Watch Out Wednesday – May 22, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit

Vulnerability: Missing Authorization
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version

Plugin: WPCal.io – Easy Meeting Scheduler

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.9.5.9
Recommended Action: Update to version 0.9.5.9, or a newer patched version

Plugin: Fastly

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 1.2.26
Recommended Action: Update to version 1.2.26, or a newer patched version

Plugin: DethemeKit For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.1.1
Recommended Action: Update to version 4.6.1.1, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Insecure Direct Object Reference
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HL Twitter

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Missing Authorization to Settings Update and Limited Privilege Escalation
Patched Version: 5.1.17
Recommended Action: Update to version 5.1.17, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Missing Authorization to Setting Manipulation
Patched Version: 5.1.17
Recommended Action: Update to version 5.1.17, or a newer patched version

Plugin: HL Twitter

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All Bootstrap Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.26.7
Recommended Action: Update to version 1.26.7, or a newer patched version

Plugin: YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress

Vulnerability: Missing Authorization to Arbitrary Post/Page Creation
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Crafthemes Demo Import

Vulnerability: Missing Authorization to Arbitrary Plugin Installation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AdFoxly – Ad Manager, AdSense Ads & Ads.txt

Vulnerability: Missing Authorization to Unauthenticated Ad Status Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.35
Recommended Action: Update to version 1.1.35, or a newer patched version

Plugin: ARforms

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 6.6
Recommended Action: Update to version 6.6, or a newer patched version

Plugin: Save as PDF Plugin by Pdfcrowd

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages

Vulnerability: Reflected Cross-Site Scripting via pageType
Patched Version: 1.5.1.9
Recommended Action: Update to version 1.5.1.9, or a newer patched version

Plugin: Heateor Social Login WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.32
Recommended Action: Update to version 1.1.32, or a newer patched version

Plugin: ConvertPlus

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 3.5.26.1
Recommended Action: Update to version 3.5.26.1, or a newer patched version

Plugin: Base64 Encoder/Decoder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Stockholm Core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Missing Authorization via openai_file_list_callback
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: LetterPress – Elevate Your WordPress Site's E-Mail Campaigns and Marketing

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.10.9
Recommended Action: Update to version 3.10.9, or a newer patched version

Plugin: WP Table Builder – WordPress Table Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.15
Recommended Action: Update to version 1.4.15, or a newer patched version

Plugin: Kognetiks Chatbot for WordPress

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Viet Nam Affiliate

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Missing Authorization in handle_ajax_request
Patched Version: 5.7.20
Recommended Action: Update to version 5.7.20, or a newer patched version

Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Popup4Phone

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PopupAlly

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: SKT Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Page Title
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Add Custom CSS and JS

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Move Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Advanced Custom Fields Pro

Vulnerability: Authenticated (Contributor+) Code Injection
Patched Version: 6.2.10
Recommended Action: Update to version 6.2.10, or a newer patched version

Plugin: Advanced Custom Fields Pro

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 6.2.10
Recommended Action: Update to version 6.2.10, or a newer patched version

Plugin: Tainacan

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 0.21.4
Recommended Action: Update to version 0.21.4, or a newer patched version

Plugin: reCAPTCHA Jetpack

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Missing Authorization to Appointment Time Alteration
Patched Version: 1.0.83
Recommended Action: Update to version 1.0.83, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 5.1.14
Recommended Action: Update to version 5.1.14, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Team Member Widget
Patched Version: 2.6.9.7
Recommended Action: Update to version 2.6.9.7, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via _id Parameter
Patched Version: 3.10.9
Recommended Action: Update to version 3.10.9, or a newer patched version

Plugin: Z-Downloads

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.11.4
Recommended Action: Update to version 1.11.4, or a newer patched version

Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.23.9
Recommended Action: Update to version 4.23.9, or a newer patched version

Plugin: Bulk Posts Editing For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.4
Recommended Action: Update to version 4.2.4, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Missing Authorization via openai_file_upload_callback
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: Gutenify – Visual Site Builder Blocks & Site Templates.

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Mega Elements – Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Ghost

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: WP Next Post Navi

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iPages Flipbook For WordPress

Vulnerability: Missing Authorization
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Form Submission Admin Email Bypass
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version

Plugin: Chauffeur Taxi Booking System for WordPress

Vulnerability: Authentication Bypass
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version

Plugin: Praison SEO WordPress

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Alt Text AI – Automatically generate image alt text for SEO and accessibility

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: WP Prayer

Vulnerability: Cross-Site Request Forgery to Arbitrary Prayer Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Copymatic – AI Content Writer & Generator

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: TT Custom Post Type Creator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features)

Vulnerability: Missing Authorization
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: WPB Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WP Stacker

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elegant Blocks – Amazing Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Debug Log – Manger Tool

Vulnerability: Unauthenticated Information Exposure via Logs
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: AMP WP – Google AMP For WordPress

Vulnerability: Cross-Site Request Forgery via multiple settings pages
Patched Version: 1.5.16
Recommended Action: Update to version 1.5.16, or a newer patched version

Plugin: Testimonial Carousel For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 10.2.0
Recommended Action: Update to version 10.2.0, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Brozzme Scroll Top

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Automatic Translator with Google Translate

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Custom Font
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.219-beta
Recommended Action: Update to version 1.0.219-beta, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Unauthenticated Account Takeover to Privilege Escalation
Patched Version: 5.1.9
Recommended Action: Update to version 5.1.9, or a newer patched version

Plugin: ElementsKit Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: WordPress Automatic Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via autoplay Parameter
Patched Version: 3.95.0
Recommended Action: Update to version 3.95.0, or a newer patched version

Plugin: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Piotnet Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 2.4.28
Recommended Action: Update to version 2.4.28, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Form Builder Widget
Patched Version: 1.3.975
Recommended Action: Update to version 1.3.975, or a newer patched version

Plugin: Contact Form Widget – Contact Query, Contact Page, Form Maker, Query Table

Vulnerability: Sensitive Information Exposure
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Vulnerability: Missing Authorization
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version

Plugin: Translate Multilingual sites – TranslatePress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: Swift Performance Lite

Vulnerability: Incorrect Authorization to Authenticated (Subscriber+) Settings Modification
Patched Version: 2.3.6.19
Recommended Action: Update to version 2.3.6.19, or a newer patched version

Plugin: Better Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Tutor LMS Pro

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 22.7
Recommended Action: Update to version 22.7, or a newer patched version

Plugin: authLdap

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version

Plugin: DS Site Message

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features)

Vulnerability: Missing Authorization
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Realtyna Organic IDX plugin + WPL Real Estate

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.14.8
Recommended Action: Update to version 4.14.8, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.17
Recommended Action: Update to version 5.1.17, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Insecure Direct Object Reference to Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.6.1
Recommended Action: Update to version 2.0.6.1, or a newer patched version

Plugin: Church Admin

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: Configure Login Timeout

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bulk Posts Editing For WordPress

Vulnerability: Authenticated (Subscriber+) Missing Authorization
Patched Version: 4.2.4
Recommended Action: Update to version 4.2.4, or a newer patched version

Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)

Vulnerability: Authenticated (Author+) HTML Injection
Patched Version: 1.6.27
Recommended Action: Update to version 1.6.27, or a newer patched version

Plugin: Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: QuickieBar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Missing Authorization to Arbitrary SQL Execution
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: WP Job Manager

Vulnerability: Unauthenticated Information Exposure
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version

Plugin: WP Favorite Posts

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pootle Pagebuilder – WordPress Page builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stockholm Core

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Salient Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Shared Files – Frontend File Upload Form & Secure File Sharing

Vulnerability: Missing Authorization
Patched Version: 1.7.20
Recommended Action: Update to version 1.7.20, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via su_lightbox
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Move Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Order Export & Order Import for WooCommerce

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.38
Recommended Action: Update to version 3.2.38, or a newer patched version

Plugin: BrainCert Virtual Classroom

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Counter Up – Animated Number Counter & Milestone Showcase

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Contact List – Online Staff Directory and Address Book

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 2.9.88
Recommended Action: Update to version 2.9.88, or a newer patched version

Plugin: SportsPress – Sports Club & League Manager

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 2.7.21
Recommended Action: Update to version 2.7.21, or a newer patched version

Plugin: Dynamics 365 Integration

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.3.18
Recommended Action: Update to version 1.3.18, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Insecure Direct Object Reference to Menu Access
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: month name translation benaceur

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: WPCS ( WordPress Custom Search )

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Missing Authorization via openai_file_delete_callback
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: Piotnet Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.28
Recommended Action: Update to version 2.4.28, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Typer Effect
Patched Version: 3.2.38
Recommended Action: Update to version 3.2.38, or a newer patched version

Plugin: Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Woocommerce Support System

Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Piotnet Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widget Attributes
Patched Version: 2.4.29
Recommended Action: Update to version 2.4.29, or a newer patched version

Plugin: FileBird – WordPress Media Library Folders & File Manager

Vulnerability: Authenticated (Author+) Insecure Direct Object Reference
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version

Plugin: Envo Extra

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 1.8.17
Recommended Action: Update to version 1.8.17, or a newer patched version

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.7.18
Recommended Action: Update to version 1.6.7.18, or a newer patched version

Plugin: UnGallery

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.81
Recommended Action: Update to version 2.2.81, or a newer patched version

Plugin: Insert or Embed Articulate Content into WordPress

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Code Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP etracker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Contact Form Builder & Lead Generation Plugin

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Plugin: LuckyWP Table of Contents

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: Unyson

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.31
Recommended Action: Update to version 2.7.31, or a newer patched version

Plugin: BSK PDF Manager

Vulnerability: Arbitrary JavaScript Execution
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: PHP Object Injection via extractDynamicValues
Patched Version: 5.1.16
Recommended Action: Update to version 5.1.16, or a newer patched version

Plugin: Menu Icons by ThemeIsle

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: 0.13.14
Recommended Action: Update to version 0.13.14, or a newer patched version

Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore

Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.72
Recommended Action: Update to version 3.72, or a newer patched version

Plugin: Tutor LMS Pro

Vulnerability: Missing Authorization
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Easy Affiliate Links

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version

Plugin: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.9.26
Recommended Action: Update to version 1.9.26, or a newer patched version

Plugin: ARforms

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: UberMenu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Featured Content Gallery

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Engine

Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: 2.2.70
Recommended Action: Update to version 2.2.70, or a newer patched version

Plugin: WooCommerce Product Enquiry

Vulnerability: Unauthenticated Self-Based Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Gold Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Download Plugins and Themes in ZIP from Dashboard

Vulnerability: Authenticated (Admin+) Arbitrary File Download
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: CBX Bookmark & Favorite

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.7.21
Recommended Action: Update to version 1.7.21, or a newer patched version

Plugin: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.26.5
Recommended Action: Update to version 1.26.5, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Instructor+) SQL Injection
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: ShiftController Employee Shift Scheduling

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 4.9.58
Recommended Action: Update to version 4.9.58, or a newer patched version

Plugin: AJAX Login and Registration modal popup + inline form

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.24
Recommended Action: Update to version 2.24, or a newer patched version

Plugin: WP Backpack

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AWSOM News Announcement

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler

Vulnerability: Missing Authorization via Several AJAX Actions
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Penci Soledad Data Migrator

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Fast Custom Social Share by CodeBard

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: If-So Dynamic Content Personalization

Vulnerability: Missing Authorization
Patched Version: 1.7.1.1
Recommended Action: Update to version 1.7.1.1, or a newer patched version

Plugin: Swift Framework

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2024.0.0
Recommended Action: Update to version 2024.0.0, or a newer patched version

Plugin: Table Maker

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder by SiteOrigin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘siteorigin_widget’ Shortcode
Patched Version: 2.29.16
Recommended Action: Update to version 2.29.16, or a newer patched version

Plugin: Tagembed: Embed Twitter Feed, Google Reviews, YouTube Videos, TikTok, RSS Feed & More Social Media Feeds

Vulnerability: Missing Authorization
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: Viet Affiliate Link

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: KKProgressbar2 Free – advanced progress bars

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Picture Gallery – Frontend Image Uploads, AJAX Photo List

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.5.12
Recommended Action: Update to version 1.5.12, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.26.7
Recommended Action: Update to version 1.26.7, or a newer patched version

Plugin: JCH Optimize

Vulnerability: Authenticated (Subscriber+) Directory Traversal
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Missing Authorization
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: Envo's Elementor Templates & Widgets for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: LuckyWP Table of Contents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: reCAPTCHA Jetpack

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.4.3.1
Recommended Action: Update to version 1.4.3.1, or a newer patched version

Plugin: HL Twitter

Vulnerability: Cross-Site Request Forgery to Twitter Account Unlink
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Content Blocks (Custom Post Widget)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Sticky banner

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Builder for WooCommerce product reviews shortcodes – ReviewShort

Vulnerability: Missing Authorization
Patched Version: 1.01.6
Recommended Action: Update to version 1.01.6, or a newer patched version

Plugin: WP Prayer

Vulnerability: Cross-Site Request Forgery to Email Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Realtyna Organic IDX plugin + WPL Real Estate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.14.8
Recommended Action: Update to version 4.14.8, or a newer patched version

Plugin: Base64 Encoder/Decoder

Vulnerability: Cross-Site Request Forgery to Setting Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DethemeKit For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Missing Authorization to Options Update
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: 3.13.0
Recommended Action: Update to version 3.13.0, or a newer patched version

Plugin: Popup4Phone

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin Page Spider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.32
Recommended Action: Update to version 3.32, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: Easy WP Cleaner

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.2.4
Recommended Action: Update to version 2.7.2.4, or a newer patched version

Plugin: ImageMagick Sharpen Resized Images

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tutor LMS Pro

Vulnerability: Missing Authorization to SQL Injection
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Cost Calculator Builder PRO

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 3.1.73
Recommended Action: Update to version 3.1.73, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Missing Authorization to WordPress Option Modification
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Stack Group Widget
Patched Version: 3.10.8
Recommended Action: Update to version 3.10.8, or a newer patched version

Plugin: Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: canvasio3D Light

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.21.6
Recommended Action: Update to version 3.21.6, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version

Plugin: Simple Counter

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.10
Recommended Action: Update to version 3.9.10, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Missing Authorization
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: WP Discourse

Vulnerability: Missing Authorization
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 8.7.01.002
Recommended Action: Update to version 8.7.01.002, or a newer patched version

Plugin: Fastly

Vulnerability: Missing Authorization
Patched Version: 1.2.26
Recommended Action: Update to version 1.2.26, or a newer patched version

Plugin: ShopBuilder – Elementor WooCommerce Builder Addons

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Salient Shortcodes

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: KKProgressbar2 Free – advanced progress bars

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import and export users and customers

Vulnerability: Missing Authorization
Patched Version: 1.26.6
Recommended Action: Update to version 1.26.6, or a newer patched version

Plugin: Forty Four – 404 Plugin for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LetterPress – Elevate Your WordPress Site's E-Mail Campaigns and Marketing

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Prayer

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Popup Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via woolentorsearch Shortcode
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.15.25
Recommended Action: Update to version 1.15.25, or a newer patched version

Plugin: SKT Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Block
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Post Grid Elementor Addon

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag
Patched Version: 2.0.17
Recommended Action: Update to version 2.0.17, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via su_members Shortcode
Patched Version: 7.1.6
Recommended Action: Update to version 7.1.6, or a newer patched version

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.8.3
Recommended Action: Update to version 1.0.8.3, or a newer patched version

Plugin: Dextaz Ping

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: weDocs – Knowledgebase, Documentation, and Wiki Plugin for WP

Vulnerability: Missing Authorization
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.16
Recommended Action: Update to version 5.9.16, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.37
Recommended Action: Update to version 3.2.37, or a newer patched version

Plugin: Tainacan

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.21.4
Recommended Action: Update to version 0.21.4, or a newer patched version

Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Vulnerability: Missing Authorization
Patched Version: 1.12.5
Recommended Action: Update to version 1.12.5, or a newer patched version

Plugin: FundEngine – Donation and Crowdfunding Platform

Vulnerability: Missing Authorization
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.13
Recommended Action: Update to version 4.5.13, or a newer patched version

Plugin: KKProgressbar2 Free – advanced progress bars

Vulnerability: Cross-Site Request Forgery to Progress Bar Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Buddyboss Platform

Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Comment on Private Post
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: All-in-One Video Gallery

Vulnerability: Authenticated (Contributor+) Local File Inclusion via aiovg_search_form Shortcode
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.6.1
Recommended Action: Update to version 2.0.6.1, or a newer patched version

Plugin: Zotpress

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 7.3.10
Recommended Action: Update to version 7.3.10, or a newer patched version

Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: PeproDev CF7 Database

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Event Calendar Widget
Patched Version: 3.10.8
Recommended Action: Update to version 3.10.8, or a newer patched version

Plugin: SSL Certificate – Free SSL, HTTPS by SSL Zen

Vulnerability: Sensitive Information Exposure
Patched Version: 4.6.0
Recommended Action: Update to version 4.6.0, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.35
Recommended Action: Update to version 3.2.35, or a newer patched version

Plugin: ARforms

Vulnerability: Unauthenticated Arbitrary File Deletion via Path Traversal
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 10.0
Recommended Action: Update to version 10.0, or a newer patched version

Plugin: Salient Core

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: ARforms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 6.6
Recommended Action: Update to version 6.6, or a newer patched version

Plugin: Woocommerce Support System

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘orderby’
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: YITH WooCommerce Bulk Product Editing

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPZOOM Addons for Elementor (Templates, Widgets)

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.1.38
Recommended Action: Update to version 1.1.38, or a newer patched version

Plugin: Comments Evolved for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Debug Info

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pk Favicon Manager

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version

Plugin: One Click Demo Import

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.29
Recommended Action: Update to version 1.6.29, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.7.2
Recommended Action: Update to version 5.7.2, or a newer patched version

Plugin: Custom Post Type Attachment

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via pdf_attachment Shortcode
Patched Version: 3.4.6
Recommended Action: Update to version 3.4.6, or a newer patched version

Plugin: weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.14.3
Recommended Action: Update to version 1.14.3, or a newer patched version

Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More

Vulnerability: Missing Authorization
Patched Version: 1.6.28
Recommended Action: Update to version 1.6.28, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via custom_attributes
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Thim Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: All-in-One Addons for Elementor – WidgetKit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Base64 Encoder/Decoder

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Timber

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.23.1
Recommended Action: Update to version 1.23.1, or a newer patched version

Plugin: gee Search Plus, improved WordPress search

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.1.30
Recommended Action: Update to version 1.1.30, or a newer patched version

Plugin: AI Popup

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
