Watch Out Wednesday – November 20, 2024

Home » Watch Out Wednesday – November 20, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Hash Elements

Vulnerability: Missing Authorization to Unauthenticated Draft Post Title Exposure
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: Quick Learn

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Dashboard Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Responsive Video

Plugin: ParOne Feeds

Plugin: ESB Testimonials

Plugin: Beaver Builder Addons by WPZOOM

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Box Widget
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: SimpleForm – Contact form made simple

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Listings Pro

Plugin: WE – Client Logo Carousel

Plugin: WP AdCenter – Ad Manager & Adsense Ads

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpadcenter_ad Shortcode
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version

Plugin: Blogger 301 Redirect

Vulnerability: Unauthenticated SQL Injection via br
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BuddyPress Builder for Elementor – BuddyBuilder

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Forms

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Elfsight Telegram Chat CC

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.1.47
Recommended Action: Update to version 3.1.47, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 4.1.17
Recommended Action: Update to version 4.1.17, or a newer patched version

Plugin: Ultimate Flipbox Addon for Elementor

Plugin: SimpleForm Contact Form Submissions

Plugin: DuoGeek – Gutenberg Blocks

Plugin: Weather Atlas Widget

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Arkhe Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.27.0
Recommended Action: Update to version 2.27.0, or a newer patched version

Plugin: Sp*tify Play Button for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.11
Recommended Action: Update to version 2.11, or a newer patched version

Plugin: AzonBox

Plugin: 3DPrint Lite

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: GDPR-Extensions-com – Consent Manager

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Product Delivery Date for WooCommerce – Lite

Vulnerability: Lite <= 2.8.0
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Inline Click To Tweet

Plugin: Restaurant Menu – Food Ordering System – Table Reservation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: Indeed Membership Pro

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 12.8
Recommended Action: Update to version 12.8, or a newer patched version

Plugin: User Management

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Wezido – Elementor Addon Based on Easy Digital Downloads

Plugin: Assist24 Help Desk

Plugin: Classified Listing – Classified ads & Business Directory Plugin

Vulnerability: Authenticated (Subscriber+) Limited Arbitrary Option Update
Patched Version: 3.1.16
Recommended Action: Update to version 3.1.16, or a newer patched version

Plugin: Search order by product SKU for WooCommerce

Plugin: What Would Seth Godin Do

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Clone

Vulnerability: Unauthenticated PHP Object Injection via ‘recursive_unserialized_replace’
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: IA Map Analytics Basic

Plugin: Advanced Personalization

Plugin: B-Banner Slider

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via youzify_media Shortcode
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: TinyCode

Plugin: Popularis Extra

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Push Notifications for WordPress by PushAssist

Plugin: Luzuk Slider

Plugin: Buying Buddy IDX CRM

Vulnerability: Cross-Site Request Forgery to PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ortto

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.21
Recommended Action: Update to version 1.0.21, or a newer patched version

Plugin: TeleAdmin

Plugin: Post By Email

Plugin: System Dashboard

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.8.15
Recommended Action: Update to version 2.8.15, or a newer patched version

Plugin: Music Player for Elementor – Audio Player & Podcast Player

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Template Import
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 4.8.5
Recommended Action: Update to version 4.8.5, or a newer patched version

Plugin: Websand Subscription Form

Plugin: Login using WordPress Users ( WP as SAML IDP )

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.15.7
Recommended Action: Update to version 1.15.7, or a newer patched version

Plugin: Buy one click WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Export
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lis Video Gallery

Plugin: CRM 2go – Formulario de contacto

Plugin: CDI – Collect and Deliver Interface for Woocommerce

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload
Patched Version: 5.5.6
Recommended Action: Update to version 5.5.6, or a newer patched version

Plugin: 404 Solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.35.20
Recommended Action: Update to version 2.35.20, or a newer patched version

Plugin: Share Buttons – Social Media

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OS BXSlider

Plugin: WP Chat App

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation
Patched Version: 3.6.9
Recommended Action: Update to version 3.6.9, or a newer patched version

Plugin: PJW Mime Config

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Edwiser Bridge – WordPress Moodle LMS Integration

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: WPHelpful

Plugin: Social Locker – Increase Traffic

Plugin: WordPress Video Robot – The Ultimate Video Importer

Vulnerability: Authenticated (Subscriber+) Privilege Escalation via User Meta Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MDC YouTube Downloader

Plugin: LUNA RADIO PLAYER

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.24.11.15
Recommended Action: Update to version 6.24.11.15, or a newer patched version

Plugin: Convert Docx2post

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yotpo: Product & Photo Reviews for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.10
Recommended Action: Update to version 1.7.10, or a newer patched version

Plugin: Team Rosters

Plugin: WP Ultimate Review

Vulnerability: IP Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dynamic Post Grid Elementor Addon

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: WP e-Commerce Style Email

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Author+) Sensitive Information Exposure to Privilege Escalation
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version

Plugin: Banner System

Vulnerability: Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mapme

Plugin: Leopard – WordPress Offload Media

Vulnerability: WordPress offload media <= 2.0.36
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: RSV 360 View

Plugin: HB AUDIO GALLERY

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF Generator Addon for Elementor Page Builder

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

Vulnerability: Unauthentiated Stored Cross-Site Scripting via Form File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Google Maps Widget
Patched Version: 1.7.1002
Recommended Action: Update to version 1.7.1002, or a newer patched version

Plugin: Save as PDF Plugin by Pdfcrowd

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version

Plugin: codeSnips

Plugin: Luzuk Team

Plugin: Indeed Membership Pro

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 12.8
Recommended Action: Update to version 12.8, or a newer patched version

Plugin: Map Store Locator

Plugin: Adventure Bucket List

Plugin: WP Popup Window Maker

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Carousel Shortcode

Plugin: Mapster WP Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Bamboo Enquiries

Plugin: LeadBoxer

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure
Patched Version: 10.0.2
Recommended Action: Update to one of the following versions, or a newer patched version: 10.0.2, 10.1.2, 10.2.3, 10.3.2, 10.4.2, 10.5.3, 10.6.2, 10.7.2, 10.8.2, 10.9.3, 11.0.2, 11.1.4, 11.2.2, 11.3.4, 11.4.2, 11.5.3, 11.6.2, 11.7.3, 11.8.6, 11.9.3, 12.0.2, 12.1.2, 12.2.2, 12.3.1, 12.4.1, 12.5.1, 12.6.3, 12.7.2, 12.8.2, 12.9.4, 13.0.1, 13.1.4, 13.2.3, 13.3.2, 13.4.4, 13.5.1, 13.6.1, 13.7.1, 13.8.2, 13.9.1, 3.9.10, 4.0.7, 4.1.4, 4.2.5, 4.3.5, 4.4.5, 4.5.3, 4.6.3, 4.7.4, 4.8.5, 4.9.3, 5.0.3, 5.1.4, 5.2.5, 5.3.4, 5.4.4, 5.5.5, 5.6.5, 5.7.5, 5.8.4, 5.9.4, 6.0.4, 6.1.5, 6.2.5, 6.3.7, 6.4.6, 6.5.4, 6.6.5, 6.7.4, 6.8.5, 6.9.4, 7.0.5, 7.1.5, 7.2.5, 7.3.5, 7.4.5, 7.5.7, 7.6.4, 7.7.6, 7.8.4, 7.9.4, 8.0.3, 8.1.4, 8.2.6, 8.3.3, 8.4.5, 8.5.3, 8.6.4, 8.7.4, 8.8.5, 8.9.4, 9.0.5, 9.1.3, 9.2.4, 9.3.5, 9.4.4, 9.5.5, 9.6.4, 9.7.3, 9.8.3, 9.9.3

Plugin: Hide Links

Vulnerability: Unauthenticated Shortcode Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PF Timer

Plugin: OS Our Team

Plugin: Simple Pricing Table

Plugin: Disable Admin Notices individually

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Posts Search

Plugin: WP Githuber MD – WordPress Markdown Editor

Plugin: WP Activity Log

Vulnerability: Unauthenticated Stored Cross-Site Scripting via User_id Parameter
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: Simple Side Tab

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Minical Hotel Booking Plugin

Plugin: Pay With Stripe – Your WordPress Payments Stripe Gateway

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.8
Recommended Action: Update to version 6.0.8, or a newer patched version

Plugin: WP Quick Setup

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin/Theme Installation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Surfer – WordPress Plugin

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.6.0.523
Recommended Action: Update to version 1.6.0.523, or a newer patched version

Plugin: Youneeq Recommendations

Plugin: Icon Widget

Plugin: AchillesTheme-shortcodes

Plugin: Social Proof (Testimonial) Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via spslider-block Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Missing Authorization to Project Milestone and Task Creation/Deletion
Patched Version: 2.6.15
Recommended Action: Update to version 2.6.15, or a newer patched version

Plugin: best bootstrap widgets for elementor

Plugin: Gboy Custom Google Map

Plugin: AtaraPay WooCommerce Payment Gateway

Plugin: Simplistic SEO

Plugin: My Restaurant Menu

Plugin: Website remote Install vor Gravity, WPForms, Formidable, Ninja, Caldera

Plugin: All Post Contact Form

Plugin: Be Shortcodes

Plugin: Infinite Slider

Plugin: amr shortcodes

Plugin: SVT Simple

Plugin: SK WP Settings Backup

Plugin: Saragna – Social Stream WordPress

Plugin: Explara Events

Plugin: Alert Me!

Plugin: LUNA RADIO PLAYER

Vulnerability: Unauthenticated Arbitrary File Read
Patched Version: 6.24.11.07
Recommended Action: Update to version 6.24.11.07, or a newer patched version

Plugin: NV Slider

Plugin: Writer Helper

Plugin: Ultimate Accordion

Plugin: OpenCart Product Display

Plugin: Fancy User List

Plugin: OSM – OpenStreetMap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.1.3
Recommended Action: Update to version 6.1.3, or a newer patched version

Plugin: Tigris Flexplatform

Plugin: Parallax Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via position Parameter
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: SimpleGMaps

Plugin: Featured product by category name

Plugin: Awesome Fitness Testimonials

Plugin: Photographer Connections

Plugin: 404 Error Monitor

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update via updatePluginSettings Function
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.39.5
Recommended Action: Update to version 3.39.5, or a newer patched version

Plugin: Razorpay Payment Button Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Estatik Mortgage Calculator

Plugin: Library Bookshelves

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: VP Sitemap

Plugin: LIQUID BLOCKS – Slider, Carousel, Accordion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Keymaster Chord Notation Free

Plugin: Ultimate Classified Listings

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Page With Google Map

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Ribbon Shortcode

Plugin: Topbar ID for Elementor

Plugin: Boombox Shortcode Plugin

Plugin: The Novel Design Store Directory

Plugin: Community Yard Sale

Plugin: Kings Tab Slider

Plugin: Creative Blocks – Ultimate Blocks for Gutenberg

Plugin: de:branding

Plugin: Embed documents shortcode

Plugin: Gallery Manager

Plugin: Drozd – Addons for Elementor

Plugin: Google for WooCommerce

Vulnerability: Information Disclosure via Publicly Accessible PHP Info File
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: LeanPress

Plugin: Edwiser Bridge – WordPress Moodle LMS Integration

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: CF7 Reply Manager

Plugin: Extensions for Elementor

Plugin: System Dashboard

Vulnerability: Authenticated (Admin+) Arbitrary File Read
Patched Version: 2.8.15
Recommended Action: Update to version 2.8.15, or a newer patched version

Plugin: User registration & user profile – UserPlus

Plugin: yPHPlista

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Vulnerability: Cross-Site Request Forgery (CSRF) to Plugin’s Log Deletion
Patched Version: 1.9.2.1
Recommended Action: Update to version 1.9.2.1, or a newer patched version

Plugin: Stylish Internal Links

Plugin: Ekiline Block Collection

Plugin: Boostify Header Footer Builder for Elementor

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Dynamic URL SEO

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Cookie Consent’
Patched Version: 5.10.3
Recommended Action: Update to version 5.10.3, or a newer patched version

Plugin: Geoportail Shortcode

Plugin: scrollup

Plugin: AI Responsive Gallery Album

Plugin: Экспресс Платежи платежный модуль

Vulnerability: Unauthenticated SQL Injection via type_id
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Parallaxer – Parallax Effect on Content

Plugin: Social button

Plugin: Copy Anything to Clipboard

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: WP Contest

Plugin: Open edX LMS and WordPress integrator (LITE)

Plugin: Hacklog DownloadManager

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Text Advertisements

Plugin: SVGPlus

Plugin: Faltu Testimonial Rotator

Plugin: CRM WordPress Plugin – RepairBuddy

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.8116
Recommended Action: Update to version 3.8116, or a newer patched version

Plugin: OS Pricing Tables

Plugin: Mobile Kiosk

Plugin: SVG Block

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.25
Recommended Action: Update to version 1.1.25, or a newer patched version

Plugin: WordPress Bootscraper

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Plenigo

Plugin: wp_automatic_widget

Plugin: Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme

Plugin: Really Simple Security Pro multisite

Vulnerability: 9.1.1.1
Patched Version: 9.1.2
Recommended Action: Update to version 9.1.2, or a newer patched version

Plugin: Brand my Footer

Plugin: Rig Elements For Elementor

Plugin: Hola Free Video Player

Plugin: News Ticker

Plugin: nBlocks – Responsive Gutenberg News Blocks

Plugin: Ads Booster by Ads Pro

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Postcasa Shortcode

Plugin: Gallerio

Plugin: Mage Front End Forms

Plugin: PT Addons for Elementor Lite

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CSV to html

Plugin: EventPress

Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sonaar_audioplayer Shortcode
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: NIX Anti-Spam Light

Plugin: RSV PDF Preview

Plugin: WDES Responsive Mobile Menu

Plugin: Exclusive Content Password Protect

Plugin: Postify: Post Layout For Elementor

Plugin: Xpresslane Fast Checkout

Plugin: SV Forms

Plugin: Persian Nested Show/Hide Text

Plugin: Getwid – Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.13
Recommended Action: Update to version 2.0.13, or a newer patched version

Plugin: Testimonial Slider Shortcode

Plugin: Smooth Maps

Plugin: WP MMenu Lite

Plugin: WooCommerce Price Alert

Plugin: User Password Reset

Plugin: Fast Video and Image Display

Plugin: GoQSmile

Plugin: Salon Booking System

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 10.9.4
Recommended Action: Update to version 10.9.4, or a newer patched version

Plugin: Olympus Shortcodes

Plugin: Document & Data Automation

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Awesome Tool Tip

Plugin: TM Islamic Helper

Plugin: Redirecter

Plugin: Razorpay Payment Button Elementor Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: AFI – The Easiest Integration Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.92.1
Recommended Action: Update to version 1.92.1, or a newer patched version

Plugin: Elementor Portfolio Builder

Plugin: Image Classify

Plugin: Tutor LMS Elementor Addons

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Referrer Detector

Plugin: Geolocator

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 0.9.108
Recommended Action: Update to version 0.9.108, or a newer patched version

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.5
Recommended Action: Update to version 4.7.5, or a newer patched version

Plugin: Luzuk Testimonials

Plugin: Browsing History

Plugin: WP-Strava

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Visual Adverts

Plugin: WordPress GDPR

Vulnerability: Missing Authorization to Unauthenticated Arbitrary User Deletion
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary User Meta Deletion
Patched Version: 5.9.3.7
Recommended Action: Update to version 5.9.3.7, or a newer patched version

Plugin: Location Click Map

Plugin: Wc Recently viewed products

Plugin: WordPress User Extra Fields

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 16.7
Recommended Action: Update to version 16.7, or a newer patched version

Plugin: MailChimp Forms by MailMunch

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Advanced Order Export For WooCommerce

Vulnerability: Unauthenticated PHP Object Injection via Order Details
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version

Plugin: Pro Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Styler for Ninja Forms

Vulnerability: Authenticated (Subscriber+) Arbitrary Option Deletion via deactivate_license
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Web Stories Widgets For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: WP-Basics

Plugin: Sales Page Addon – Elementor & Beaver Builder

Plugin: imPress

Plugin: Kognetiks Chatbot for WordPress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Assistant Addition
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Premium Packages – Sell Digital Products Securely

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IntelliWidget Elements

Plugin: Woo Manage Fraud Orders

Vulnerability: Unauthenticated Information Exposure via Log Files
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: L Squared Hub WP – Virtual Device Plugin

Plugin: WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup

Vulnerability: Unauthenticated Arbitrary Shortcode Execution via wpb_pcf_fire_contact_form
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 1.7.1002
Recommended Action: Update to version 1.7.1002, or a newer patched version

Plugin: SrcSet Responsive Images for WordPress

Plugin: Multifox Plus

Plugin: GoQMieruca

Plugin: Simple Modal

Plugin: Semantic Shortcode

Plugin: audioCase

Plugin: GreenCon – Table, Listing, Marketing builder for Gutenberg

Plugin: WordPress User Extra Fields

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 16.7
Recommended Action: Update to version 16.7, or a newer patched version

Plugin: Buy one click WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Order Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ra_qrcode

Plugin: Responsive Filterable Portfolio

Vulnerability: Server-Side Request Forgery
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version

Plugin: Linear

Plugin: Post Ideas

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Opal Woo Custom Product Variation

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Wd-image-magnifier-xoss

Plugin: Easy Social Sharebar

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.8.31
Recommended Action: Update to version 1.8.31, or a newer patched version

Plugin: Steel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via btn Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Agenda

Plugin: WordPress Video Robot – The Ultimate Video Importer

Vulnerability: The Ultimate Video Importer <= 1.20.0
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.15.8
Recommended Action: Update to version 4.15.8, or a newer patched version

Plugin: Fabrica Synced Pattern Instances

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Buy one click WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Import
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress BasePress Migration Tools

Plugin: HTML5 Lyrics Karaoke Player

Plugin: WP PagSeguro Payments

Plugin: Sell Media File with Stripe

Plugin: Surbma | Font Awesome

Plugin: Indeed Membership Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 12.8
Recommended Action: Update to version 12.8, or a newer patched version

Plugin: Beacon For Help Scout

Plugin: WooCommerce Upload Files

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 84.4
Recommended Action: Update to version 84.4, or a newer patched version

Plugin: wp-login customizer

Plugin: Responsive Data Table

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Unauthenticated Arbitrary Shortcode Execution via gamipress_get_user_earnings
Patched Version: 7.1.6
Recommended Action: Update to version 7.1.6, or a newer patched version

Plugin: Advanced Video Player with Analytics

Plugin: BulkPress

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Form Builder Widget
Patched Version: 1.7.1002
Recommended Action: Update to version 1.7.1002, or a newer patched version

Plugin: BU Slideshow

Plugin: Realty by BestWebSoft

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Posts Filter

Plugin: Full Screen (Page) Background Image Slideshow

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress GDPR

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Custom URL Shortener

Plugin: drop in image slideshow gallery

Plugin: AA Audio Player

Plugin: Wp Slide Categorywise

Plugin: AJAX Login and Registration modal popup + inline form

Plugin: Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: ConvertCalculator for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id and type Parameter
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: EleForms – All In One Form Integration including DB for Elementor

Plugin: Simple Social Share Block

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Missing Authorization to Unauthenticated Limited Options Update
Patched Version: 4.9.8
Recommended Action: Update to version 4.9.8, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.2.4
Recommended Action: Update to version 7.2.4, or a newer patched version

Plugin: Hide My WP Ghost – Security & Firewall

Vulnerability: Reflected Cross-Site Scripting via URL
Patched Version: 5.3.02
Recommended Action: Update to version 5.3.02, or a newer patched version

Plugin: Ultimate Classified Listings

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Virtual Room Configurator

Plugin: Multi-day Booking Calendar

Plugin: LearnPress Export Import – WordPress extension for LearnPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 3.5.16
Recommended Action: Update to version 3.5.16, or a newer patched version

Plugin: Admin Amplify

Plugin: Simpul Events by Esotech

Plugin: BeBetter Social Icons

Plugin: WooCommerce Product Table Lite

Vulnerability: Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: AJAX Random Posts

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version

Plugin: Gps Plotter

Plugin: Popup Image

Plugin: My Geo Posts Free

Plugin: Estatik Mortgage Calculator

Plugin: Kognetiks Chatbot for WordPress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Assistant Update
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Pdf Embedder Fay

Plugin: Email Template Customizer for WooCommerce

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 1.2.9.2
Recommended Action: Update to version 1.2.9.2, or a newer patched version

Plugin: Magic Slider

Plugin: GPX Viewer

Vulnerability: Authenticated (Subscriber+) Arbitrary File Creation
Patched Version: 2.2.10
Recommended Action: Update to version 2.2.10, or a newer patched version

Plugin: Provide Forex Signals

Plugin: AgendaPress – Easily Publish Meeting Agendas and Programs on WordPress

Plugin: Bitcoin Payments

Plugin: Bounce Handler MailPoet 3

Plugin: Combo WP Rewrite Slugs

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: File Select Control For Elementor

Plugin: Banner System

Plugin: Anant Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: External Database Based Actions

Vulnerability: Authenticated (Subscriber+) Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chartify – WordPress Chart Plugin

Vulnerability: Unauthenticated Local File Inclusion via source
Patched Version: 2.9.6
Recommended Action: Update to version 2.9.6, or a newer patched version

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Option Deletion
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version

Plugin: Kognetiks Chatbot for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: 404 Solution

Vulnerability: Missing Authentication to Sensitive Information Exposure
Patched Version: 2.35.18
Recommended Action: Update to version 2.35.18, or a newer patched version

Plugin: SVG Case Study

Plugin: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Wawp OTP Verification, Order Notifications, and Country Code Selector for WooCommerce

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 3.0.18
Recommended Action: Update to version 3.0.18, or a newer patched version

Plugin: Utech Spinning Earth

Plugin: Themify Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.6.6
Recommended Action: Update to version 7.6.6, or a newer patched version

Plugin: MultiManager WP – Manage All Your WordPress Sites Easily

Vulnerability: Authentication Bypass via User Impersonation
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Insecure Direct Object Reference to Unauthenticated Authorization Bypass
Patched Version: 2.6.14
Recommended Action: Update to version 2.6.14, or a newer patched version

Plugin: DS CF7 Math Captcha

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: PeproDev WooCommerce Receipt Uploader

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Lewe Bootstrap Visuals

Plugin: Simple Local Avatars

Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Cache Clearing
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Import Cancellation
Patched Version: 5.62.0
Recommended Action: Update to version 5.62.0, or a newer patched version

Plugin: WP Log Viewer

Plugin: Shortcode Collection

Plugin: Awesome Studio

Plugin: Google Visualization Charts

Plugin: Popup by Supsystic

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MailPoet – Newsletters, Email Marketing, and Automation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: Team Showcase and Slider – Team Members Builder

Plugin: Bg Patriarchia BU

Plugin: PT Addons for Elementor Lite

Plugin: Horsemanager

Plugin: QRMenu Restaurant QR Menu Lite

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Moka Get Posts Shortcode

Plugin: News Articles

Plugin: WP Booking Calendar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 10.6.3
Recommended Action: Update to version 10.6.3, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 12.3.21
Recommended Action: Update to version 12.3.21, or a newer patched version

Plugin: Kognetiks Chatbot for WordPress

Vulnerability: Cross-Site Request Forgery to Authenticated (Subscriber+) Assistant Modification
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Uix Slideshow

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Tickets with Ticket Scanner

Vulnerability: Authenticated (Author+) Remote Code Execution
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version

Plugin: Cookie Nonsense for YT

Plugin: WoW Guild Armory Roster

Plugin: UW Freelancer

Plugin: Twitter real time search scrolling

Plugin: Kognetiks Chatbot for WordPress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Assistant Deletion
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 10.6.5
Recommended Action: Update to version 10.6.5, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version

Plugin: Blocks Post Grid

Plugin: LGPD Framework By Data443

Plugin: Email Subscription Popup

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via print_email_subscribe_form Shortcode
Patched Version: 1.2.23
Recommended Action: Update to version 1.2.23, or a newer patched version

Plugin: Christian Science Bible Lesson Subjects

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Chameleoni Jobs

Plugin: Pull This

Plugin: Drop Shadow Boxes

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 1.7.15
Recommended Action: Update to version 1.7.15, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.9.10
Recommended Action: Update to version 2.9.10, or a newer patched version

Plugin: Fediverse Embeds

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Trendy Restaurant Menu – Best Restaurant Plugin for WordPress

Plugin: Aqua SVG Sprite

Plugin: Backup and Staging by WP Time Capsule

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.22.22
Recommended Action: Update to version 1.22.22, or a newer patched version

Plugin: Multiple Votes in one page

Plugin: PropertyShift

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.

About the Author

Odell Duppins Jr

Well qualified professional with plenty of hands on experience with various technologies. Excellent analytical and troubleshooting skills with a keen ability of developing and/or simplifying processes by finding and developing new innovative solutions.