Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Call / Contact Button
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version
Plugin: Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit
Vulnerability: Missing Authorization
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version
Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Bookmark URL
Patched Version: 1.15.5
Recommended Action: Update to version 1.15.5, or a newer patched version
Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: ENL Newsletter
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Justify
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: AnnounceKit
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MaxGalleria
Vulnerability: Missing Authorization
Patched Version: 6.4.3
Recommended Action: Update to version 6.4.3, or a newer patched version
Plugin: Send PDF for Contact Form 7
Vulnerability: Missing Authorization
Patched Version: 1.0.2.4
Recommended Action: Update to version 1.0.2.4, or a newer patched version
Plugin: Country State City Dropdown CF7
Vulnerability: Missing Authorization
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: Import WP – Export and Import CSV and XML files to WordPress
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 2.13.1
Recommended Action: Update to version 2.13.1, or a newer patched version
Plugin: Custom Field Suite
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Missing Authorization
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version
Plugin: ConvertPlus
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Patched Version: 3.5.26
Recommended Action: Update to version 3.5.26, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.21.2
Recommended Action: Update to version 3.21.2, or a newer patched version
Plugin: Matterport Shortcode
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Ditty – Responsive News Tickers, Sliders, and Lists
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 3.1.39
Recommended Action: Update to version 3.1.39, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘size’
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.35
Recommended Action: Update to version 1.1.35, or a newer patched version
Plugin: BlogLentor – Blog Designer Pack for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Sharing Plugin – Social Warfare
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.6.2
Recommended Action: Update to version 4.4.6.2, or a newer patched version
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Path Traversal
Patched Version: 2.12.7
Recommended Action: Update to version 2.12.7, or a newer patched version
Plugin: Simple Image Popup
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Disabler
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: Smart Maintenance Mode
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory
Vulnerability: Authenticated (Shop Manager+) Arbitrary Options Update
Patched Version: 4.9.0
Recommended Action: Update to version 4.9.0, or a newer patched version
Plugin: Business Card
Vulnerability: Cross-Site Request Forgery to Arbitrary Card Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Restaurant Table Booking
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Video Conferencing with Zoom
Vulnerability: Open Redirect
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version
Plugin: Drag and Drop Multiple File Upload – Contact Form 7
Vulnerability: Sensitive Information Exposure
Patched Version: 1.3.7.8
Recommended Action: Update to version 1.3.7.8, or a newer patched version
Plugin: Enhanced Media Library
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.8.10
Recommended Action: Update to version 2.8.10, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 7.1.9
Recommended Action: Update to version 7.1.9, or a newer patched version
Plugin: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder
Vulnerability: Authenticated (Contributor+) DOM-Based Cross-Site Scripting
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version
Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.
Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy
Vulnerability: Authenticated (Author+) Arbitrary Options Update
Patched Version: 6.1.1
Recommended Action: Update to version 6.1.1, or a newer patched version
Plugin: Hide Dashboard Notifications
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: PDF Invoices & Packing Slips for WooCommerce
Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version
Plugin: Stockholm Core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Authenticated (Subscriber+) Arbitrary Folder Name Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms
Vulnerability: Cross-Site Request Forgery (CSRF) via sfs_process
Patched Version: 2024.5
Recommended Action: Update to version 2024.5, or a newer patched version
Plugin: Video Gallery – Api Gallery, YouTube and Vimeo, Link Gallery
Vulnerability: Missing Authorization
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.16
Recommended Action: Update to version 5.9.16, or a newer patched version
Plugin: Solid Affiliate
Vulnerability: Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action
Patched Version: 2.6.9.5
Recommended Action: Update to version 2.6.9.5, or a newer patched version
Plugin: Simple Basic Contact Form
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 20240502
Recommended Action: Update to version 20240502, or a newer patched version
Plugin: Viet Nam Affiliate
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.18
Recommended Action: Update to version 5.9.18, or a newer patched version
Plugin: Piotnet Addons For Elementor Pro
Vulnerability: Missing Authorization to Arbitrary Post/Page Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Recencio Book Reviews
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Missing Authorization to Information Exposure
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version
Plugin: WooCommerce Amazon Affiliates – WordPress Plugin
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Missing Authorization via purchased_new_products
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: SKT Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Page Title
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: Login with phone number
Vulnerability: Missing Authorization
Patched Version: 1.7.20
Recommended Action: Update to version 1.7.20, or a newer patched version
Plugin: Move Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery & Interactive Circle
Patched Version: 5.9.16
Recommended Action: Update to version 5.9.16, or a newer patched version
Plugin: Social Connect
Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.
Vulnerability: Missing Authorization
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
Vulnerability: Missing Authorization to Unauthenticated Google Analytics Tracking ID Modification
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version
Plugin: PDF Invoices & Packing Slips for WooCommerce
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version
Plugin: Auto Affiliate Links
Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 6.4.4
Recommended Action: Update to version 6.4.4, or a newer patched version
Plugin: Adsmonetizer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: MainWP Child Reports
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Mhr Post Ticker
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
Patched Version: 2.6.9.4
Recommended Action: Update to version 2.6.9.4, or a newer patched version
Plugin: Auto Featured Image (Auto Post Thumbnail)
Vulnerability: Authenticated (Author+) Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Link Library
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via link-library Shortcode
Patched Version: 7.7
Recommended Action: Update to version 7.7, or a newer patched version
Plugin: Web Push Notifications – Webpushr
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.36.0
Recommended Action: Update to version 4.36.0, or a newer patched version
Plugin: Piotnet Addons For Elementor Pro
Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Flip Carousel, Flip Box, Post Grid, and Taxonomy List Widget Attributes
Patched Version: 1.3.972
Recommended Action: Update to version 1.3.972, or a newer patched version
Plugin: WebToffee WP Backup and Migration
Vulnerability: Missing Authorization to Directory Traversal
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version
Plugin: BuddyPress
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 12.4.1
Recommended Action: Update to version 12.4.1, or a newer patched version
Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Freshdesk (official)
Vulnerability: Open Redirect
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: Ghost
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Ultimate Blocks – WordPress Blocks Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Heading
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version
Plugin: Colibri Page Builder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.0.264
Recommended Action: Update to version 1.0.264, or a newer patched version
Plugin: Responsive Gallery Grid
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.14
Recommended Action: Update to version 2.3.14, or a newer patched version
Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TT Custom Post Type Creator
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.29
Recommended Action: Update to version 4.10.29, or a newer patched version
Plugin: Element Pack Pro – Addon for Elementor Page Builder WordPress Plugin
Vulnerability: Authenticated (Contributor+) Arbitrary File Read and PHAR Deserialization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Contact Forms by Cimatti
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Startklar Elementor Addons
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.7.14
Recommended Action: Update to version 1.7.14, or a newer patched version
Plugin: Ditty – Responsive News Tickers, Sliders, and Lists
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.1.36
Recommended Action: Update to version 3.1.36, or a newer patched version
Plugin: Better Elementor Addons
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Advanced Most Recent Posts Mod
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sheets to WP Table Live Sync | Google Sheets Table Plugin for WordPress with Spreadsheet Integration – FlexTable
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: WP Datepicker
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: Salon Booking System
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Email Settings
Patched Version: 9.6.6
Recommended Action: Update to version 9.6.6, or a newer patched version
Plugin: Brozzme Scroll Top
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jeg Elementor Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via JKit
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version
Plugin: ACF On-The-Go
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cookie Information | Free GDPR Consent Solution
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Knowledge Base documentation & wiki plugin – BasePress Docs
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.16.2.1
Recommended Action: Update to version 2.16.2.1, or a newer patched version
Plugin: Jeg Elementor Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version
Plugin: Zero Spam for WordPress
Vulnerability: Spam Protection Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘arrow_style’
Patched Version: 4.10.29
Recommended Action: Update to version 4.10.29, or a newer patched version
Plugin: WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder
Vulnerability: Missing Authorization to Rating Manipulation
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: Better Comments
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: Assistant – Every Day Productivity Apps
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.4.9.2
Recommended Action: Update to version 1.4.9.2, or a newer patched version
Plugin: Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Deletion
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.4.1.9
Recommended Action: Update to version 1.4.1.9, or a newer patched version
Plugin: Image Hover Effects – Elementor Addon
Vulnerability: Elementor Addon <= 1.4.1
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: SimpleShop
Vulnerability: Missing Authorization
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version
Plugin: WP ULike – All-in-One Engagement Toolkit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version
Plugin: Yoast SEO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 22.6
Recommended Action: Update to version 22.6, or a newer patched version
Plugin: ShareThis Dashboard for Google Analytics
Vulnerability: Missing Authorization
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: Advanced Ads – Ad Manager & AdSense
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Ad Widget
Patched Version: 1.52.2
Recommended Action: Update to version 1.52.2, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.15.5
Recommended Action: Update to version 4.15.5, or a newer patched version
Plugin: IDonate – Blood Donation, Request And Donor Management System
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Sticky Social Link
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.31
Recommended Action: Update to version 4.10.31, or a newer patched version
Plugin: Mesmerize Companion
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mesmerize_contact_form Shortcode
Patched Version: 1.6.149
Recommended Action: Update to version 1.6.149, or a newer patched version
Plugin: Inline Google Spreadsheet Viewer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion/FAQ
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version
Plugin: Flattr
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementsReady Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.0
Recommended Action: Update to version 5.9.0, or a newer patched version
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via LaStudioKit Post Author Widget
Patched Version: 1.3.7.6
Recommended Action: Update to version 1.3.7.6, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via _id
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: Simple Membership
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version
Plugin: Swift Framework
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Latest Posts
Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 5.0.8
Recommended Action: Update to version 5.0.8, or a newer patched version
Plugin: Soccer Engine – Soccer Plugin for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: Better Elementor Addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Piotnet Addons For Elementor Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Subway – Private Site Option
Vulnerability: Improper Access Control to Sensitive Information Exposure via REST API
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ClickCease Click Fraud Protection
Vulnerability: Improper Authorization to sensitive information exposure via get_settings
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: XforWooCommerce
Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DS Site Message
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: eRoom – Zoom Meetings & Webinars
Vulnerability: Missing Authorization to Information Exposure
Patched Version: 1.4.19
Recommended Action: Update to version 1.4.19, or a newer patched version
Plugin: WPZOOM Addons for Elementor (Templates, Widgets)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.36
Recommended Action: Update to version 1.1.36, or a newer patched version
Plugin: ElementsKit Elementor addons
Vulnerability: Authenticated (Contributor+) Local File Inclusion via Onepage Scroll Module
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Plugin: Five Star Restaurant Reservations – WordPress Booking Plugin
Vulnerability: Missing Authorization
Patched Version: 2.6.17
Recommended Action: Update to version 2.6.17, or a newer patched version
Plugin: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.12.9
Recommended Action: Update to version 3.12.9, or a newer patched version
Plugin: Woo Total Sales
Vulnerability: Missing Authorization to Unauthenticated Sales Report Retrieval
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Alt Text AI – Automatically generate image alt text for SEO and accessibility
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Regenerate post permalink
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Missing Authorization
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version
Plugin: Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Blocks, and Elementor Widgets)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via pagingType Parameter
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version
Plugin: SVS Pricing Tables
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Meta – User Profile Builder and User management plugin
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Configure Login Timeout
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Piotnet Addons For Elementor Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Vulnerability: Unauthenticated Price Manipulation
Patched Version: 1.8.8.2
Recommended Action: Update to version 1.8.8.2, or a newer patched version
Plugin: Edwiser Bridge – WordPress Moodle LMS Integration
Vulnerability: Authentication Bypass due to Missing Empty Value Check
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wprm-recipe-roundup-item Shortcode
Patched Version: 9.4.0
Recommended Action: Update to version 9.4.0, or a newer patched version
Plugin: Rescue Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Freshdesk (official)
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: EleForms – All In One Form Integration including DB for Elementor
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 2.9.9.8
Recommended Action: Update to version 2.9.9.8, or a newer patched version
Plugin: Hostel
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.5.4
Recommended Action: Update to version 1.1.5.4, or a newer patched version
Plugin: QuickieBar
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Job Manager
Vulnerability: Unauthenticated Information Exposure
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.14.4
Recommended Action: Update to version 3.14.4, or a newer patched version
Plugin: Vitepos – Point of sale (POS) plugin for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: Mihdan: Yandex Turbo Feed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: WP Favorite Posts
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Page Post Widget Clone
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pootle Pagebuilder – WordPress Page builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stockholm Core
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: Shared Files – Frontend File Upload Form & Secure File Sharing
Vulnerability: Missing Authorization
Patched Version: 1.7.20
Recommended Action: Update to version 1.7.20, or a newer patched version
Plugin: PeproDev Ultimate Invoice
Vulnerability: Missing Authorization
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: WooCommerce Amazon Affiliates – WordPress Plugin
Vulnerability: WordPress Plugin <= 14.0.10
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Text Effect Widget
Patched Version: 1.1.38
Recommended Action: Update to version 1.1.38, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Expired Title
Patched Version: 2.6.9.5
Recommended Action: Update to version 2.6.9.5, or a newer patched version
Plugin: Counter Up – Animated Number Counter & Milestone Showcase
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: EPROLO Dropshipping
Vulnerability: Missing Authorization
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Dynamics 365 Integration
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.3.18
Recommended Action: Update to version 1.3.18, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Missing Authorization
Patched Version: 1.8.21
Recommended Action: Update to version 1.8.21, or a newer patched version
Plugin: SVS Pricing Tables
Vulnerability: Cross-Site Request Forgery to Pricing Table Edit/Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Better Comments
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: Annual Archive
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Royal Elementor Addons and Templates
Vulnerability: Unauthenticated Limited File Upload
Patched Version: 1.3.95
Recommended Action: Update to version 1.3.95, or a newer patched version
Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
Vulnerability: Missing Authorization
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version
Plugin: WPCS ( WordPress Custom Search )
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MF Gig Calendar
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate 410 Gone Status Code
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates
Vulnerability: Missing Authorization
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version
Plugin: Customify Site Library
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MailerLite – Signup forms (official)
Vulnerability: 1.7.6
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Open Redirect
Patched Version: 4.0.31
Recommended Action: Update to version 4.0.31, or a newer patched version
Plugin: Easy Set Favicon
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Stack Group, Photo Stack, & Horizontal Timeline
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version
Plugin: Header Footer Code Manager Pro
Vulnerability: Reflected Cross-Site Scripting via message
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version
Plugin: Slider Revolution
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via htmltag Parameter
Patched Version: 6.7.8
Recommended Action: Update to version 6.7.8, or a newer patched version
Plugin: Radio Station by netmix® – Manage and play your Show Schedule in WordPress!
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: WP etracker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Swift Framework
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Content Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile
Vulnerability: Missing Authorization to Unauthenticated Media Deletion
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version
Plugin: XML Sitemap & Google News
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: ENL Newsletter
Vulnerability: Cross-Site Request Forgery to Campaign Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smart Forms – when you need more than just a contact form
Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 2.6.92
Recommended Action: Update to version 2.6.92, or a newer patched version
Plugin: Easy Custom Auto Excerpt
Vulnerability: Sensitive Information Exposure
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: ADFO – Custom data in admin dashboard
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Lightbox Widget
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Vulnerability: Missing Authorization on Duplicate Post
Patched Version: 2.0.5.6
Recommended Action: Update to version 2.0.5.6, or a newer patched version
Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
Vulnerability: Missing Authorization
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.72
Recommended Action: Update to version 3.72, or a newer patched version
Plugin: ElementsKit Elementor addons
Vulnerability: 3.1.2
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Authenticated (AccountingManager+) SQL Injection
Patched Version: 1.13.2
Recommended Action: Update to version 1.13.2, or a newer patched version
Plugin: Easy Affiliate Links
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version
Plugin: WordPress Ad Widget
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ParcelPanel (Free to install) – Shipment Tracking, Tracking, and Order Tracking for WooCommerce
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.9.0
Recommended Action: Update to version 3.9.0, or a newer patched version
Plugin: Featured Content Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.218
Recommended Action: Update to version 1.0.218, or a newer patched version
Plugin: AI Engine
Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: 2.2.70
Recommended Action: Update to version 2.2.70, or a newer patched version
Plugin: Shared Counts – Social Media Share Buttons
Vulnerability: Missing Authorization to Arbitrary Email Sending
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: SimpleShop
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version
Plugin: Gold Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Tooltip & Popover Widget
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Contact Form 7 Database Addon – CFDB7
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.1.2
Recommended Action: Update to version 2.8.1.2, or a newer patched version
Plugin: SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer
Vulnerability: Missing Authorization
Patched Version: 3.10.3
Recommended Action: Update to version 3.10.3, or a newer patched version
Plugin: Yoga Schedule Momoyoga
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version
Plugin: Pet Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Affiliate Program Suite — SliceWP Affiliates
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version
Plugin: AGCA – Custom Dashboard & Login Page
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 7.2.4
Recommended Action: Update to version 7.2.4, or a newer patched version
Plugin: Visual Footer Credit Remover
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: MailerLite – Signup forms (official)
Vulnerability: Missing Authorization
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: CF7 File Download – File Download for CF7
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Business Card
Vulnerability: Cross-Site Request Forgery to Category Edit
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Startklar Elementor Addons
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 1.7.14
Recommended Action: Update to version 1.7.14, or a newer patched version
Plugin: Frontend Admin by DynamiApps
Vulnerability: Improper Missing Encryption Exception Handling to Form Manipulation
Patched Version: 3.19.5
Recommended Action: Update to version 3.19.5, or a newer patched version
Plugin: Filterable Portfolio
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AWSOM News Announcement
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Insecure Direct Object Reference
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version
Plugin: Table Maker
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version
Plugin: Viet Affiliate Link
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Salon Booking System
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 9.6.6
Recommended Action: Update to version 9.6.6, or a newer patched version
Plugin: KKProgressbar2 Free – advanced progress bars
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Grid Gallery WordPress Plugin
Vulnerability: Unauthenticated Private Post Disclosure
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Tags
Patched Version: 3.10.6
Recommended Action: Update to version 3.10.6, or a newer patched version
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Vulnerability: Unauthenticated Information Exposure
Patched Version: 3.2.19
Recommended Action: Update to version 3.2.19, or a newer patched version
Plugin: Client Dash
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version
Plugin: Colibri Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘colibri_breadcrumb_element’ Shortcode
Patched Version: 1.0.274
Recommended Action: Update to version 1.0.274, or a newer patched version
Plugin: SEOPress – On-site SEO
Vulnerability: Information Exposure
Patched Version: 7.7
Recommended Action: Update to version 7.7, or a newer patched version
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.3.3.3
Recommended Action: Update to version 1.3.3.3, or a newer patched version
Plugin: GDPR Compliance
Vulnerability: Authenticated (Subscriber+) Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE
Vulnerability: Authenticated (Admin+) Cross Site Scripting
Patched Version: 1.4.3.1
Recommended Action: Update to version 1.4.3.1, or a newer patched version
Plugin: Last Viewed Posts by WPBeginner
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Tabellen von faustball.com
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Content Blocks (Custom Post Widget)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: Leaky Paywall
Vulnerability: Missing Authorization to Price Manipulation
Patched Version: 4.20.9
Recommended Action: Update to version 4.20.9, or a newer patched version
Plugin: Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder
Vulnerability: Missing Authorization
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Missing Authorization
Patched Version: 5.8.4
Recommended Action: Update to version 5.8.4, or a newer patched version
Plugin: WordPress Header Builder Plugin – Pearl
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Mooberry Book Manager
Vulnerability: Unauthenticated Information Exposure via Export Files
Patched Version: 4.15.13
Recommended Action: Update to version 4.15.13, or a newer patched version
Plugin: Joli FAQ SEO – WordPress FAQ Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘Countdown’
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Sydney Toolbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.31
Recommended Action: Update to version 1.31, or a newer patched version
Plugin: AGCA – Custom Dashboard & Login Page
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.2.2
Recommended Action: Update to version 7.2.2, or a newer patched version
Plugin: canvasio3D Light
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: Interactive World Maps
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: WooCommerce Amazon Affiliates – WordPress Plugin
Vulnerability: WordPress Plugin <= 14.0.10
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Knowledge Base documentation & wiki plugin – BasePress Docs
Vulnerability: Missing Authorization
Patched Version: 2.16.2.1
Recommended Action: Update to version 2.16.2.1, or a newer patched version
Plugin: Ivory Search – WordPress Search Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Index Creation
Patched Version: 5.5.6
Recommended Action: Update to version 5.5.6, or a newer patched version
Plugin: Testimonial Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Squelch Tabs and Accordions Shortcodes
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.4.8
Recommended Action: Update to version 0.4.8, or a newer patched version
Plugin: Opal Widgets For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘titleTag’
Patched Version: 2.6.10
Recommended Action: Update to version 2.6.10, or a newer patched version
Plugin: EleForms – All In One Form Integration including DB for Elementor
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.9.9.8
Recommended Action: Update to version 2.9.9.8, or a newer patched version
Plugin: Appointment Bookings for Zoom GoogleMeet and more – Wappointment
Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: WP Photo Album Plus
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 8.7.01.002
Recommended Action: Update to version 8.7.01.002, or a newer patched version
Plugin: Custom field finder
Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: 0.4
Recommended Action: Update to version 0.4, or a newer patched version
Plugin: ENL Newsletter
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Age Gate
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version
Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Pet Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: KKProgressbar2 Free – advanced progress bars
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP ULike – All-in-One Engagement Toolkit
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcodes
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version
Plugin: Fancy Product Designer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version
Plugin: Import and export users and customers
Vulnerability: Missing Authorization
Patched Version: 1.26.6
Recommended Action: Update to version 1.26.6, or a newer patched version
Plugin: Forty Four – 404 Plugin for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Business Card
Vulnerability: Cross-Site Request Forgery to Card Edit
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SSU – WordPress Amazon S3 & Wasabi Smart File Uploads Plugin
Vulnerability: Missing Authorization
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Simple Website Banner
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.0.4
Recommended Action: Update to version 1.8.0.4, or a newer patched version
Plugin: Admin and Customer Messages After Order for WooCommerce: OrderConvo
Vulnerability: Missing Authorization to Arbitrary File Upload
Patched Version: 12.5
Recommended Action: Update to version 12.5, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.15.25
Recommended Action: Update to version 1.15.25, or a newer patched version
Plugin: SKT Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Block
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: WP Masquerade
Vulnerability: Authenticated (Subscriber+) Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Save as PDF Plugin by Pdfcrowd
Vulnerability: Missing Authorization
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version
Plugin: WP ULike – All-in-One Engagement Toolkit
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version
Plugin: Property Hive
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Patched Version: 2.0.13
Recommended Action: Update to version 2.0.13, or a newer patched version
Plugin: WP Video Lightbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
Patched Version: 1.9.11
Recommended Action: Update to version 1.9.11, or a newer patched version
Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via User First Name and Last Name
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version
Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.8.3
Recommended Action: Update to version 1.0.8.3, or a newer patched version
Plugin: Payment Gateway Based Fees and Discounts for WooCommerce
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 2.12.2
Recommended Action: Update to version 2.12.2, or a newer patched version
Plugin: Easy Accept Payments via PayPal
Vulnerability: Missing Authorization
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version
Plugin: weDocs – Knowledgebase, Documentation, and Wiki Plugin for WP
Vulnerability: Missing Authorization
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: VOD Infomaniak
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder
Vulnerability: Missing Authorization
Patched Version: 3.7.5
Recommended Action: Update to version 3.7.5, or a newer patched version
Plugin: Admin Bar Editor – Hide Toolbar by User Roles
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version
Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.42
Recommended Action: Update to version 2.4.42, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.14
Patched Version: 5.7.15
Recommended Action: Update to version 5.7.15, or a newer patched version
Plugin: All-in-One Video Gallery
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload via featured image
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: KKProgressbar2 Free – advanced progress bars
Vulnerability: Cross-Site Request Forgery to Progress Bar Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Salon Booking System
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 9.6.6
Recommended Action: Update to version 9.6.6, or a newer patched version
Core: WordPress
Vulnerability: Unauthenticated & Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block
Patched Version: 6.0.8
Recommended Action: Update to one of the following versions, or a newer patched version: 6.0.8, 6.1.6, 6.2.5, 6.3.4, 6.4.4, 6.5.2
Plugin: ADFO – Custom data in admin dashboard
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Zotpress
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 7.3.10
Recommended Action: Update to version 7.3.10, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.59.1
Recommended Action: Update to version 3.59.1, or a newer patched version
Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Vulnerability: Missing Authorization to Information Exposure
Patched Version: 4.3.7
Recommended Action: Update to version 4.3.7, or a newer patched version
Plugin: SVS Pricing Tables
Vulnerability: Cross-Site Request Forgery to Pricing Table Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Time Slots Booking Form
Vulnerability: Unauthenticated Price Manipulation
Patched Version: 1.2.07
Recommended Action: Update to version 1.2.07, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.35
Recommended Action: Update to version 3.2.35, or a newer patched version
Plugin: Breakdance
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via custom postmeta
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: Property Hive
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via InfoBox
Patched Version: 2.6.9.3
Recommended Action: Update to version 2.6.9.3, or a newer patched version
Plugin: Sticky Anything
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPPizza – A Restaurant Plugin
Vulnerability: Missing Authorization
Patched Version: 3.18.11
Recommended Action: Update to version 3.18.11, or a newer patched version
Plugin: Business Card
Vulnerability: Cross-Site Request Forgery to Category Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Follow Us Badges
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpsite_follow_us_badges Shortcode
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version
Plugin: Comments Evolved for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Debug Info
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pk Favicon Manager
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: One Click Demo Import
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: ChatBot Conversational Forms
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Piotnet Addons For Elementor Pro
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.4
Recommended Action: Update to version 1.13.4, or a newer patched version
Plugin: CM Tooltip Glossary
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Vulnerability: Missing Authorization
Patched Version: 7.7.0
Recommended Action: Update to version 7.7.0, or a newer patched version
Plugin: Colibri Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘colibri-gallery-slideshow’ Shortcode
Patched Version: 1.0.274
Recommended Action: Update to version 1.0.274, or a newer patched version
Plugin: Advanced Ads – Ad Manager & AdSense
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.52.2
Recommended Action: Update to version 1.52.2, or a newer patched version
Plugin: InstaWP Connect – 1-click WP Staging & Migration
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 0.1.0.23
Recommended Action: Update to version 0.1.0.23, or a newer patched version
Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 2.16.0
Recommended Action: Update to version 2.16.0, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Missing Authorization to Unauthenticated Limited Options Update
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: Contact Form 7 Extension For Mailchimp
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Thim Elementor Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: All-in-One Addons for Elementor – WidgetKit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: Where Did You Hear About Us Checkout Field for WooCommerce
Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: Missing Authorization to Unauthenticated Email Enumeration
Patched Version: 5.1.9
Recommended Action: Update to version 5.1.9, or a newer patched version
Plugin: Timber
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.23.1
Recommended Action: Update to version 1.23.1, or a newer patched version
Plugin: ConvertPlus
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 3.5.26
Recommended Action: Update to version 3.5.26, or a newer patched version
Plugin: gee Search Plus, improved WordPress search
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Action Network
Vulnerability: No subtitle
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: Click to Chat – HoliThemes
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version
Plugin: FileOrganizer – Manage WordPress and Website Files
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.