Watch Out Wednesday – May 17, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Reflected Cross-Site Scripting via ‘delete_mobile’
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: CALL ME NOW

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: WP Register Profile With Shortcode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.38
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.38, 4.2.35, 4.3.31, 4.4.30, 4.5.29, 4.6.26, 4.7.26, 4.8.22, 4.9.23, 5.0.19, 5.1.16, 5.2.18, 5.3.15, 5.4.13, 5.5.12, 5.6.11, 5.7.9, 5.8.7, 5.9.6, 6.0.4, 6.1.2, 6.2.1

Plugin: Add Posts to Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SoundCloud Is Gold

Vulnerability: Missing Authorization to Soundcloud User Add
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.3.18
Recommended Action: Update to version 3.3.18, or a newer patched version

Plugin: Survey Maker

Vulnerability: Reflected Cross-Site Scripting via ‘page’ parameter
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: WP Category Post List Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Ship to Multiple Addresses

Vulnerability: Insecure Direct Object Reference
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: WCP Contact Form

Vulnerability: Missing Authorization via downloadCsv
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Injection Guard

Vulnerability: Cross-Site Request Forgery to Whitelist Update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: SEO by 10Web

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Contact Form by Supsystic

Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.7.25
Recommended Action: Update to version 1.7.25, or a newer patched version

Plugin: iframe popup

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Composite Products

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.7.6
Recommended Action: Update to version 8.7.6, or a newer patched version

Plugin: YITH WooCommerce Gift Cards Premium

Vulnerability: Missing Authorization
Patched Version: 3.24.0
Recommended Action: Update to version 3.24.0, or a newer patched version

Plugin: Pinterest RSS Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Featured Image Pro Post Grid

Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 5.15
Recommended Action: Update to version 5.15, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Forget About Shortcode Buttons

Vulnerability: Missing Authorization via fasc_buttons
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Simple Calendar – Google Calendar Plugin

Vulnerability: Cross-Site Request Forgery to Transient Cache Clearing
Patched Version: 3.1.43
Recommended Action: Update to version 3.1.43, or a newer patched version

Plugin: Link Whisper Free

Vulnerability: Missing Authorization via init()
Patched Version: 0.6.4
Recommended Action: Update to version 0.6.4, or a newer patched version

Plugin: Portfolio Gallery – Responsive Image Gallery

Vulnerability: Missing Authorization to Arbitrary Gallery Deletion
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Post State Tags

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Bookings

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.15.79
Recommended Action: Update to version 1.15.79, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.38
Recommended Action: Update to version 1.3.38, or a newer patched version

Plugin: Get your number

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ricerca – advanced search

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: eBecas

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Predictive Search

Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Product page shipping calculator for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 1.3.26
Recommended Action: Update to version 1.3.26, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: WP-Chatbot for Messenger

Vulnerability: Missing Authorization
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: Injection Guard

Vulnerability: Cross-Site Request Forgery via ig_update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: AutomateWoo

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.7.2
Recommended Action: Update to version 5.7.2, or a newer patched version

Plugin: WP Reactions Lite

Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: itemprop WP for SERP/SEO Rich snippets

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Arbitrary File Deletion
Patched Version: 21.8
Recommended Action: Update to version 21.8, or a newer patched version

Plugin: Injection Guard

Vulnerability: Missing Authorization via ig_update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: PixelYourSite Pro – Your smart PIXEL (TAG) Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.6.2
Recommended Action: Update to version 9.6.2, or a newer patched version

Plugin: File Away

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woodmart Core

Vulnerability: Authentication Bypass to Privilege Escalation
Patched Version: 1.0.37
Recommended Action: Update to version 1.0.37, or a newer patched version

Plugin: Zotpress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.3.4
Recommended Action: Update to version 7.3.4, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: weebotLite

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cloudflare Turnstile or reCAPTCHA For any Pages, to Block Spam and Hackers Attack.

Vulnerability: Missing Authorization via recaptcha_for_all_image_select
Patched Version: 1.23
Recommended Action: Update to version 1.23, or a newer patched version

Plugin: Order Your Posts Manually

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘sortdata’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Brands for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: Hyphenator

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Drop Shadow Boxes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.11
Recommended Action: Update to version 1.7.11, or a newer patched version

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Simple Page Ordering

Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Donations Made Easy – Smart Donations

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom 404 Pro

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: Woo Custom Emails

Vulnerability: Missing Authorization to Unauthenticated Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 2.26.0
Recommended Action: Update to version 2.26.0, or a newer patched version

Plugin: Product Recommendations

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Core: WordPress

Vulnerability: Insufficient Sanitization of Block Attributes
Patched Version: 4.1.38
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.38, 4.2.35, 4.3.31, 4.4.30, 4.5.29, 4.6.26, 4.7.26, 4.8.22, 4.9.23, 5.0.19, 5.1.16, 5.2.18, 5.3.15, 5.4.13, 5.5.12, 5.6.11, 5.7.9, 5.8.7, 5.9.6, 6.0.4, 6.1.2, 6.2.1

Plugin: Pricing Table Builder – AP Pricing Tables Lite

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SlimStat Analytics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Authentication Bypass
Patched Version: 5.2.1.1
Recommended Action: Update to version 5.2.1.1, or a newer patched version

Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2023
Recommended Action: Update to version 2023, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Cross-Site Request Forgery to Field Duplication
Patched Version: 6.1.0.0
Recommended Action: Update to version 6.1.0.0, or a newer patched version

Plugin: Video Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version

Plugin: Order Your Posts Manually

Vulnerability: Reflected Cross-Site Scripting via ‘_user_request’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Replicate Post

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: AutomateWoo

Vulnerability: Authenticated (Shop manager+) SQL Injection
Patched Version: 5.7.2
Recommended Action: Update to version 5.7.2, or a newer patched version

Plugin: DevBuddy Twitter Feed

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Owl Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Chinese Conversion

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.23
Recommended Action: Update to version 1.1.23, or a newer patched version

Plugin: Custom Field Suite

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Column-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easing Slider

Vulnerability: Missing Authorization to Unauthenticated Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sunny Search

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.71
Recommended Action: Update to version 3.2.71, or a newer patched version

Plugin: Don8

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Injection Guard

Vulnerability: Missing Authorization to Whitelist Update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder

Vulnerability: Open Redirect
Patched Version: 4.0.9.4
Recommended Action: Update to version 4.0.9.4, or a newer patched version

Plugin: WooCommerce Brands

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.46
Recommended Action: Update to version 1.6.46, or a newer patched version

Plugin: Essential Addons for Elementor Pro

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: OTP Login Woocommerce (Login with OTP)

Vulnerability: Authentication Bypass to Privilege Escalation
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Missing Authorization via save_fields_settings
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: WooCommerce Product Add-ons

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Missing Authorization to Settings Update
Patched Version: 3.13.2
Recommended Action: Update to version 3.13.2, or a newer patched version

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)

Vulnerability: Reflected Cross-Site Scripting via ‘lang’
Patched Version: 3.1.61
Recommended Action: Update to version 3.1.61, or a newer patched version

Plugin: Announcement & Notification Banner – Bulletin

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: WooCommerce Pre-Orders

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Sunny Search

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Multi Store Locator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hostel

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.5.2
Recommended Action: Update to version 1.1.5.2, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Embed Discovery
Patched Version: 4.1.38
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.38, 4.2.35, 4.3.31, 4.4.30, 4.5.29, 4.6.26, 4.7.26, 4.8.22, 4.9.23, 5.0.19, 5.1.16, 5.2.18, 5.3.15, 5.4.13, 5.5.12, 5.6.11, 5.7.9, 5.8.7, 5.9.6, 6.0.4, 6.1.2, 6.2.1

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Deletion
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Quick Page/Post Redirect Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Authenticated (Admin+) Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 5.2.1.0
Recommended Action: Update to version 5.2.1.0, or a newer patched version

Plugin: WooCommerce Pre-Orders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2023
Recommended Action: Update to version 2023, or a newer patched version

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.14.1
Recommended Action: Update to version 8.14.1, or a newer patched version

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version

Plugin: Frontend Post WordPress Plugin – AccessPress Anonymous Post

Vulnerability: Authenticated (Contributor+) Arbitrary Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Subscribers and Landing Pages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Announcement & Notification Banner – Bulletin

Vulnerability: Missing Authorization Checks
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: LetterPress – Elevate Your WordPress Site's E-Mail Campaigns and Marketing

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Editing
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Order Your Posts Manually

Vulnerability: Reflected Cross-Site Scripting via ‘cat_id’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dyslexiefont Free

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Product Add-ons

Vulnerability: Authenticated (Shop Manager+) PHP Object Injection
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 3.3.18
Recommended Action: Update to version 3.3.18, or a newer patched version

Plugin: Free WordPress Lead Generation Opt in, Free Popups, Generated Lead Email Popup, Exit-Intent Popup – NotifyVisitors

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 10Web Social Post Feed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Missing Authorization to Custom Drop-Down Currency Switcher Creation
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Download Monitor

Vulnerability: Sensitive Information Exposure via REST API
Patched Version: 4.7.70
Recommended Action: Update to version 4.7.70, or a newer patched version

Plugin: WP All Backup

Vulnerability: Cross-Site Request Forgery to Backup Storage Modification
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: D-Bargain

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Locatoraid Store Locator

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.9.19
Recommended Action: Update to version 3.9.19, or a newer patched version

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Authenticated (Administrator+) Local File Inclusion
Patched Version: 7.5.4
Recommended Action: Update to version 7.5.4, or a newer patched version

Plugin: Custom Base Terms

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘base’
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: Affects versions <= 6.4.4 (vulnerability type not stated in this listing)
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: Backup Migration

Vulnerability: Sensitive Information Exposure
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: video carousel slider with lightbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Unauthenticated Arbitrary Password Reset to Privilege Escalation
Patched Version: 5.7.2
Recommended Action: Update to version 5.7.2, or a newer patched version

Plugin: WhyDonate – FREE Donate button – Crowdfunding – Fundraising

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.12.16
Recommended Action: Update to version 3.12.16, or a newer patched version

Plugin: Google Site Verification plugin using Meta Tag

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Directory Traversal
Patched Version: 4.1.38 for the 4.1 branch; every later branch has its own patched release, listed below
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.38, 4.2.35, 4.3.31, 4.4.30, 4.5.29, 4.6.26, 4.7.26, 4.8.22, 4.9.23, 5.0.19, 5.1.16, 5.2.18, 5.3.15, 5.4.13, 5.5.12, 5.6.11, 5.7.9, 5.8.7, 5.9.6, 6.0.4, 6.1.2, 6.2.1

Plugin: Woodmart Core

Vulnerability: PHP Object Injection
Patched Version: 1.0.37
Recommended Action: Update to version 1.0.37, or a newer patched version

Plugin: WP Custom Cursors | WordPress Cursor Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: Affects versions <= 6.4.4 (vulnerability type not stated in this listing)
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: Quiz Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4.2.7
Recommended Action: Update to version 6.4.2.7, or a newer patched version

Plugin: Essential Addons for Elementor Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: WCP Contact Form

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
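A practical way to act on a listing like this is to compare it against what is actually installed rather than reading it entry by entry. The Python script below is an added example, not Wordfence's or this post's own code: it takes the JSON that `wp plugin list --format=json` emits plus the core version, and reports which entries need an update or removal. The plugin slugs, the sample plugin list and the site versions are constructed for illustration (the advisory versions are the ones from this post). It also shows two traps a practitioner hits with this kind of list: version strings must be compared numerically, not as text, and the Core entry's single "Patched Version" is not a usable threshold, because each branch was patched in its own release.

```python
import json
import re

# Advisory data transcribed from the listing above. The slugs (the names that
# `wp plugin list` reports) are assumed for this example; confirm them against
# the plugin's directory name under wp-content/plugins before relying on them.
ADVISORIES = {
    "download-monitor": {
        "vulnerability": "Sensitive Information Exposure via REST API",
        "patched": "4.7.70",
    },
    "quiz-maker": {
        "vulnerability": "Reflected Cross-Site Scripting",
        "patched": "6.4.2.7",
    },
    "essential-addons-for-elementor-lite": {
        "vulnerability": "Unauthenticated Arbitrary Password Reset to Privilege Escalation",
        "patched": "5.7.2",
    },
    "wp-all-backup": {
        "vulnerability": "Cross-Site Request Forgery to Backup Storage Modification",
        "patched": None,  # no patched version available
    },
}

# Core: every branch in the listing has its own patched release.
CORE_PATCHED = [
    "4.1.38", "4.2.35", "4.3.31", "4.4.30", "4.5.29", "4.6.26", "4.7.26",
    "4.8.22", "4.9.23", "5.0.19", "5.1.16", "5.2.18", "5.3.15", "5.4.13",
    "5.5.12", "5.6.11", "5.7.9", "5.8.7", "5.9.6", "6.0.4", "6.1.2", "6.2.1",
]

# Constructed sample of `wp plugin list --format=json` output (not from a real site).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "download-monitor", "status": "active", "update": "available", "version": "4.7.9"},
    {"name": "quiz-maker", "status": "active", "update": "none", "version": "6.4.2.7"},
    {"name": "essential-addons-for-elementor-lite", "status": "inactive", "update": "available", "version": "5.7.1"},
    {"name": "wp-all-backup", "status": "active", "update": "none", "version": "1.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.1"},
])


def parse_version(version):
    """'6.4.2.7' -> (6, 4, 2, 7). Only numeric components are compared."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_lt(installed, patched):
    """Numeric component-wise comparison, padded so that '1.2' == '1.2.0'.
    A plain string comparison would call '4.7.9' newer than '4.7.70'."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def check_plugins(plugin_list_json):
    """Return one finding per installed plugin that the listing says is affected.
    Inactive plugins are still reported: their files remain on disk and reachable."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        advisory = ADVISORIES.get(plugin["name"])
        if advisory is None:
            continue
        patched = advisory["patched"]
        if patched is None:
            action = "no patch available: remove the plugin or mitigate"
        elif version_lt(plugin["version"], patched):
            action = "update to %s or newer" % patched
        else:
            continue  # installed version is at or past the patched release
        findings.append({
            "slug": plugin["name"],
            "installed": plugin["version"],
            "status": plugin["status"],
            "vulnerability": advisory["vulnerability"],
            "action": action,
        })
    return findings


def check_core(installed):
    """Compare core against the patched release of its own major.minor branch.
    The lowest listed version (4.1.38) is not a threshold: 5.9.5 is above it
    and still vulnerable, because the 5.9 branch was patched in 5.9.6."""
    branch = ".".join(str(p) for p in parse_version(installed)[:2])
    for patched in CORE_PATCHED:
        if patched.startswith(branch + "."):
            return {"branch": branch, "patched": patched,
                    "vulnerable": version_lt(installed, patched)}
    # Branch not in the listing: older than 4.1 (no backport) or newer than 6.2.
    return {"branch": branch, "patched": None, "vulnerable": None}


if __name__ == "__main__":
    for finding in check_plugins(SAMPLE_PLUGIN_LIST):
        print("%(slug)s %(installed)s (%(status)s): %(vulnerability)s -> %(action)s" % finding)
    for core_version in ("5.9.5", "6.2.1", "4.0.1"):
        print(core_version, check_core(core_version))
```

On a real site, replace `SAMPLE_PLUGIN_LIST` with the output of `wp plugin list --format=json` and pass `wp core version` to `check_core`. Entries with no patched version are reported as findings regardless of the installed version, which matches the listing's advice to review and, if necessary, uninstall them.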

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
