Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. Addressing these vulnerabilities promptly, by updating to a patched version or removing the affected plugin, reduces the risk to your WordPress site and its data.
Plugin: DethemeKit For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Justify
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: EasyEvent
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Breakdance
Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Custom Field Suite
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: All Bootstrap Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.21.2
Recommended Action: Update to version 3.21.2, or a newer patched version
Plugin: Ditty – Responsive News Tickers, Sliders, and Lists
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 3.1.39
Recommended Action: Update to version 3.1.39, or a newer patched version
Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpvideo Shortcode
Patched Version: 13.4
Recommended Action: Update to version 13.4, or a newer patched version
Plugin: White Label CMS
Vulnerability: Missing Authorization to Plugin Settings Reset
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: Wp EMember
Vulnerability: Reflected Cross-Site Scripting via ‘fieldId’
Patched Version: 10.3.9
Recommended Action: Update to version 10.3.9, or a newer patched version
Plugin: Business Card
Vulnerability: Cross-Site Request Forgery to Arbitrary Card Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Netgsm
Vulnerability: Missing Authorization
Patched Version: 2.9.33
Recommended Action: Update to version 2.9.33, or a newer patched version
Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages
Vulnerability: Reflected Cross-Site Scripting via pageType
Patched Version: 1.5.1.9
Recommended Action: Update to version 1.5.1.9, or a newer patched version
Plugin: Heateor Social Login WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.32
Recommended Action: Update to version 1.1.32, or a newer patched version
Plugin: Carousel Slider
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Authenticated (Subscriber+) Arbitrary Folder Name Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hotel Booking Lite
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 4.11.2
Recommended Action: Update to version 4.11.2, or a newer patched version
Plugin: Graphina – Elementor Charts and Graphs
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.8.10
Recommended Action: Update to version 1.8.10, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Dual Color Header’, ‘Event Calendar’, & ‘Advanced Data Table’
Patched Version: 5.9.20
Recommended Action: Update to version 5.9.20, or a newer patched version
Plugin: Simple Basic Contact Form
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 20240502
Recommended Action: Update to version 20240502, or a newer patched version
Plugin: Kognetiks Chatbot for WordPress
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Missing Authorization in handle_ajax_request
Patched Version: 5.7.20
Recommended Action: Update to version 5.7.20, or a newer patched version
Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version
Plugin: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Social Icons Widget & Block by WPZOOM
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.2.18
Recommended Action: Update to version 4.2.18, or a newer patched version
Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: FS Product Inquiry
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Connect
Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Enter Addons – Ultimate Template Builder for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Animation Title widget img tag
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: 3.9.17
Recommended Action: Update to version 3.9.17, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated Time-Based SQL Injection
Patched Version: 4.2.6.6
Recommended Action: Update to version 4.2.6.6, or a newer patched version
Plugin: Z-Downloads
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.11.4
Recommended Action: Update to version 1.11.4, or a newer patched version
Plugin: Link Library
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via link-library Shortcode
Patched Version: 7.7
Recommended Action: Update to version 7.7, or a newer patched version
Plugin: Thim Elementor Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: 1.1.9.1
Recommended Action: Update to version 1.1.9.1, or a newer patched version
Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.23.9
Recommended Action: Update to version 4.23.9, or a newer patched version
Plugin: BuddyPress
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 12.4.1
Recommended Action: Update to version 12.4.1, or a newer patched version
Plugin: Gutenify – Visual Site Builder Blocks & Site Templates.
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Mega Elements – Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Copymatic – AI Content Writer & Generator
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features)
Vulnerability: Missing Authorization
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: Ditty – Responsive News Tickers, Sliders, and Lists
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.1.36
Recommended Action: Update to version 3.1.36, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via layout_html Parameter
Patched Version: 4.2.6.6
Recommended Action: Update to version 4.2.6.6, or a newer patched version
Plugin: Meow Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.4
Recommended Action: Update to version 5.1.4, or a newer patched version
Plugin: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Image Hover Effects – Elementor Addon
Vulnerability: Elementor Addon <= 1.4.1
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: SimpleShop
Vulnerability: Missing Authorization
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version
Plugin: Yoast SEO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 22.6
Recommended Action: Update to version 22.6, or a newer patched version
Plugin: Advanced Ads – Ad Manager & AdSense
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Ad Widget
Patched Version: 1.52.2
Recommended Action: Update to version 1.52.2, or a newer patched version
Plugin: Blocksy Companion
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Uploads
Patched Version: 2.0.46
Recommended Action: Update to version 2.0.46, or a newer patched version
Plugin: Mesmerize Companion
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mesmerize_contact_form Shortcode
Patched Version: 1.6.149
Recommended Action: Update to version 1.6.149, or a newer patched version
Plugin: Flattr
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Widget – Contact Query, Contact Page, Form Maker, Query Table
Vulnerability: Sensitive Information Exposure
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.4.3.1
Recommended Action: Update to version 1.4.3.1, or a newer patched version
Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Vulnerability: Missing Authorization
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version
Plugin: Simple Membership
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version
Plugin: Translate Multilingual sites – TranslatePress
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: WP Latest Posts
Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 5.0.8
Recommended Action: Update to version 5.0.8, or a newer patched version
Plugin: Soccer Engine – Soccer Plugin for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Several Widgets
Patched Version: 5.9.20
Recommended Action: Update to version 5.9.20, or a newer patched version
Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Vulnerability: Authenticated (Admin+) Command Injection
Patched Version: 1.5.103
Recommended Action: Update to version 1.5.103, or a newer patched version
Plugin: Swift Performance Lite
Vulnerability: Incorrect Authorization to Authenticated (Subscriber+) Settings Modification
Patched Version: 2.3.6.19
Recommended Action: Update to version 2.3.6.19, or a newer patched version
Plugin: Yoast SEO
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 22.7
Recommended Action: Update to version 22.7, or a newer patched version
Plugin: Buddyboss Platform
Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Link on Private Post
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: Pure Chat – Live Chat & More!
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.23
Recommended Action: Update to version 2.23, or a newer patched version
Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version
Plugin: WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features)
Vulnerability: Missing Authorization
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version
Plugin: Sydney Toolbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via aThemes: Portfolio Widget
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version
Plugin: Playlist for Youtube
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.40
Recommended Action: Update to version 1.40, or a newer patched version
Plugin: Enter Addons – Ultimate Template Builder for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Heading widget
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Authenticated (Administrator+) Arbitrary File Deletion
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Church Admin
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version
Plugin: Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Blocks, and Elementor Widgets)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via pagingType Parameter
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version
Plugin: Site Reviews
Vulnerability: IP Address Spoofing to Blocking Bypass
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version
Plugin: LoginPress Pro
Vulnerability: Captcha Bypass
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Hostel
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.5.4
Recommended Action: Update to version 1.1.5.4, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version
Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.14.4
Recommended Action: Update to version 3.14.4, or a newer patched version
Plugin: Flo Forms – Easy Drag & Drop Form Builder
Vulnerability: Missing Authorization
Patched Version: 1.0.43
Recommended Action: Update to version 1.0.43, or a newer patched version
Plugin: Order Export & Order Import for WooCommerce
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Text Effect Widget
Patched Version: 1.1.38
Recommended Action: Update to version 1.1.38, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.38
Recommended Action: Update to version 3.2.38, or a newer patched version
Plugin: Contact List – Online Staff Directory and Address Book
Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 2.9.88
Recommended Action: Update to version 2.9.88, or a newer patched version
Plugin: SportsPress – Sports Club & League Manager
Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 2.7.21
Recommended Action: Update to version 2.7.21, or a newer patched version
Plugin: Kognetiks Chatbot for WordPress
Vulnerability: Unauthenticated Arbitrary File Upload via chatbot_chatgpt_upload_file_to_assistant Function
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Typer Effect
Patched Version: 3.2.38
Recommended Action: Update to version 3.2.38, or a newer patched version
Plugin: Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: WP Compress – Instant Performance & Speed Optimization
Vulnerability: Missing Authorization
Patched Version: 6.20.02
Recommended Action: Update to version 6.20.02, or a newer patched version
Plugin: Insert or Embed Articulate Content into WordPress
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Code Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Swift Framework
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Content Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: XML Sitemap & Google News
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: Unyson
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.31
Recommended Action: Update to version 2.7.31, or a newer patched version
Plugin: Automatic QR Code Generator – QR Code Composer
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: The Events Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4.0.1
Recommended Action: Update to version 6.4.0.1, or a newer patched version
Plugin: ADFO – Custom data in admin dashboard
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Advanced Post Block- Great solution for displaying Posts
Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 1.13.5
Recommended Action: Update to version 1.13.5, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Interactive Circles’
Patched Version: 5.9.20
Recommended Action: Update to version 5.9.20, or a newer patched version
Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore
Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Sensitive Information Exposure
Patched Version: 5.6.5
Recommended Action: Update to version 5.6.5, or a newer patched version
Plugin: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.9.26
Recommended Action: Update to version 1.9.26, or a newer patched version
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.218
Recommended Action: Update to version 1.0.218, or a newer patched version
Plugin: SimpleShop
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Tooltip & Popover Widget
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Orders Tracking for WooCommerce
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.1.2
Recommended Action: Update to version 2.8.1.2, or a newer patched version
Plugin: FS Product Inquiry
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sailthru Triggermail
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sailthru Triggermail
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pet Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Visual Footer Credit Remover
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: Pods – Custom Content Types and Fields
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pod Form Redirect URL
Patched Version: 3.2.1.1
Recommended Action: Update to version 3.2.1.1, or a newer patched version
Plugin: Business Card
Vulnerability: Cross-Site Request Forgery to Category Edit
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gianism
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 20240412
Recommended Action: Update to version 20240412, or a newer patched version
Plugin: Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler
Vulnerability: Missing Authorization via Several AJAX Actions
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: Pretty Google Calendar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Fast Custom Social Share by CodeBard
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: If-So Dynamic Content Personalization
Vulnerability: Missing Authorization
Patched Version: 1.7.1.1
Recommended Action: Update to version 1.7.1.1, or a newer patched version
Plugin: WC Serial Numbers – Ultimate License Manager for Selling, Licensing & Securely Delivering Digital Content with WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: Picture Gallery – Frontend Image Uploads, AJAX Photo List
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.5.12
Recommended Action: Update to version 1.5.12, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Link
Patched Version: 3.2.37
Recommended Action: Update to version 3.2.37, or a newer patched version
Plugin: JCH Optimize
Vulnerability: Authenticated (Subscriber+) Directory Traversal
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version
Plugin: Envo's Elementor Templates & Widgets for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version
Plugin: Image Hover Effects – WordPress Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version
Plugin: Falang multilanguage for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.50
Recommended Action: Update to version 1.3.50, or a newer patched version
Plugin: Fan Page Widget by ThemeNcode
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Last Viewed Posts by WPBeginner
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Sticky banner
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Propovoice: All-in-One Client Management System
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.7.6.3
Recommended Action: Update to version 1.7.6.3, or a newer patched version
Plugin: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: 3.13.0
Recommended Action: Update to version 3.13.0, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.21
Recommended Action: Update to version 5.9.21, or a newer patched version
Plugin: Joli FAQ SEO – WordPress FAQ Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Arigato Autoresponder and Newsletter
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.2.4
Recommended Action: Update to version 2.7.2.4, or a newer patched version
Plugin: Themify Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via themify_button Shortcode
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated Bypass to User Registration
Patched Version: 4.2.6.6
Recommended Action: Update to version 4.2.6.6, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version
Plugin: YITH WooCommerce Gift Cards
Vulnerability: Missing Authorization to Unauthenticated WooCommerce Settings Update
Patched Version: 4.13.0
Recommended Action: Update to version 4.13.0, or a newer patched version
Plugin: HTML5 Audio Player- Best WordPress Audio Player Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 2.2.22
Recommended Action: Update to version 2.2.22, or a newer patched version
Plugin: WP Compress – Instant Performance & Speed Optimization
Vulnerability: Open Redirect via css
Patched Version: 6.20.02
Recommended Action: Update to version 6.20.02, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via photo widget crop attribute
Patched Version: 2.8.1.3
Recommended Action: Update to version 2.8.1.3, or a newer patched version
Plugin: Testimonial Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Squelch Tabs and Accordions Shortcodes
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.4.8
Recommended Action: Update to version 0.4.8, or a newer patched version
Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version
Plugin: WP Discourse
Vulnerability: Missing Authorization
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer
Patched Version: 3.2.37
Recommended Action: Update to version 3.2.37, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Age Gate
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version
Plugin: Pet Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ShopBuilder – Elementor WooCommerce Builder Addons
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: Business Card
Vulnerability: Cross-Site Request Forgery to Card Edit
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: iframe
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version
Plugin: Web Directory Free
Vulnerability: Authenticated (Contributor+) SQL Injection via post_id
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: Simple Basic Contact Form
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 20240511
Recommended Action: Update to version 20240511, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.37
Recommended Action: Update to version 3.2.37, or a newer patched version
Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
Vulnerability: Missing Authorization
Patched Version: 1.12.5
Recommended Action: Update to version 1.12.5, or a newer patched version
Plugin: FundEngine – Donation and Crowdfunding Platform
Vulnerability: Missing Authorization
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Spectra Pro
Vulnerability: Authenticated (Author+) Privilege Escalation
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: All-in-One Video Gallery
Vulnerability: Authenticated (Contributor+) Local File Inclusion via aiovg_search_form Shortcode
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: WordPress Webinar Plugin – WebinarPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.33.21
Recommended Action: Update to version 1.33.21, or a newer patched version
Plugin: ADFO – Custom data in admin dashboard
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version
Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.5.105
Recommended Action: Update to version 1.5.105, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated (Instructor+) Arbitrary File Upload
Patched Version: 4.2.6.6
Recommended Action: Update to version 4.2.6.6, or a newer patched version
Plugin: Business Card
Vulnerability: Cross-Site Request Forgery to Category Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Divi Builder
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 4.25.1
Recommended Action: Update to version 4.25.1, or a newer patched version
Plugin: Social Sharing Plugin – Social Warfare
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version
Plugin: Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category, and more
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version
Plugin: Porto Theme – Functionality
Vulnerability: Functionality <= 3.0.9
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
Vulnerability: Authenticated (Contributor+) DOM-Based Cross-Site Scripting
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version
Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.103
Recommended Action: Update to version 1.5.103, or a newer patched version
Plugin: Advanced Ads – Ad Manager & AdSense
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.52.2
Recommended Action: Update to version 1.52.2, or a newer patched version
Plugin: Image Hover Effects – WordPress Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6
Recommended Action: Update to version 5.6, or a newer patched version
Plugin: Popup Builder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.1.30
Recommended Action: Update to version 1.1.30, or a newer patched version
Plugin: Porto Theme – Functionality
Vulnerability: Functionality <= 3.1.0
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Plugin: AI Popup
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
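The entries above all follow one four-line format (Plugin, Vulnerability, Patched Version, Recommended Action), so a site owner with more than a handful of installs can check an inventory against the list mechanically instead of by eye. The script below is an added example, not code from this page or from any of the plugins named; it parses a constructed excerpt of the list in that format, compares installed versions segment by segment (so that 6.20.02 is correctly newer than 6.3.1, which a plain string comparison gets wrong), and treats "No patched version available" as a finding regardless of the installed version. The sample inventory is constructed; in practice it would come from WP-CLI (`wp plugin list --fields=title,version --format=json`), matching on the plugin title since the list uses display names rather than slugs.

```python
"""Compare a WordPress plugin inventory against advisory entries written in the
Plugin: / Vulnerability: / Patched Version: / Recommended Action: format."""
import re

# Constructed excerpt in the same format as the list above (sample input only).
ADVISORIES = """\
Plugin: Last Viewed Posts by WPBeginner
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Simple Basic Contact Form
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 20240511
Recommended Action: Update to version 20240511, or a newer patched version
Plugin: Pet Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Compress – Instant Performance & Speed Optimization
Vulnerability: Open Redirect via css
Patched Version: 6.20.02
Recommended Action: Update to version 6.20.02, or a newer patched version
"""

# Constructed inventory: plugin display title -> installed version (assumption:
# produced from `wp plugin list --fields=title,version`, not real site data).
SAMPLE_INVENTORY = {
    "Last Viewed Posts by WPBeginner": "1.0",
    "Simple Basic Contact Form": "20240511",
    "Pet Manager": "1.4",
    "WP Compress – Instant Performance & Speed Optimization": "6.3.1",
}


def parse_advisories(text):
    """Return one dict per entry. A new entry starts at each 'Plugin:' line; the
    other three fields attach to the most recent entry. Splitting on the first
    colon only keeps titles such as 'Propovoice: All-in-One ...' intact."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Plugin":
            entries.append({"plugin": value})
        elif entries and key in ("Vulnerability", "Patched Version", "Recommended Action"):
            entries[-1][key.lower().replace(" ", "_")] = value
    return entries


def version_key(v):
    """Sortable key for dotted versions: numeric per segment, trailing zeros
    dropped so 2.1 == 2.1.0, and any prerelease suffix (e.g. '-beta') sorts
    below the bare release. Raises on strings that are not versions at all."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), 0 if m.group(2).strip() else 1)


def fixed_in(entry):
    """Patched version string, or None when the list says no patch exists."""
    pv = entry.get("patched_version", "")
    return None if pv.lower().startswith("no patched") else pv


def check_inventory(installed, advisories):
    """installed: {plugin title: version}. Returns (title, installed, patched,
    vulnerability) tuples; patched is None when the only option is mitigation
    or removal."""
    findings = []
    for adv in advisories:
        name = adv["plugin"]
        if name not in installed:
            continue
        current = installed[name]
        patched = fixed_in(adv)
        if patched is None or version_key(current) < version_key(patched):
            findings.append((name, current, patched, adv["vulnerability"]))
    return findings


if __name__ == "__main__":
    for name, cur, patched, vuln in check_inventory(SAMPLE_INVENTORY, parse_advisories(ADVISORIES)):
        action = f"update to {patched}" if patched else "no patch: mitigate or remove"
        print(f"{name}: installed {cur}, {vuln} -> {action}")
```

Plugins on the list that are not installed are skipped, and a plugin already at or above the patched version produces no finding, so the output is only the entries that need action.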
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.