Understanding Vulnerabilities in WordPress Plugins
Every week we highlight newly disclosed vulnerabilities in WordPress plugins and themes. Each entry below names the affected software, the affected version range as it appears in the vulnerability title (for example "<= 1.7" covers 1.7 and every earlier release, "< 3.6.2" covers everything before 3.6.2, and "3.4.0 – 3.4.1.1" is an inclusive range), the patched version, and the recommended action. "N/A" as the patched version means no fix had been released when this list was compiled; for those entries the safest mitigation is usually to remove the plugin rather than merely deactivate it, since the vulnerable code stays on disk otherwise. Check the versions you actually have installed against the ranges here and act on the entries that apply.
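Because every entry follows the same four-line pattern and states its affected range in the vulnerability title, the roundup can be checked against a site mechanically. The Python script below is an added example written for this page, not code from the roundup or from any of the listed plugins. It parses entries in this page's format, turns the range in each title ("<= 1.7", "< 3.6.2", "3.4.0 – 3.4.1.1") into a version predicate, and compares it with a constructed sample of `wp plugin list --format=json` output. The four roundup entries and the installed-plugin JSON are embedded sample data; matching on the plugin title prefix is a simplification (a real check should key on the plugin slug), and entries whose title carries no machine-readable range are skipped so they can be triaged by hand.

```python
# Added example: triage a weekly WordPress vulnerability roundup against installed plugins.
# Not code from the roundup or from any listed plugin; sample inputs below are constructed.
import json
import re

# Four entries in this page's four-line format (constructed sample input).
ROUNDUP = """\
Plugin: Career Section
Vulnerability: Career Section <= 1.7 – Unauthenticated Arbitrary File Upload
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers
Vulnerability: Sunshine Photo Cart < 3.6.2 – Unauthenticated Information Exposure
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version
Plugin: Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative)
Vulnerability: Burst Statistics 3.4.0 – 3.4.1.1 – Authentication Bypass to Admin Account Takeover
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Shortcodely
Vulnerability: Shortcodely <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'widget_area' Shortcode Attribute
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance.
"""

# Constructed stand-in for `wp plugin list --fields=name,title,status,version --format=json`.
INSTALLED_JSON = json.dumps([
    {"name": "career-section", "title": "Career Section", "status": "active", "version": "1.7"},
    {"name": "sunshine-photo-cart", "title": "Sunshine Photo Cart", "status": "active", "version": "3.6.2"},
    {"name": "burst-statistics", "title": "Burst Statistics", "status": "active", "version": "3.4.1.1"},
    {"name": "shortcodely", "title": "Shortcodely", "status": "inactive", "version": "1.0.1"},
])

ENTRY_RE = re.compile(
    r"^(?:Plugin|Theme): (?P<plugin>.+)\n"
    r"Vulnerability: (?P<vuln>.+)\n"
    r"Patched Version: (?P<patched>.+)\n"
    r"Recommended Action: (?P<action>.+)$",
    re.MULTILINE,
)
# Range forms used in the titles: "<= 1.7" / "< 3.6.2" (upper bound) or "3.4.0 – 3.4.1.1" (inclusive).
BOUND_RE = re.compile(r"(?P<op><=|<)\s*(?P<hi>\d+(?:\.\d+)*)")
RANGE_RE = re.compile(r"(?P<lo>\d+(?:\.\d+)*)\s*[–-]\s*(?P<hi>\d+(?:\.\d+)*)")


def vkey(version):
    """Numeric tuple for ordering; trailing zeros dropped so 3.6.2 == 3.6.2.0 and 4.09.1 == 4.9.1."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_roundup(text):
    """One dict per entry: short plugin name, affected range and patched version (None for N/A)."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        vuln = m.group("vuln")
        bound = BOUND_RE.search(vuln)
        rng = None if bound else RANGE_RE.search(vuln)
        if bound:
            lo, hi, inclusive = None, vkey(bound.group("hi")), bound.group("op") == "<="
            short = vuln[: bound.start()].strip()
        elif rng:
            lo, hi, inclusive = vkey(rng.group("lo")), vkey(rng.group("hi")), True
            short = vuln[: rng.start()].strip()
        else:
            continue  # no machine-readable range in the title: triage that entry by hand
        patched = m.group("patched").strip()
        entries.append({"short": short, "vuln": vuln, "lo": lo, "hi": hi, "inclusive": inclusive,
                        "patched": None if patched.upper() == "N/A" else patched,
                        "action": m.group("action")})
    return entries


def is_affected(entry, version):
    """True when `version` falls inside the entry's affected range."""
    v = vkey(version)
    if entry["lo"] is not None and v < entry["lo"]:
        return False
    return v <= entry["hi"] if entry["inclusive"] else v < entry["hi"]


def triage(roundup_text, installed_json):
    """Match installed plugins to roundup entries and report the fix for each hit."""
    findings = []
    installed = json.loads(installed_json)
    for entry in parse_roundup(roundup_text):
        for p in installed:
            # Title-prefix match keeps the sample simple; key on the plugin slug in a real check.
            if not p["title"].lower().startswith(entry["short"].lower()):
                continue
            if is_affected(entry, p["version"]):
                findings.append({
                    "slug": p["name"], "installed": p["version"], "status": p["status"],
                    "vuln": entry["vuln"],
                    "fix": f"update to {entry['patched']}" if entry["patched"]
                    else "no patch: remove the plugin or mitigate",
                })
    return findings


if __name__ == "__main__":
    for f in triage(ROUNDUP, INSTALLED_JSON):
        print(f"{f['slug']} {f['installed']} ({f['status']}): {f['vuln']} -> {f['fix']}")
```

On the embedded sample this reports Career Section 1.7 (update to 1.8), Burst Statistics 3.4.1.1 (update to 3.4.2) and Shortcodely 1.0.1 (no patch), and correctly passes Sunshine Photo Cart 3.6.2 because its range is the strict "< 3.6.2". For a real site replace ROUNDUP with the full list and INSTALLED_JSON with the output of `wp plugin list --fields=name,title,status,version --format=json`; note that an inactive plugin is still reported, since deactivation leaves the files in place and an entry with no patch is best resolved by removing the plugin.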
Plugin: Career Section
Vulnerability: Career Section <= 1.7 – Unauthenticated Arbitrary File Upload
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: COMPE – WooCommerce Compare Products
Vulnerability: COMPE <= 1.1.4 – Unauthenticated Insecure Direct Object Reference
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: HEL Online Classroom: AI-powered Online Classrooms
Vulnerability: HEL Online Classroom: AI-powered Online Classrooms <= 1.0.3 – Missing Authorization to Unauthenticated Arbitrary Classroom Deletion via 'id' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Canto
Vulnerability: Canto <= 3.1.1 – Missing Authorization to Unauthenticated File Upload
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Classified Listing – AI-Powered Classified ads & Business Directory Plugin
Vulnerability: Classified Listing <= 5.3.10 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via add_order_note and send_email_to_user_by_moderator AJAX Actions
Patched Version: 5.4.0
Recommended Action: Update to version 5.4.0, or a newer patched version
Theme: The7 — Website and eCommerce Builder for WordPress
Vulnerability: The7 <= 14.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 'link' Parameter
Patched Version: 14.3.3
Recommended Action: Update to version 14.3.3, or a newer patched version
Plugin: Frontend Admin by DynamiApps
Vulnerability: Frontend Admin by DynamiApps <= 3.28.36 – Unauthenticated Privilege Escalation via Edit User Form
Patched Version: 3.29.1
Recommended Action: Update to version 3.29.1, or a newer patched version
Plugin: InfusedWoo Pro
Vulnerability: InfusedWoo Pro <= 5.1.2 – Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe'
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version
Plugin: Shortcodely
Vulnerability: Shortcodely <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'widget_area' Shortcode Attribute
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Marketing for WooCommerce by Omnisend
Vulnerability: Omnisend for WooCommerce <= 1.18.0 – Unauthenticated Omnisend Account Takeover via Predictable Connect Token
Patched Version: 1.18.1
Recommended Action: Update to version 1.18.1, or a newer patched version
Plugin: Pricing Tables for WP
Vulnerability: Pricing Tables for WP <= 1.1.0 – Reflected Cross-Site Scripting via 'page' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Job Portal – AI-Powered Recruitment System for Company or Job Board website
Vulnerability: WP Job Portal <= 2.4.4 – Authenticated (Editor+) Stored Cross-Site Scripting via Job Description Field
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings
Vulnerability: Rate Star Review Vote <= 1.6.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification via 'rating_id' Parameter
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: Gravity SMTP
Vulnerability: Gravity SMTP <= 2.1.4 – Unauthenticated Sensitive Information Exposure via REST API
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: Fancy Image Show
Vulnerability: Fancy Image Show <= 9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Redirection
Vulnerability: WP-Redirection <= 1.0.3 – Cross-Site Request Forgery to Settings Update
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Client Dash
Vulnerability: Ultimate Client Dash <= 4.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.1
Recommended Action: Update to version 4.7.1, or a newer patched version
Plugin: VK All in One Expansion Unit
Vulnerability: VK All in One Expansion Unit <= 9.112.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via SNS Title
Patched Version: 9.112.4
Recommended Action: Update to version 9.112.4, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Templates & Widgets
Vulnerability: Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.5.13 – Authenticated (Author+) Limited Privilege Escalation via register_user
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version
Plugin: Avada (Fusion) Builder
Vulnerability: Avada Builder <= 3.15.1 – Unauthenticated SQL Injection via 'product_order' Parameter
Patched Version: 3.15.2
Recommended Action: Update to version 3.15.2, or a newer patched version
Plugin: Share This Image
Vulnerability: Share This Image <= 2.14 – Unauthenticated Server-Side Request Forgery
Patched Version: 2.15
Recommended Action: Update to version 2.15, or a newer patched version
Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more
Vulnerability: JoomSport <= 5.7.7 – Unauthenticated SQL Injection via 'sortf' Parameter
Patched Version: 5.7.8
Recommended Action: Update to version 5.7.8, or a newer patched version
Plugin: Frontend File Manager Plugin
Vulnerability: Frontend File Manager <= 23.6 – Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Download Access
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bootstrap Shortcode
Vulnerability: Bootstrap Shortcode <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'box' Shortcode
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PDF Invoices & Packing Slips for WooCommerce
Vulnerability: PDF Invoices & Packing Slips for WooCommerce <= 5.6.0 – Missing Authorization to Authenticated (Subscriber+) Peppol Identifier Modification
Patched Version: 5.7.0
Recommended Action: Update to version 5.7.0, or a newer patched version
Plugin: Receive Notifications After Form Submitting – Form Notify for Any Forms
Vulnerability: Receive Notifications After Form Submitting – Form Notify for Any Forms <= 1.1.10 – Unauthenticated Authentication Bypass via LINE OAuth Callback
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version
Plugin: NEX-Forms – Ultimate Forms Plugin for WordPress
Vulnerability: NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.12 – Authenticated (Administrator+) SQL Injection via 'table' Parameter
Patched Version: 9.1.13
Recommended Action: Update to version 9.1.13, or a newer patched version
Plugin: WP SEO Structured Data Schema
Vulnerability: WP SEO Structured Data Schema <= 2.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via '_kcseo_ative_tab' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via Navigation Menu Lite Widget
Patched Version: 6.4.12
Recommended Action: Update to version 6.4.12, or a newer patched version
Plugin: Motors – Car Dealership & Classified Listings Plugin
Vulnerability: Motors – Car Dealership & Classified Listings Plugin <= 1.4.103 – Missing Authorization to Authenticated (Subscriber+) Payment Bypass via 'stm_payment_status' Parameter
Patched Version: 1.4.104
Recommended Action: Update to version 1.4.104, or a newer patched version
Plugin: Database Backup for WordPress
Vulnerability: Database Backup for WordPress <= 2.5.2 – Missing Authorization to Unauthenticated Database Backup Interception
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: Contact Form 7
Vulnerability: Contact Form 7 <= 6.0.5 – Order Replay Vulnerability
Patched Version: 6.0.6
Recommended Action: Update to version 6.0.6, or a newer patched version
Plugin: RTMKit
Vulnerability: RTMKit Addons for Elementor <= 2.0.2 – Authenticated (Author+) Local File Inclusion via 'path'
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: WPFAQBlock – FAQ & Accordion Plugin For Gutenberg
Vulnerability: WPFAQBlock – FAQ & Accordion Plugin For Gutenberg <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Database Backup for WordPress
Vulnerability: Database Backup for WordPress <= 2.5.2 – Missing Authorization to Unauthenticated Arbitrary File Read and Deletion
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: My Calendar – Accessible Event Manager
Vulnerability: My Calendar <= 3.7.9 – Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter
Patched Version: 3.7.10
Recommended Action: Update to version 3.7.10, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: ProfileGrid <= 5.9.8.4 – Authenticated (Subscriber+) SQL Injection via 'rid' Parameter
Patched Version: 5.9.8.5
Recommended Action: Update to version 5.9.8.5, or a newer patched version
Plugin: ilGhera Support System for WooCommerce
Vulnerability: ilGhera Support System for WooCommerce <= 1.3.0 – Missing Authorization to Unauthenticated Sensitive Information Exposure
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Slek Gateway for WooCommerce
Vulnerability: Slek Gateway for WooCommerce <= 1.0 – Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Broadstreet
Vulnerability: Broadstreet <= 1.53.1 – Missing Authorization to Authenticated (Subscriber+) Advertiser Creation
Patched Version: 1.53.2
Recommended Action: Update to version 1.53.2, or a newer patched version
Plugin: AzonPost
Vulnerability: AzonPost <= 1.3 – Reflected Cross-Site Scripting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Magic Export & Import
Vulnerability: Magic Export & Import <= 1.1.0 – Unauthenticated Information Exposure
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: GWD Conex
Vulnerability: GWD Connect <= 2.9 – Unauthenticated Limited Code Execution via update_agent
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LifePress
Vulnerability: LifePress <= 2.2.2 – Unauthenticated Stored Cross-Site Scripting via 'n' Parameter via lp_update_mds AJAX Action
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 – Incorrect Authorization to Authenticated (Author+) Arbitrary Draft Post Creation via 'post_type'
Patched Version: 6.4.8
Recommended Action: Update to version 6.4.8, or a newer patched version
Plugin: Motors – Car Dealership & Classified Listings Plugin
Vulnerability: Motors – Car Dealer, Classifieds & Listing <= 1.4.107 – Authenticated (Subscriber+) Arbitrary File Deletion via 'stm_dealer_logo_path' Parameter
Patched Version: 1.4.108
Recommended Action: Update to version 1.4.108, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Tutor LMS <= 3.9.9 – Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter
Patched Version: 3.9.10
Recommended Action: Update to version 3.9.10, or a newer patched version
Plugin: Taskbuilder – Project Management & Task Management Tool With Kanban Board
Vulnerability: Taskbuilder – Project Management & Task Management Tool With Kanban Board <= 5.0.6 – Authenticated (Subscriber+) Time-Based Blind SQL Injection via 'project_search' Parameter
Patched Version: 5.0.7
Recommended Action: Update to version 5.0.7, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Vulnerability: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses <= 4.3.5 – Authenticated (Subscriber+) Payment Bypass to Free Course Enrollment via 'quantity' Parameter
Patched Version: 4.3.6
Recommended Action: Update to version 4.3.6, or a newer patched version
Plugin: Quick Table
Vulnerability: Quick Table <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'style' Shortcode Attribute
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Surbma | Recent Comments Shortcode
Vulnerability: Surbma | Recent Comments Shortcode <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: coreActivity: Activity Logging for WordPress
Vulnerability: coreActivity: Activity Logging for WordPress <= 3.0 – Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
Vulnerability: MonsterInsights <= 10.1.2 – Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset
Patched Version: 10.1.3
Recommended Action: Update to version 10.1.3, or a newer patched version
Plugin: Related Posts Lite
Vulnerability: Related Posts Lite <= 1.12 – Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: ProfileGrid <= 5.9.8.4 – Missing Authorization to Authenticated (Subscriber+) Group Settings Modification
Patched Version: 5.9.8.5
Recommended Action: Update to version 5.9.8.5, or a newer patched version
Plugin: GLS Shipping for WooCommerce
Vulnerability: GLS Shipping for WooCommerce <= 1.4.0 – Reflected Cross-Site Scripting via 'failed_orders'
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: RTMKit
Vulnerability: RTMKit Addons for Elementor <= 2.0.2 – Authenticated (Author+) Missing Authorization to Widget Configuration Modification
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: InfusedWoo Pro
Vulnerability: InfusedWoo Pro <= 5.1.2 – Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary User Meta Update
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version
Plugin: LatePoint – Calendar Booking Plugin for Appointments and Events
Vulnerability: LatePoint <= 5.3.2 – Cross-Site Request Forgery via 'customer_cabinet__request_cancellation' AJAX Route
Patched Version: 5.4.0
Recommended Action: Update to version 5.4.0, or a newer patched version
Plugin: Smartcat Translator for WPML
Vulnerability: Smartcat Translator for WPML <= 3.1.77 – Missing Authorization to Unauthenticated Plugin Settings Update
Patched Version: 3.1.78
Recommended Action: Update to version 3.1.78, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: FOX – Currency Switcher Professional for WooCommerce <= 1.4.5 – Missing Authorization to Authenticated (Contributor+) Configuration Deletion
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: SP Blog Designer
Vulnerability: SP Blog Designer <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'design' Attribute
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Theme: KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme
Vulnerability: Kallyas <= 4.24.0 – Authenticated (Contributor+) Remote Code Execution
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI Chatbot & Workflow Automation by AIWU
Vulnerability: AI Chatbot & Workflow Automation by AIWU <= 1.4.17 – Unauthenticated SQL Injection in getListForTbl()
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: InfusedWoo Pro
Vulnerability: InfusedWoo Pro <= 5.1.2 – Unauthenticated Arbitrary File Read via 'url' Parameter
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version
Plugin: MW WP Form
Vulnerability: MW WP Form <= 5.1.2 – Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version
Plugin: Forms Rb
Vulnerability: Forms Rb <= 1.1.9 – Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via 'form_id' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Fluent Forms <= 6.1.21 – Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version
Plugin: Tm – WordPress Redirection
Vulnerability: Tm – WordPress Redirection <= 1.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Avada (Fusion) Builder
Vulnerability: Avada Builder <= 3.15.2 – Authenticated (Subscriber+) Arbitrary File Read via 'custom_svg' Shortcode Parameter
Patched Version: 3.15.3
Recommended Action: Update to version 3.15.3, or a newer patched version
Plugin: Zawgyi Embed
Vulnerability: Zawgyi Embed <= 2.1.1 – Cross-Site Request Forgery via 'zawgyi_forceCSS' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Meks Easy Maps
Vulnerability: Meks Easy Maps <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Next Date
Vulnerability: Next Date <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative)
Vulnerability: Burst Statistics 3.4.0 – 3.4.1.1 – Authentication Bypass to Admin Account Takeover
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Hostinger Reach – AI-Powered Email Marketing for WordPress
Vulnerability: Hostinger Reach <= 1.3.8 – Missing Authorization to Authenticated (Subscriber+) Integration API Key Update
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Voyage Plus
Vulnerability: Voyage Plus <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'post-content' Shortcode
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Vulnerability: Charitable <= 1.8.10.4 – Authenticated (Custom+) SQL Injection via 's' Search Parameter
Patched Version: 1.8.10.5
Recommended Action: Update to version 1.8.10.5, or a newer patched version
Plugin: CC Child Pages
Vulnerability: CC Child Pages <= 2.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'more' Parameter
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Advanced Social Media Icons
Vulnerability: Advanced Social Media Icons <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'social' Shortcode
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan
Vulnerability: WP Encryption – One Click SSL & Force HTTPS <= 7.8.5.10 – Missing Authorization to Authenticated (Subscriber+) SSL Setup Tampering
Patched Version: 7.8.5.11
Recommended Action: Update to version 7.8.5.11, or a newer patched version
Plugin: Coinbase Commerce for Contact Form 7
Vulnerability: Coinbase Commerce for Contact Form 7 <= 1.1.2 – Missing Authorization to Authenticated (Subscriber+) API Key Modification via 'cccf7_api_key' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Fluent Forms <= 6.2.0 – Authenticated (Subscriber+) Authorization Bypass via 'table' Parameter
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version
Plugin: WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce
Vulnerability: WebinarIgnition <= 4.09.1 – Unauthenticated SQL Injection
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: iPOSpays Payment Gateway for WooCommerce
Vulnerability: iPOSpays Gateways WC <= 1.3.7 – Unauthenticated Missing Authorization to Settings Update via REST API Endpoint
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quick Playground
Vulnerability: Quick Playground <= 1.3.3 – Unauthenticated Path Traversal to Arbitrary File Read via 'stylesheet' Parameter
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Court Reservation – Manage Your Court Bookings Online
Vulnerability: Court Reservation – Manage Your Court Bookings Online <= 1.10.11 – Unauthenticated SQL Injection
Patched Version: 1.10.12
Recommended Action: Update to version 1.10.12, or a newer patched version
Plugin: BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor
Vulnerability: BetterDocs <= 4.3.10 – Unauthenticated Information Exposure
Patched Version: 4.3.11
Recommended Action: Update to version 4.3.11, or a newer patched version
Plugin: Advanced Custom Fields: Font Awesome Field
Vulnerability: Advanced Custom Fields: Font Awesome Field <= 5.0.2 – Authenticated (Subscriber+) Stored Cross-Site Scripting via JSON Field
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version
Plugin: Cost of Goods: Product Cost & Profit Calculator for WooCommerce
Vulnerability: Cost of Goods: Product Cost & Profit Calculator for WooCommerce <= 4.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: Smart Appointment & Booking
Vulnerability: Smart Appointment & Booking <= 1.0.8 – Missing Authorization to Unauthenticated Arbitrary Booking Cancellation
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bold Page Builder
Vulnerability: Bold Page Builder <= 5.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode
Patched Version: 5.6.9
Recommended Action: Update to version 5.6.9, or a newer patched version
Plugin: Woo Commerce Minimum Weight
Vulnerability: Woo Commerce Minimum Weight <= 3.0.1 – Cross-Site Request Forgery via Settings Update Form
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Broadstreet
Vulnerability: Broadstreet <= 1.53.1 – Authenticated (Subscriber+) Information Disclosure
Patched Version: 1.53.2
Recommended Action: Update to version 1.53.2, or a newer patched version
Plugin: Unlimited Elements For Elementor
Vulnerability: Unlimited Elements For Elementor <= 2.0.7 – Authenticated (Contributor+) SQL Injection via 'filter_search' Parameter
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers
Vulnerability: Sunshine Photo Cart < 3.6.2 – Unauthenticated Information Exposure
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version
Plugin: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Vulnerability: User Registration & Membership <= 5.1.5 – Unauthenticated Missing Authorization to Admin Approval Bypass via 'action' Parameter
Patched Version: 5.1.6
Recommended Action: Update to version 5.1.6, or a newer patched version
Plugin: FastBots
Vulnerability: FastBots <= 1.0.12 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Orderable – Restaurant & Food Ordering System
Vulnerability: Orderable <= 1.20.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Ultimate Member <= 2.11.1 – Reflected Cross-Site Scripting via Filter Parameters
Patched Version: 2.11.2
Recommended Action: Update to version 2.11.2, or a newer patched version
Plugin: Credits Shortcode
Vulnerability: Credits Shortcode <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Shortcode Attribute
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Skysa Text Ticker App
Vulnerability: Skysa Text Ticker App <= 1.4 – Cross-Site Request Forgery to Settings Modification via 'Save Settings' Form
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Google Maps Integration
Vulnerability: WP Google Maps Integration <= 1.2 – Reflected Cross-Site Scripting via 'page' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Time Sheets
Vulnerability: Time Sheets <= 2.1.3 – Use of Known Vulnerable Component
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPC Badge Management for WooCommerce
Vulnerability: WPC Badge Management for WooCommerce <= 3.1.6 – Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'text' Attribute
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version
Plugin: MapGeo – Interactive Geo Maps
Vulnerability: MapGeo – Interactive Geo Maps <= 1.6.27 – Reflected Cross-Site Scripting via 'map' Parameter
Patched Version: 1.6.28
Recommended Action: Update to version 1.6.28, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: ProfileGrid <= 5.9.8.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Group Joining
Patched Version: 5.9.8.5
Recommended Action: Update to version 5.9.8.5, or a newer patched version
Plugin: WP Page Permalink Extension
Vulnerability: WP Page Permalink Extension <= 1.5.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Rewrite Rules Flush
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Eight Day Week Print Workflow
Vulnerability: Eight Day Week Print Workflow <= 1.2.6 – Authenticated (Subscriber+) SQL Injection via 'title' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Notify Odoo
Vulnerability: Notify Odoo <= 1.0.1 – Cross-Site Request Forgery to Settings Update
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Schema Plugin For Divi, Gutenberg & Shortcodes
Vulnerability: Schema Plugin For Divi, Gutenberg & Shortcodes <= 4.3.2 – Authenticated (Contributor+) Object Instantiation
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Fluent Forms <= 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'permission_message' Shortcode Attribute
Patched Version: 6.2.2
Recommended Action: Update to version 6.2.2, or a newer patched version
Plugin: scratchblocks for WP
Vulnerability: scratchblocks for WP <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'element' Shortcode Attribute
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Continually
Vulnerability: Continually <= 4.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'continually_embed_code' Parameter
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More
Vulnerability: Envira Gallery <= 1.12.4 – Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter
Patched Version: 1.12.5
Recommended Action: Update to version 1.12.5, or a newer patched version
Plugin: Database Backup for WordPress
Vulnerability: Database Backup for WordPress <= 2.5.2 – Missing Authorization to Unauthenticated Database Export
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: Snow Monkey Blocks
Vulnerability: Snow Monkey Blocks <= 24.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-slick' Attribute
Patched Version: 24.1.12
Recommended Action: Update to version 24.1.12, or a newer patched version
Plugin: ManageWP Worker
Vulnerability: ManageWP Worker <= 4.9.31 – Unauthenticated Stored Cross-Site Scripting via 'MWP-Key-Name' Header
Patched Version: 4.9.32
Recommended Action: Update to version 4.9.32, or a newer patched version
Plugin: School Management System for WordPress
Vulnerability: School Management <= 1.93.1 (02-07-2025) – Authenticated (Student+) Arbitrary File Upload
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Weaver Show Posts
Vulnerability: Weaver Show Posts <= 1.8.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'Additional Classes to Wrap Posts' Widget Setting
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Press3D
Vulnerability: Press3D <= 1.0.2 – Authenticated (Author+) Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Quick Interest Slider
Vulnerability: Quick Interest Slider <= 3.1.5 – Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version
Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Vulnerability: Custom Twitter Feeds <= 2.5.4 – Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version
Plugin: Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization
Vulnerability: Nelio AB Testing <= 8.2.8 – Unauthenticated Information Exposure
Patched Version: 8.3.0
Recommended Action: Update to version 8.3.0, or a newer patched version
Plugin: Meta Field Block – Display custom fields in the Block Editor without coding
Vulnerability: Meta Field Block <= 1.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'tagName' Block Attribute
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Media Sync
Vulnerability: Media Sync <= 1.4.9 – Authenticated (Author+) Path Traversal via 'sub_dir' and 'media_items' Parameters
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Related Posts Lite
Vulnerability: Related Posts Lite <= 1.12 – Cross-Site Request Forgery
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Royal Addons for Elementor – Addons and Templates Kit for Elementor
Vulnerability: Royal Addons for Elementor <= 1.7.1058 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter
Patched Version: 1.7.1059
Recommended Action: Update to version 1.7.1059, or a newer patched version
Plugin: Blog2Social: Social Media Auto Post & Scheduler
Vulnerability: Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0 – Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records via 'postId' Parameter
Patched Version: 8.9.1
Recommended Action: Update to version 8.9.1, or a newer patched version
Plugin: BJ Lazy Load
Vulnerability: BJ Lazy Load <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom HTML Block
Patched Version: N/A
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: InfusedWoo Pro
Vulnerability: InfusedWoo Pro <= 5.1.2 – Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version
Plugin: Surbma | MiniCRM Shortcode
Vulnerability: Surbma | MiniCRM Shortcode <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Advanced Custom Fields: Extended
Vulnerability: Advanced Custom Fields: Extended <= 0.9.2.3 – Unauthenticated Arbitrary Shortcode Execution
Patched Version: 0.9.2.4
Recommended Action: Update to version 0.9.2.4, or a newer patched version
Plugin: Broadstreet
Vulnerability: Broadstreet <= 1.53.1 – Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.53.2
Recommended Action: Update to version 1.53.2, or a newer patched version
Plugin: Cost Calculator Builder
Vulnerability: Cost Calculator Builder <= 4.0.1 – Unauthenticated Price Manipulation and Insecure Direct Object Reference
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
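Acting on a list like this means checking each advisory's version bound against what is actually installed, and the bound matters: "Sunshine Photo Cart < 3.6.2" means 3.6.2 itself is safe, while "Broadstreet <= 1.53.1" means 1.53.1 is still affected. The following is an added example, not code from the original post or from any of the plugin vendors above. It parses the Plugin / Vulnerability / Patched Version entry format used on this page, compares an installed version against the `<=` or `<` bound, and returns an action per plugin. The three sample advisories are copied from entries above; the installed-version inventory is constructed, and two things are assumptions: plugins are matched on the advisory's short name (whereas `wp plugin list --format=json` reports slugs, so you would map slug to title first), and versions are compared as plain dotted integers (PHP's version_compare() also orders suffixes such as beta and rc, which is ignored here).

```python
"""Triage a plugin advisory list against an installed-plugin inventory.

Added example, not part of the original post. Parses the page's own
"Plugin: / Vulnerability: / Patched Version:" entry format and decides,
per installed plugin, whether to update, mitigate/remove, or ignore.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: three entries copied from the page's own format.
ADVISORIES = """\
Plugin: Broadstreet
Vulnerability: Broadstreet <= 1.53.1 – Authenticated (Subscriber+) Information Disclosure
Patched Version: 1.53.2
Recommended Action: Update to version 1.53.2, or a newer patched version
Plugin: Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers
Vulnerability: Sunshine Photo Cart < 3.6.2 – Unauthenticated Information Exposure
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version
Plugin: FastBots
Vulnerability: FastBots <= 1.0.12 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
Patched Version: N/A
Recommended Action: No known patch available. Review the details and mitigate or uninstall.
"""

# Constructed inventory keyed by the advisory's short plugin name.
# Assumption: `wp plugin list` gives slugs, not titles; map them before using this.
INSTALLED = {"Broadstreet": "1.53.1", "Sunshine Photo Cart": "3.6.2", "FastBots": "1.0.12"}

# "<name> <= <version> – <description>"; the version token stops at whitespace,
# so titles like "School Management <= 1.93.1 (02-07-2025) – ..." still parse.
_VULN_RE = re.compile(r"^(?P<name>.+?)\s+(?P<op><=|<)\s+(?P<ver>\S+)\s.*$")


def version_key(v: str) -> List[int]:
    """Dotted version -> list of ints; a non-numeric component counts as 0 (simplification)."""
    out = []
    for part in v.strip().split("."):
        digits = re.match(r"\d+", part)
        out.append(int(digits.group()) if digits else 0)
    return out


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 like PHP version_compare(), with shorter versions zero-padded (1.6 == 1.6.0)."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [0] * (n - len(ka))
    kb += [0] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(installed: str, op: str, bound: str) -> bool:
    """True when the installed version falls inside the advisory's range."""
    c = compare(installed, bound)
    return c <= 0 if op == "<=" else c < 0


def parse_advisories(text: str) -> List[Dict[str, Optional[str]]]:
    """Split the entry list into dicts: plugin, name, op, bound, patched (None when N/A)."""
    entries: List[Dict[str, Optional[str]]] = []
    cur: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        if line.startswith("Plugin: "):
            if cur:
                entries.append(cur)
            cur = {"plugin": line[len("Plugin: "):].strip()}
        elif line.startswith("Vulnerability: "):
            m = _VULN_RE.match(line[len("Vulnerability: "):])
            if m:
                cur.update(name=m["name"], op=m["op"], bound=m["ver"])
        elif line.startswith("Patched Version: "):
            pv = line[len("Patched Version: "):].strip()
            cur["patched"] = None if pv.upper() == "N/A" else pv
    if cur:
        entries.append(cur)
    return entries


def triage(text: str, installed: Dict[str, str]) -> List[Dict[str, str]]:
    """One result per installed plugin that has an advisory: update / mitigate / not affected."""
    results = []
    for e in parse_advisories(text):
        if "name" not in e or e["name"] not in installed:
            continue
        ver = installed[e["name"]]
        if not is_affected(ver, e["op"], e["bound"]):
            action = "not affected"
        elif e["patched"]:
            action = f"update to {e['patched']}"
        else:
            action = "no patch: mitigate or remove"
        results.append({"plugin": e["name"], "installed": ver, "action": action})
    return results


if __name__ == "__main__":
    for r in triage(ADVISORIES, INSTALLED):
        print(f"{r['plugin']}: installed {r['installed']} -> {r['action']}")
```

Run against the constructed inventory, Broadstreet 1.53.1 is flagged for update to 1.53.2, Sunshine Photo Cart 3.6.2 is reported as not affected because the advisory's bound is strict, and FastBots 1.0.12 has no patch and is flagged for mitigation or removal. Feed it the full list and the real inventory and the output is your week's to-do list.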
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.