chat – WordPress WhatsApp Chat
Vulnerability: Elfsight WhatsApp Chat CC <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: Grand Car Rental | Limousine HTML Template
Vulnerability: Grand Car Rental <= 3.6.9 – Cross-Site Request Forgery
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: Flipmart – MegaOne Multipurpose WordPress Theme
Vulnerability: Flipmart <= 2.8 – Missing Authorization
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Cost Estimation
Vulnerability: WP Cost Estimation < 10.3.0 – Missing Authorization
Patched Version: 10.3.0
Recommended Action: Update to version 10.3.0, or a newer patched version
Plugin: Royal Addons for Elementor – Addons and Templates Kit for Elementor
Vulnerability: Royal Elementor Addons <= 1.7.1056 – Missing Authorization
Patched Version: 1.7.1057
Recommended Action: Update to version 1.7.1057, or a newer patched version
Plugin: ShopBuilder – WooCommerce Builder For Elementor
Vulnerability: ShopBuilder – Elementor WooCommerce Builder Addons <= 3.2.4 – Unauthenticated Information Exposure
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: Product Filter for WooCommerce by WBW
Vulnerability: Product Filter for WooCommerce by WBW < 3.1.3 – Unauthenticated SQL Injection
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: tagDiv Composer
Vulnerability: tagDiv Composer <= 5.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: Duka Market – Multipurpose eCommerce Template
Vulnerability: DukaMarket <= 1.3.0 – Unauthenticated Arbitrary Shortcode Execution
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gravity SMTP
Vulnerability: Gravity SMTP <= 2.1.4 – Unauthenticated Sensitive Information Exposure via REST API
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Theme: Woodmart
Vulnerability: WoodMart <= 8.3.9 – Unauthenticated Sensitive Information Exposure
Patched Version: 8.4.0
Recommended Action: Update to version 8.4.0, or a newer patched version
Plugin: Blog Filter Post Filtering
Vulnerability: Blog Filter <= 1.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Beaver Builder Page Builder – Drag and Drop Website Builder
Vulnerability: Beaver Builder <= 2.10.1.2 – Authenticated (Contributor+) SQL Injection
Patched Version: 2.10.1.5
Recommended Action: Update to version 2.10.1.5, or a newer patched version
Theme: Homeo – Real Estate WordPress Theme
Vulnerability: Homeo <= 1.2.59 – Authenticated (Contributor+) Local File Inclusion
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 – Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter
Patched Version: 1.52.1
Recommended Action: Update to version 1.52.1, or a newer patched version
Plugin: WooCommerce Photo Reviews Premium
Vulnerability: WooCommerce Photo Reviews <= 1.4.4 – Unauthenticated Arbitrary Shortcode Execution
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: GiveWP <= 3.14.1 – Unauthenticated PHP Object Injection
Patched Version: 3.14.2
Recommended Action: Update to version 3.14.2, or a newer patched version
Plugin: DEPART – Deposit and Part payment for Woo
Vulnerability: DEPART <= 1.0.7 – Missing Authorization
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Theme: Grand Portfolio WordPress
Vulnerability: Grand Portfolio <= 3.3 – Cross-Site Request Forgery
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Vulnerability: Awesome Support <= 6.1.7 – Missing Authorization
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version
Plugin: Mixed Media Gallery Blocks
Vulnerability: Mixed Media Gallery Blocks <= 3.3.2 – Authenticated (Contributor+) Remote Code Execution
Patched Version: 3.3.2.1
Recommended Action: Update to version 3.3.2.1, or a newer patched version
Plugin: CP Multi View Events Calendar
Vulnerability: CP Multi View Event Calendar <= 1.4.36 – Missing Authorization
Patched Version: 1.4.37
Recommended Action: Update to version 1.4.37, or a newer patched version
Plugin: Visionary Core
Vulnerability: Visionary Core <= 1.4.9 – Reflected Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: The Tribal Plugin
Vulnerability: The Tribal <= 1.3.4 – Unauthenticated Information Exposure
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Medilazar Core
Vulnerability: Medilazar Core < 1.4.7 – Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
Vulnerability: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 – Authenticated (Subscriber+) PHP Object Injection
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version
Plugin: Stylish Order Form Builder
Vulnerability: Stylish Order Form Builder <= 1.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting via 'product_name' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WCFM Marketplace – Multivendor Marketplace for WooCommerce
Vulnerability: WCFM Marketplace – Multivendor Marketplace for WooCommerce <= 3.7.1 – Authenticated (Store vendor+) SQL Injection
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Widget
Vulnerability: Image Widget <= 4.4.11 – Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.4.12
Recommended Action: Update to version 4.4.12, or a newer patched version
Plugin: Geo Mashup
Vulnerability: Geo Mashup <= 1.13.18 – Unauthenticated Time-Based SQL Injection via 'sort' Parameter
Patched Version: 1.13.19
Recommended Action: Update to version 1.13.19, or a newer patched version
Plugin: BSK PDF Manager
Vulnerability: BSK PDF Manager <= 3.7.2 – Unauthenticated Information Exposure
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rank Math SEO PRO
Vulnerability: Rank Math SEO PRO <= 3.0.96 – Missing Authorization
Patched Version: 3.0.97
Recommended Action: Update to version 3.0.97, or a newer patched version
Plugin: Visual Link Preview
Vulnerability: Visual Link Preview <= 2.3.0 – Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Theme: Betheme
Vulnerability: Betheme <= 28.4 – Authenticated (Contributor+) Arbitrary File Deletion via 'mfn-icon-upload'
Patched Version: 28.4.1
Recommended Action: Update to version 28.4.1, or a newer patched version
Theme: Blackfyre – Create Your Own Gaming Community
Vulnerability: Blackfyre <= 2.5.4 – Cross-Site Request Forgery
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: E2Pdf – Export Pdf Tool for WordPress
Vulnerability: E2Pdf – Export Pdf Tool for WordPress <= 1.32.17 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
Patched Version: 1.32.18
Recommended Action: Update to version 1.32.18, or a newer patched version
Theme: Grand Photography WordPress
Vulnerability: Grand Photography <= 5.7.8 – Cross-Site Request Forgery
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Vulnerability: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder <= 4.4.9 – Unauthenticated Remote Code Execution
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version
Plugin: RT-Theme 18 Responsive WordPress Theme
Vulnerability: RT-Theme 18 | Extensions <= 2.5 – Unauthenticated Information Exposure
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPFAQBlock– FAQ & Accordion Plugin For Gutenberg
Vulnerability: WPFAQBlock– FAQ & Accordion Plugin For Gutenberg <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: APRIL – Fashion WooCommerce WordPress Theme
Vulnerability: G5Plus April <= 6.8 – Missing Authorization
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Attachments
Vulnerability: Download Attachments <= 1.4.0 – Unauthenticated Insecure Direct Object Reference
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jobica Core
Vulnerability: Jobica Core <= 1.4.1 – Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Filr – Secure document library
Vulnerability: Filr – Secure document library <= 1.2.13 – Authenticated (Contributor+) Arbitrary File Uploads
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: Gracey
Vulnerability: Gracey < 1.4 – Unauthenticated PHP Object Injection
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: addfreespace
Vulnerability: addfreespace <= 0.1.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vulnerability: Appointment Booking Calendar <= 1.6.10.6 – Unauthenticated Arbitrary Appointment View, Modification and Deletion
Patched Version: 1.6.11
Recommended Action: Update to version 1.6.11, or a newer patched version
Plugin: DOOFINDER Search and Discovery for WP & WooCommerce
Vulnerability: Doofinder for WooCommerce <= 2.10.13 – Unauthenticated Information Exposure
Patched Version: 2.10.14
Recommended Action: Update to version 2.10.14, or a newer patched version
Theme: S.King | Personal Stylist and Fashion Blogger WordPress Theme
Vulnerability: S.King <= 1.5.3 – Unauthenticated Local File Inclusion
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tag, Category, and Taxonomy Manager – Autotagger Automatically Add Terms
Vulnerability: TaxoPress <= 3.44.0 – Authenticated (Editor+) SQL Injection
Patched Version: 3.45.0
Recommended Action: Update to version 3.45.0, or a newer patched version
Plugin: Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website
Vulnerability: Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website <= 2.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'chartid' Shortcode Attribute
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Addon Elements for Elementor (formerly Elementor Addon Elements)
Vulnerability: Elementor Addon Elements <= 1.14.4 – Authenticated (Contributor+) Information Exposure
Patched Version: 1.14.5
Recommended Action: Update to version 1.14.5, or a newer patched version
Plugin: Social Post Embed
Vulnerability: Social Post Embed <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Threads Embed
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid
Vulnerability: Magazine Blocks <= 1.8.3 – Missing Authorization
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: Contact Form Email
Vulnerability: Contact Form Email <= 1.3.63 – Missing Authorization
Patched Version: 1.3.64
Recommended Action: Update to version 1.3.64, or a newer patched version
Plugin: GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content
Vulnerability: GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.2.0 – Unauthenticated SQL Injection via 'attributekey'
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Elated Listing
Vulnerability: Elated Listing <= 1.4 – Missing Authorization
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: WPBookit Pro – Appointment Booking Plugin for WordPress
Vulnerability: WPBookit Pro <= 1.6.18 – Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Order Tracking – WordPress Status Tracking Plugin
Vulnerability: Order Tracking <= 3.4.4 – Missing Authorization
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gift Up Gift Cards for WordPress and WooCommerce
Vulnerability: Gift Up Gift Cards for WordPress and WooCommerce <= 3.1.7 – Unauthenticated Server-Side Request Forgery
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version
Theme: Freeio – Freelance Marketplace WordPress Theme
Vulnerability: Freeio <= 1.3.21 – Authenticated (Contributor+) Local File Inclusion
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: Yobazar – Elementor Fashion WooCommerce Theme
Vulnerability: Yobazar < 1.6.7 – Reflected Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: YML for Yandex Market
Vulnerability: YML for Yandex Market < 5.3.0 – Authenticated (Shop Manager+) Arbitrary File Deletion
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version
Plugin: Ninja Tables – Easy Data Table Builder
Vulnerability: Ninja Tables <= 5.2.6 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation
Patched Version: 5.2.7
Recommended Action: Update to version 5.2.7, or a newer patched version
Theme: Golo – City Travel Guide WordPress Theme
Vulnerability: Golo – City Travel Guide WordPress Theme < 1.7.5 – Reflected Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: tagDiv Composer
Vulnerability: tagDiv Composer <= 5.4.3 – Unauthenticated Arbitrary Shortcode Execution
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Podigee WordPress Quick Publish – now with Gutenberg support!
Vulnerability: Podigee <= 1.4.0 – Unauthenticated Server-Side Request Forgery
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Affiliate Program Suite — SliceWP Affiliates
Vulnerability: Affiliate Program Suite <= 1.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via slicewp_affiliate_url Shortcode
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Zingaya Click-to-Call
Vulnerability: Zingaya Click-to-Call <= 1.0 – Reflected Cross-Site Scripting via 'email' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BetterDocs Pro
Vulnerability: BetterDocs Pro <= 3.7.0 – Unauthenticated SQL Injection via Encyclopedia 'limit' Parameter
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: AI Engine (Pro)
Vulnerability: AI Engine (Pro) < 3.4.2 – Missing Authorization
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Related Posts Lite
Vulnerability: Related Posts Lite <= 1.12 – Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LatePoint – Calendar Booking Plugin for Appointments and Events
Vulnerability: LatePoint <= 5.5.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version
Plugin: Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity
Vulnerability: Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity <= 3.3.6 – Unauthenticated Information Disclosure via REST API
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Tutor LMS <= 3.9.7 – Missing Authorization
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version
Plugin: Nelio Content – Editorial Calendar & Social Media Auto-Posting
Vulnerability: Nelio Content <= 4.3.1 – Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version
Plugin: WpStream – Live Streaming, Video on Demand, Pay Per View
Vulnerability: WpStream < 4.11.2 – Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 4.11.2
Recommended Action: Update to version 4.11.2, or a newer patched version
Plugin: Squeeze – Image Optimization & Compression, WEBP Conversion
Vulnerability: Squeeze <= 1.7.7 – Authenticated (Subscriber+) Directory Traversal
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version
Plugin: B2Bking
Vulnerability: B2BKing Premium < 5.4.20 – Unauthenticated Open Redirect
Patched Version: 5.4.20
Recommended Action: Update to version 5.4.20, or a newer patched version
Plugin: Auto Affiliate Links
Vulnerability: Auto Affiliate Links <= 6.8.8 – Unauthenticated Stored Cross-Site Scripting via 'url' Parameter
Patched Version: 6.8.8.1
Recommended Action: Update to version 6.8.8.1, or a newer patched version
Plugin: Time Sheets
Vulnerability: Time Sheets <= 2.1.3 – Cross-Site Request Forgery
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: Organic Food – Farm & Food Business Eco WordPress
Vulnerability: OrganicFood <= 3.6.4 – Authenticated (Contributor+) Local File Inclusion
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mentoring
Vulnerability: Mentoring <= 1.2.8 – Unauthenticated Privilege Escalation in mentoring_process_registration
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Theme: Betheme
Vulnerability: Betheme <= 28.4 – Authenticated (Author+) Arbitrary File Upload to Remote Code Execution via Icon Pack Upload
Patched Version: 28.4.1
Recommended Action: Update to version 28.4.1, or a newer patched version
Plugin: Event Booking Manager for WooCommerce
Vulnerability: WpEvently < 5.1.9 – Unauthenticated Information Exposure
Patched Version: 5.1.9
Recommended Action: Update to version 5.1.9, or a newer patched version
Plugin: Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)
Vulnerability: Barcode Scanner with Inventory & Order Manager <= 1.11.0 – Cross-Site Request Forgery
Patched Version: 1.12.0
Recommended Action: Update to version 1.12.0, or a newer patched version
Theme: Reebox – Elementor WooCommerce WordPress Theme
Vulnerability: Reebox < 1.4.8 – Reflected Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor
Vulnerability: ElementsKit Elementor Addons <= 3.8.2 – Missing Authorization to Unauthenticated Widget Content Overwrite
Patched Version: 3.9.0
Recommended Action: Update to version 3.9.0, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.52.1 – Unauthenticated Arbitrary File Read via 'upload-1[file][file_path]'
Patched Version: 1.52.2
Recommended Action: Update to version 1.52.2, or a newer patched version
Plugin: bBlocks – Essential Gutenberg Blocks & Patterns Collection
Vulnerability: bBlocks – Essential Gutenberg Blocks & Patterns Collection < 2.0.30 – Missing Authorization
Patched Version: 2.0.30
Recommended Action: Update to version 2.0.30, or a newer patched version
Plugin: AWP Classifieds
Vulnerability: AWP Classifieds <= 4.4.5 – Unauthenticated SQL Injection via 'regions'
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Share This Image
Vulnerability: Share This Image <= 2.12 – Missing Authorization
Patched Version: 2.13
Recommended Action: Update to version 2.13, or a newer patched version
Theme: Calliope
Vulnerability: Calliope <= 1.0.33 – Cross-Site Request Forgery
Patched Version: 1.0.35
Recommended Action: Update to version 1.0.35, or a newer patched version
Plugin: RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
Vulnerability: RepairBuddy <= 4.1132 – Unauthenticated Information Exposure
Patched Version: 4.1133
Recommended Action: Update to version 4.1133, or a newer patched version
Plugin: NMR Strava activities
Vulnerability: NMR Strava activities <= 1.0.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Patched Version: 1.0.15
Recommended Action: Update to version 1.0.15, or a newer patched version
Plugin: Memberlite Shortcodes
Vulnerability: Memberlite Shortcodes <= 1.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Amazon Affiliates – WordPress Plugin
Vulnerability: WooCommerce Amazon Affiliates – WordPress Plugin <= 14.0.31 – Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: FlashMart – Multipurpose Sections Shopify Theme
Vulnerability: FlashMart <= 2.0.15 – Unauthenticated Local File Inclusion
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: Biolife – Organic Food WordPress Theme ( RTL Supported )
Vulnerability: Biolife <= 3.2.3 – Missing Authorization
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
Vulnerability: Coming Soon Page, Under Construction & Maintenance Mode by SeedProd <= 6.19.8 – Authenticated (Editor+) Server-Side Request Forgery
Patched Version: 6.19.9
Recommended Action: Update to version 6.19.9, or a newer patched version
Plugin: Meks Easy Maps
Vulnerability: Meks Easy Maps <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DirectoryPress – Business Directory And Classified Ad Listing
Vulnerability: DirectoryPress <= 3.6.26 – Unauthenticated Information Exposure
Patched Version: 3.6.27
Recommended Action: Update to version 3.6.27, or a newer patched version
Plugin: GlobalPayments Gateway Provider for WooCommerce
Vulnerability: GlobalPayments WooCommerce <= 1.18.0 – Unauthenticated Server-Side Request Forgery
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bus Ticket Booking with Seat Reservation
Vulnerability: Bus Ticket Booking with Seat Reservation < 5.6.5 – Unauthenticated Information Exposure
Patched Version: 5.6.5
Recommended Action: Update to version 5.6.5, or a newer patched version
Theme: Boldman – Handyman Renovation Services WordPress Theme + RTL
Vulnerability: Boldman <= 7.7 – Authenticated (Contributor+) Local File Inclusion
Patched Version: 7.8
Recommended Action: Update to version 7.8, or a newer patched version
Plugin: WP Ultimate Review
Vulnerability: Ultimate Review <= 2.3.9 – Missing Authorization
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Booking for Appointments and Events Calendar – Amelia <= 2.2.1 – Unauthenticated Authorization Bypass via Remote Approval Endpoint
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: JW Player for WordPress
Vulnerability: JW Player for WordPress <= 2.3.7 – Missing Authorization
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Vulnerability: Contact Form by WPForms <= 1.10.0.2 – Cross-Site Request Forgery
Patched Version: 1.10.0.3
Recommended Action: Update to version 1.10.0.3, or a newer patched version
Plugin: Subscribe To Comments Reloaded
Vulnerability: Subscribe To Comments Reloaded <= 240119 – Improper Authorization to Unauthenticated Arbitrary Subscription Management
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 3D Viewer – Display Interactive 3D Models
Vulnerability: 3D viewer – Embed 3D Models <= 1.8.5 – Missing Authorization
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: Card Elements for WPBakery
Vulnerability: Card Elements for WPBakery <= 1.0.8 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tutor LMS Pro
Vulnerability: Tutor LMS Pro <= 3.9.6 – Unauthenticated SQL Injection
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version
Plugin: Mercado Pago payments for WooCommerce
Vulnerability: Mercado Pago payments for WooCommerce <= 8.7.11 – Missing Authorization to Unauthenticated PIX Payment QR Code Image Disclosure
Patched Version: 8.7.12
Recommended Action: Update to version 8.7.12, or a newer patched version
Plugin: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
Vulnerability: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute
Patched Version: 4.10.1
Recommended Action: Update to version 4.10.1, or a newer patched version
Plugin: RSVP and Event Management
Vulnerability: RSVP and Event Management <= 2.7.16 – Unauthenticated Information Exposure
Patched Version: 2.7.17
Recommended Action: Update to version 2.7.17, or a newer patched version
Plugin: Embed PDF Viewer
Vulnerability: Embed PDF Viewer <= 2.4.7 – Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version
Plugin: WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce
Vulnerability: WebinarIgnition <= 4.09.1 – Unauthenticated SQL Injection
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SureForms – Contact Form, Payment Form & Other Custom Form Builder
Vulnerability: SureForms <= 1.13.1 – Missing Authorization to Unauthenticated Sensitive Information Exposure
Patched Version: 1.13.2
Recommended Action: Update to version 1.13.2, or a newer patched version
Plugin: JCH Optimize
Vulnerability: JCH Optimize <= 4.0.0 – Missing Authorization
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Theme: Emphires – Human Resources & Recruiting Theme
Vulnerability: Emphires <= 3.9 – Authenticated (Contributor+) Local File Inclusion
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: Mogi – A Creative Portfolio / Agency WordPress Theme
Vulnerability: Mogi <= 1.2.3 – Missing Authorization
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content
Vulnerability: GeekyBot <= 1.2.2 – Missing Authorization to Unauthenticated Arbitrary Plugin Installation via 'geekybot_frontendajax' AJAX Action
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Slider Revolution
Vulnerability: Slider Revolution 7.0.0 – 7.0.10 – Authenticated (Subscriber+) Arbitrary File Upload via _get_media_url
Patched Version: 7.0.11
Recommended Action: Update to version 7.0.11, or a newer patched version
Plugin: All-in-One WP Migration Unlimited Extension
Vulnerability: All-in-One WP Migration Unlimited Extension <= 2.83 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Backup Schedule Creation and Backup File Download
Patched Version: 2.84
Recommended Action: Update to version 2.84, or a newer patched version
Plugin: Modal Dialog
Vulnerability: Modal Dialog <= 3.5.16 – Authenticated (Admin+) Remote Code Execution
Patched Version: 3.5.17
Recommended Action: Update to version 3.5.17, or a newer patched version
Plugin: Geo Mashup
Vulnerability: Geo Mashup <= 1.13.18 – Unauthenticated Time-Based SQL Injection via 'object_ids' Parameter
Patched Version: 1.13.19
Recommended Action: Update to version 1.13.19, or a newer patched version
Theme: Woostify
Vulnerability: Woostify <= 2.4.2 – Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gutenverse – WordPress Blocks, Page Builder & Site Editor
Vulnerability: Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 – Authenticated (Contributor+) Server-Side Request Forgery via 'imageUrl'
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: Tutor LMS Pro
Vulnerability: Tutor LMS Pro <= 3.9.8 – Missing Authorization
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version
Plugin: Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts
Vulnerability: Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts <= 2.7.1 – Authenticated (Contributor+) Remote Code Execution
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: EmailKit – Email Customizer for WooCommerce & WP
Vulnerability: EmailKit <= 1.6.5 – Authenticated (Author+) Arbitrary File Read via 'emailkit-editor-template' REST Parameter
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: Element Pack – Widgets, Templates & Addons for Elementor
Vulnerability: Element Pack Elementor Addons <= 8.4.2 – Authenticated (Editor+) SQL Injection
Patched Version: 8.5.0
Recommended Action: Update to version 8.5.0, or a newer patched version
Plugin: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
Vulnerability: PopupKit <= 2.1.5 – Authenticated (Subscriber+) Information Exposure
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Image Photo Gallery Final Tiles Grid
Vulnerability: Image Photo Gallery Final Tiles Grid <= 3.6.11 – Authenticated (Author+) Insecure Direct Object Reference
Patched Version: 3.6.12
Recommended Action: Update to version 3.6.12, or a newer patched version
Plugin: 12 Step Meeting List
Vulnerability: 12 Step Meeting List <= 3.19.9 – Unauthenticated Information Exposure
Patched Version: 3.19.10
Recommended Action: Update to version 3.19.10, or a newer patched version
Theme: VW Education Lite
Vulnerability: VW Education Lite <= 2.2.0 – Missing Authorization
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: DX Sources
Vulnerability: DX Sources <= 2.0.1 – Cross-Site Request Forgery to Settings Update
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Blog Card
Vulnerability: Simple Blog Card <= 2.37 – Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 2.38
Recommended Action: Update to version 2.38, or a newer patched version
Plugin: Advanced Woo Labels – Product Labels & Badges for WooCommerce
Vulnerability: Advanced Woo Labels <= 2.36 – Authenticated (Admin+) Remote Code Execution
Patched Version: 2.37
Recommended Action: Update to version 2.37, or a newer patched version
Plugin: UiCore Elements – Free widgets and templates for Elementor
Vulnerability: UiCore Elements <= 1.3.14 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: Greenly – Ecology & Solar Energy WordPress Theme
Vulnerability: Greenly <= 8.1 – Authenticated (Contributor+) Local File Inclusion
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Theme: Armania – Fashion, Furniture, Organic, Food Multipurpose Elementor WooCommerce Theme (RTL Supported)
Vulnerability: Armania <= 1.4.8 – Unauthenticated Arbitrary Shortcode Execution
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LatePoint – Calendar Booking Plugin for Appointments and Events
Vulnerability: LatePoint <= 5.5.0 – Unauthenticated Account Takeover via Weak Password Recovery Mechanism
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version
Plugin: Time Sheets
Vulnerability: Time Sheets <= 2.1.3 – Use of Known Vulnerable Component
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LatePoint – Calendar Booking Plugin for Appointments and Events
Vulnerability: LatePoint <= 5.5.0 – Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version
Plugin: Project Manager – AI Powered Project Management, Task Management, Kanban Board & Time Tracker
Vulnerability: WP Project Manager <= 2.6.31 – Authenticated (Project Manager+) SQL Injection
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Publish 2 Ping.fm
Vulnerability: Publish 2 Ping.fm <= 1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpPingPingKey' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Page Permalink Extension
Vulnerability: WP Page Permalink Extension <= 1.5.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Rewrite Rules Flush
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: Biolife – Organic Food WordPress Theme ( RTL Supported )
Vulnerability: Biolife <= 3.2.3 – Authenticated (Contributor+) Local File Inclusion
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: PageLayer <= 2.0.8 – Authenticated (Contributor+) Information Exposure
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails
Vulnerability: MailerPress <= 1.4.2 – Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Medilink-Core
Vulnerability: Medilink-Core < 2.0.7 – Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Vulnerability: User Registration & Membership <= 5.1.4 – Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version
Plugin: Royal Addons for Elementor – Addons and Templates Kit for Elementor
Vulnerability: Royal Addons for Elementor <= 1.7.1056 – Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta
Patched Version: 1.7.1057
Recommended Action: Update to version 1.7.1057, or a newer patched version
Plugin: WP Ghost (Hide My WP Ghost) – Security & Firewall
Vulnerability: Hide My WP Ghost < 7.0.00 – Unauthenticated Open Redirect
Patched Version: 7.0.00
Recommended Action: Update to version 7.0.00, or a newer patched version
Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
Vulnerability: MP3 Audio Player for Music, Radio & Podcast by Sonaar <= 5.11 – Unauthenticated Server-Side Request Forgery
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Starter Templates & Sites Pack by ThemeGrill
Vulnerability: ThemeGrill Demo Importer <= 2.0.0.6 – Missing Authorization
Patched Version: 2.0.0.7
Recommended Action: Update to version 2.0.0.7, or a newer patched version
Plugin: Geo Mashup
Vulnerability: Geo Mashup <= 1.13.18 – Unauthenticated Time-Based SQL Injection via 'map_post_type' Parameter
Patched Version: 1.13.19
Recommended Action: Update to version 1.13.19, or a newer patched version
Plugin: Gutenverse – WordPress Blocks, Page Builder & Site Editor
Vulnerability: Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'separatorIconSVG'
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Vulnerability: WP-Optimize <= 4.5.2 – Authenticated (Author+) Arbitrary File Deletion via 'original-file' Post Meta
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version
Plugin: Schema Plugin For Divi, Gutenberg & Shortcodes
Vulnerability: Schema Plugin For Divi, Gutenberg & Shortcodes <= 4.3.2 – Authenticated (Contributor+) Object Instantiation
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gravity Bookings
Vulnerability: Gravity Bookings <= 2.5.9 – Unauthenticated SQL Injection via 'category_id' Parameter
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Spectra Gutenberg Blocks – Website Builder for the Block Editor
Vulnerability: Spectra <= 2.19.22 – Missing Authorization
Patched Version: 2.19.23
Recommended Action: Update to version 2.19.23, or a newer patched version
Plugin: Sky Addons – Elementor Addons with Widgets & Templates
Vulnerability: Sky Addons <= 3.3.2 – Authenticated (Author+) Stored Cross-Site Scripting via Custom Script
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: Instantio — Side Cart & One-Page Checkout for WooCommerce
Vulnerability: Instantio <= 3.3.30 – Unauthenticated Information Exposure
Patched Version: 3.3.31
Recommended Action: Update to version 3.3.31, or a newer patched version
Plugin: Blog Settings
Vulnerability: Blog Settings <= 1.0 – Reflected Cross-Site Scripting via 'page' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vulnerability: Simply Schedule Appointments <= 1.6.11.0 – Missing Authorization
Patched Version: 1.6.11.1
Recommended Action: Update to version 1.6.11.1, or a newer patched version
Theme: Uminex – Multipurpose WooCommerce Theme
Vulnerability: Uminex <= 1.0.9 – Unauthenticated Arbitrary Shortcode Execution
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Forminator Forms <= 1.53.0 – Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook
Patched Version: 1.53.0.1
Recommended Action: Update to version 1.53.0.1, or a newer patched version
Plugin: BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
Vulnerability: BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library <= 2.2.14 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.15
Recommended Action: Update to version 2.2.15, or a newer patched version
Theme: Nanosoft – WP Theme for IT Solutions and Services Company
Vulnerability: Nanosoft < 1.3.2 – Missing Authorization
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Wp EMember
Vulnerability: eMember <= 10.2.2 – Missing Authorization
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Weaver Show Posts
Vulnerability: Weaver Show Posts <= 1.8.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'Additional Classes to Wrap Posts' Widget Setting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Vulnerability: User Registration <= 5.1.5 – Reflected Cross-Site Scripting
Patched Version: 5.1.6
Recommended Action: Update to version 5.1.6, or a newer patched version
Plugin: Wallet for WooCommerce
Vulnerability: TeraWallet – For WooCommerce <= 1.5.15 – Authenticated (Customer+) Race Condition
Patched Version: 1.5.16
Recommended Action: Update to version 1.5.16, or a newer patched version
Theme: LabtechCO | Laboratory & Science Research WordPress Theme
Vulnerability: LabtechCO <= 8.3 – Authenticated (Contributor+) Local File Inclusion
Patched Version: 8.4
Recommended Action: Update to version 8.4, or a newer patched version
Plugin: Export All URLs
Vulnerability: Export All URLs <= 4.1 – Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: Simple Owl Shortcodes
Vulnerability: Simple Owl Shortcodes <= 2.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Attribute
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative)
Vulnerability: Burst Statistics Really Simple Plugins <= 1.5.3 – Authenticated (Editor+) SQL Injection
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: E-cab Taxi Booking Manager for Woocommerce
Vulnerability: Taxi Booking Manager for WooCommerce <= 1.3.0 – Missing Authorization
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: MDTF <= 1.3.6 – Missing Authorization
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel
Vulnerability: WP Carousel Free <= 2.7.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-caption' Attribute
Patched Version: 2.7.11
Recommended Action: Update to version 2.7.11, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Forminator Forms <= 1.51.1 – Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter
Patched Version: 1.52
Recommended Action: Update to version 1.52, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: GiveWP <= 4.14.5 – Missing Authorization
Patched Version: 4.14.6
Recommended Action: Update to version 4.14.6, or a newer patched version
Plugin: TableOn – WordPress Posts Table Filterable
Vulnerability: TableOn – WordPress Posts Table Filterable <= 1.0.5.1 – Missing Authorization
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Categories Images
Vulnerability: Categories Images <= 3.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: Related Posts Lite
Vulnerability: Related Posts Lite <= 1.12 – Cross-Site Request Forgery
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Clippy
Vulnerability: WP-Clippy <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pinpoint Booking System – Version 2
Vulnerability: Pinpoint Booking System <= 2.9.9.6.5 – Missing Authorization
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Royal Addons for Elementor – Addons and Templates Kit for Elementor
Vulnerability: Royal Addons for Elementor <= 1.7.1056 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'Follow Button Text' Parameter
Patched Version: 1.7.1057
Recommended Action: Update to version 1.7.1057, or a newer patched version
Plugin: Greenly Theme Addons
Vulnerability: Greenly Theme Addons < 8.2 – Authenticated (Contributor+) Local File Inclusion
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Plugin: JetEngine
Vulnerability: JetEngine < 3.8.4.1 – Authenticated (Contributor+) PHP Object Injection
Patched Version: 3.8.4.1
Recommended Action: Update to version 3.8.4.1, or a newer patched version
Theme: TechOne – Electronics Multipurpose WooCommerce Theme ( RTL Supported )
Vulnerability: TechOne <= 3.0.3 – Unauthenticated Arbitrary Shortcode Execution
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Getty Images
Vulnerability: Getty Images <= 4.1.0 – Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin
Vulnerability: Majestic Support <= 1.1.2 – Missing Authorization
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 – Unauthenticated SQL Injection via 'inputs'
Patched Version: 1.15.43
Recommended Action: Update to version 1.15.43, or a newer patched version
Plugin: RPS Include Content
Vulnerability: RPS Include Content <= 1.2.2 – Missing Authorization
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: Teluro
Vulnerability: Teluro <= 1.0.31 – Cross-Site Request Forgery
Patched Version: 1.0.36
Recommended Action: Update to version 1.0.36, or a newer patched version
Theme: BigHearts – Charity & Donation WordPress Theme
Vulnerability: BigHearts <= 3.1.14 – Missing Authorization
Patched Version: 3.1.15
Recommended Action: Update to version 3.1.15, or a newer patched version
Plugin: WeePie Cookie Allow
Vulnerability: WeePie Cookie Allow <= 3.4.11 – Unauthenticated SQL Injection via 'consent' Parameter
Patched Version: 3.4.12
Recommended Action: Update to version 3.4.12, or a newer patched version
Plugin: Loco Translate
Vulnerability: Loco Translate <= 2.8.2 – Authenticated (Translator+) Path Traversal to Limited File Read via 'ref' Parameter
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: Turbo Manager
Vulnerability: Turbo Manager < 4.0.8 – Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version
Plugin: Simple History – Track, Log, and Audit WordPress Changes
Vulnerability: Simple History <= 5.24.0 – Unauthenticated Information Exposure
Patched Version: 5.24.1
Recommended Action: Update to version 5.24.1, or a newer patched version
Plugin: MoreConvert Pro
Vulnerability: MoreConvert Pro <= 1.9.14 – Authentication Bypass via Waitlist Guest Verification Token Reuse
Patched Version: 1.9.15
Recommended Action: Update to version 1.9.15, or a newer patched version
Plugin: PDF Invoices and Packing Slips For WooCommerce
Vulnerability: PDF Invoices and Packing Slips For WooCommerce <= 1.3.7 – Authenticated (Subscriber+) PHP Object Injection
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.