Watch Out Wednesday – November 15, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Essential Grid Portfolio – Photo Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Flo Forms – Easy Drag & Drop Form Builder

Vulnerability: Missing Authorization via flo_send_test_email
Patched Version: 1.0.42
Recommended Action: Update to version 1.0.42, or a newer patched version

Plugin: Restaurant & Cafe Addon for Elementor

Vulnerability: Missing Authorization
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Missing Authorization via save_ditty_permissions_check
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version

Plugin: Interactive World Map

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: BSK Contact Form 7 Blacklist

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Japanized For WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Star CloudPRNT for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Missing Authorization
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.28.0
Recommended Action: Update to version 1.28.0, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Multi Step Form

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.13
Recommended Action: Update to version 1.7.13, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.2.3
Recommended Action: Update to version 2.7.2.3, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress

Vulnerability: Sensitive Information Exposure
Patched Version: 20.5.4
Recommended Action: Update to version 20.5.4, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Easy Newsletter Signups

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcodes Finder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: EasyRotator for WordPress – Slider Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Vertical scroll recent post

Vulnerability: Cross-Site Request Forgery via vsrp_admin_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend

Vulnerability: Authenticated (Author+) Privilege Escalation
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version

Plugin: Essential Grid Portfolio – Photo Gallery

Vulnerability: Missing Authorization
Patched Version: 3.0.19
Recommended Action: Update to version 3.0.19, or a newer patched version

Plugin: YOP Poll

Vulnerability: Race Condition to Vote Manipulation
Patched Version: 6.5.27
Recommended Action: Update to version 6.5.27, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.27
Recommended Action: Update to version 3.3.27, or a newer patched version

Plugin: AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 7.3.10
Recommended Action: Update to version 7.3.10, or a newer patched version

Plugin: AMP+ Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LayerSlider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.7.10
Recommended Action: Update to version 7.7.10, or a newer patched version

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 7.6.7
Recommended Action: Update to version 7.6.7, or a newer patched version

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Product Catalog Simple

Vulnerability: Cross-Site Request Forgery via ic_system_status
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Post Pay Counter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.790
Recommended Action: Update to version 2.790, or a newer patched version

Plugin: Sponsors

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.43
Recommended Action: Update to version 3.1.43, or a newer patched version

Plugin: EventON

Vulnerability: Authenticated (Admin+) HTML Injection
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Image Compressor & Optimizer – iLoveIMG

Vulnerability: iLoveIMG <= 1.0.5
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: LuckyWP Scripts Control

Vulnerability: Missing Authorization
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Korea SNS

Vulnerability: Cross-Site Request Forgery via kon_tergos_options
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Events Addon for Elementor

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.6.12
Recommended Action: Update to version 7.6.12, or a newer patched version

Plugin: Word Balloon

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.20.3
Recommended Action: Update to version 4.20.3, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms

Vulnerability: Open Redirect
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Simply Excerpts

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification

Vulnerability: Missing Authorization via dismiss_notice
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version

Plugin: TwitterPosts

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woo Custom and Sequential Order Number

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Footer Putter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Status Notifier Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.11.1
Recommended Action: Update to version 1.11.1, or a newer patched version

Plugin: Permalinks Customizer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: avalex – Automatisch sichere Rechtstexte

Vulnerability: Missing Authorization
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Missing Authorization
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.6.15
Recommended Action: Update to version 6.6.15, or a newer patched version

Plugin: MainWP Dashboard: WordPress Management without the SaaS

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.4.3.4
Recommended Action: Update to version 4.4.3.4, or a newer patched version

Plugin: Ultimate Dashboard – Custom WordPress Dashboard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.44
Recommended Action: Update to version 1.3.44, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: WP Maintenance

Vulnerability: IP Restriction Bypass
Patched Version: 6.1.4
Recommended Action: Update to version 6.1.4, or a newer patched version

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: WP Custom Admin Interface

Vulnerability: Missing Authorization via wpcai_pro_notice_disable
Patched Version: 7.32
Recommended Action: Update to version 7.32, or a newer patched version

Plugin: EasyAzon – Amazon Associates Affiliate Plugin

Vulnerability: Missing Authorization on AJAX actions
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: LayerSlider

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.7.10
Recommended Action: Update to version 7.7.10, or a newer patched version

Plugin: Big File Uploads – Increase Maximum File Upload Size

Vulnerability: Cross-Site Request Forgery via actions
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Swift SMTP (formerly Welcome Email Editor)

Vulnerability: Missing Authorization via ajax_handler
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: Preloader Matrix

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Product Enquiry

Vulnerability: Unauthenticated Self-Based Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: WP Blogs' Planetarium

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mini Cart Drawer For WooCommerce

Vulnerability: Missing Authorization via AJAX
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Youtube SpeedLoad

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Qi Addons For Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Restaurant & Cafe Addon for Elementor

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: WP Not Login Hide (WPNLH)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Conditional Fields for Contact Form 7

Vulnerability: Missing Authorization
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: CodeBard's Patron Button and Widgets for Patreon

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Stripe Payment forms for WordPress – WP Full Pay

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.0.18
Recommended Action: Update to version 7.0.18, or a newer patched version

Plugin: WooCommerce Bookings

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Team Members Showcase

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premmerce Redirect Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via get_inline_svg()
Patched Version: 3.16.5
Recommended Action: Update to version 3.16.5, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Authenticated (Editor+) Directory Traversal
Patched Version: 22.6
Recommended Action: Update to version 22.6, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.24.1
Recommended Action: Update to version 4.24.1, or a newer patched version

Plugin: Plainview Protect Passwords

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ARI Stream Quiz – WordPress Quizzes Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Pz-LinkCard

Vulnerability: Cross-Site Request Forgery via page_cacheman
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Events Addon for Elementor

Vulnerability: Missing Authorization
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.26
Recommended Action: Update to version 3.3.26, or a newer patched version

Plugin: Additional Order Filters for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version

Plugin: Qi Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Plainview Protect Passwords

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: Contact Form – Custom Builder, Payment Form, and More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Hreflang Manager – Hreflang Implementation for International SEO

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.07
Recommended Action: Update to version 1.07, or a newer patched version

Plugin: WP Category Post List Widget

Vulnerability: Cross-Site Request Forgery via gen_set_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Missing Authorization to Arbitrary Attachment Read
Patched Version: 3.16.5
Recommended Action: Update to version 3.16.5, or a newer patched version

Plugin: Namaste! LMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.1.2
Recommended Action: Update to version 2.6.1.2, or a newer patched version

Plugin: EWWW Image Optimizer

Vulnerability: Unauthenticated Sensitive Information Exposure via Debug Log
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator

Vulnerability: Missing Authorization
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Website Optimization – Plerdy

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More

Vulnerability: Missing Authorization via clicked
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 6.6.16
Recommended Action: Update to version 6.6.16, or a newer patched version

Plugin: WooCommerce Product Carousel Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced iFrame

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2023.9
Recommended Action: Update to version 2023.9, or a newer patched version

Plugin: Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version

Plugin: Filr – Secure document library

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 1.2.3.6
Recommended Action: Update to version 1.2.3.6, or a newer patched version

Plugin: Uploading SVG, WEBP and ICO files

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Delete Duplicate Posts

Vulnerability: Missing Authorization via AJAX Actions
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Animator – Scroll Triggered Animations

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 3.0.11
Recommended Action: Update to version 3.0.11, or a newer patched version

Plugin: Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.7.9
Recommended Action: Update to version 9.7.9, or a newer patched version

Plugin: Woocommerce Shipping Canada Post

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Checkout Field Manager (Checkout Manager) for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
