Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: wpForo Forum
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Cross-Site Request Forgery to Sensitive Information Exposure
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: Disable User Login
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Audio Merchant
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.15.0
Recommended Action: Update to version 2.15.0, or a newer patched version
Plugin: Login Lockdown & Protection
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.07
Recommended Action: Update to version 2.07, or a newer patched version
Plugin: WP Mail Log
Vulnerability: Authenticated (Contributor+) SQL Injection via id
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Email Encoder – Protect Email Addresses and Phone Numbers
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Cross-Site Request Forgery via delete
Patched Version: 6.2.0.0
Recommended Action: Update to version 6.2.0.0, or a newer patched version
Plugin: Better RSS Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Autocomplete Location field Contact Form 7
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Auto Affiliate Links
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.2.6
Recommended Action: Update to version 6.4.2.6, or a newer patched version
Plugin: CataBlog
Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BlossomThemes Email Newsletter
Vulnerability: Missing Authorization
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Quttera Web Malware Scanner
Vulnerability: Sensitive Data Exposure
Patched Version: 3.4.2.1
Recommended Action: Update to version 3.4.2.1, or a newer patched version
Plugin: FormCraft – Form Builder
Vulnerability: Missing Authorization via formcraft_nag_update
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Embed Privacy
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: Grab & Save
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bootstrap Shortcodes Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SearchIQ – The Search Solution
Vulnerability: Missing Authorization via getSIQPluginSettings
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Cross-Site Request Forgery via logout()
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version
Plugin: Conditional Fields for Contact Form 7
Vulnerability: Missing Authorization
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
Vulnerability: Missing Authorization via _update_shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Sensitive Information Disclosure via Shortcode
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version
Plugin: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.2.23
Recommended Action: Update to version 2.2.23, or a newer patched version
Plugin: Floating Action Button
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.12.8
Recommended Action: Update to version 1.12.8, or a newer patched version
Plugin: WP Child Theme Generator
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Mondial Relay & Chronopost plugin for WooCommerce – WCMultiShipping
Vulnerability: Missing Authorization to Log Export
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version
Plugin: AppPresser – Mobile App Framework
Vulnerability: Insecure Password Reset Mechanism
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: Abandoned Cart Lite for WooCommerce
Vulnerability: Improper Authorization via wcal_preview_emails
Patched Version: 5.16.1
Recommended Action: Update to version 5.16.1, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute
Patched Version: 8.2.0
Recommended Action: Update to version 8.2.0, or a newer patched version
Plugin: CatalogX – Product Catalog Mode For WooCommerce
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version
Plugin: Abandoned Cart Lite for WooCommerce
Vulnerability: Improper Authorization via wcal_delete_expired_used_coupon_code
Patched Version: 5.16.1
Recommended Action: Update to version 5.16.1, or a newer patched version
Plugin: LWS Hide Login
Vulnerability: Protection Mechanism Bypass
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: Parallax Image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.12.4
Recommended Action: Update to version 2.12.4, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.1.14
Recommended Action: Update to version 8.1.14, or a newer patched version
Plugin: Slider – Ultimate Responsive Image Slider
Vulnerability: Missing Authorization via AJAX action
Patched Version: 3.5.12
Recommended Action: Update to version 3.5.12, or a newer patched version
Plugin: Preloader for Website
Vulnerability: Missing Authorization via plwao_register_settings()
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: 10WebAnalytics
Vulnerability: Missing Authorization via gawd_wd_bp_install_notice_status
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Perfmatters
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Vulnerability: Authenticated (Admin+) Arbitrary OS File Access via Path Traversal
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version
Plugin: Ajax Domain Checker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Add Widgets to Page
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quick Call Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
Vulnerability: Missing Authorization to Template Import
Patched Version: 4.10.1
Recommended Action: Update to version 4.10.1, or a newer patched version
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Missing Authorization via multiple functions
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
Vulnerability: Cross-Site Request Forgery via moveToTrash and fetch_and_insert_template_data
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Missing Authorization
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Missing Authorization to Arbitrary Shortcode Execution via userpro_shortcode_template
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version
Plugin: Grab & Save
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via userpro_save_userdata
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version
Plugin: WP EXtra
Vulnerability: Cross-Site Request Forgery ToolImport
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version
Plugin: Tainacan
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.20.5
Recommended Action: Update to version 0.20.5, or a newer patched version
Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute
Patched Version: 12.8-a.3
Recommended Action: Update to version 12.8-a.3, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.2.3.0
Recommended Action: Update to version 6.2.3.0, or a newer patched version
Plugin: The Events Calendar
Vulnerability: Information Disclosure
Patched Version: 6.2.8.1
Recommended Action: Update to version 6.2.8.1, or a newer patched version
Plugin: Leadster
Vulnerability: Cross-Site Request Forgery via leadster_script_code_action
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: CataBlog
Vulnerability: Authenticated (Editor+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Addon Elements
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.12.8
Recommended Action: Update to version 1.12.8, or a newer patched version
Plugin: Live Preview for Contact Form 7
Vulnerability: Missing Authorization via update_option
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BMI Calculator Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PayTR Taksit Tablosu – WooCommerce
Vulnerability: Missing Authorization
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Bamboo Columns
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Welcart e-Commerce
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.9.6
Recommended Action: Update to version 2.9.6, or a newer patched version
Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Vulnerability: Authenticated (Contributor+) Clickjacking via Iframe Injection
Patched Version: 12.7
Recommended Action: Update to version 12.7, or a newer patched version
Plugin: Perfmatters
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Easy Call Now by ThikShare
Vulnerability: Cross-Site Request Forgery via settings_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Authenticated (Subscriber+) Membership Plan Bypass
Patched Version: 4.0.11
Recommended Action: Update to version 4.0.11, or a newer patched version
Plugin: Theme Editor
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version
Plugin: WP Githuber MD – WordPress Markdown Editor
Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 1.16.3
Recommended Action: Update to version 1.16.3, or a newer patched version
Plugin: Anywhere Flash Embed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quttera Web Malware Scanner
Vulnerability: Authenticated (Administrator+) Directory Traversal via ShowFile
Patched Version: 3.4.2.1
Recommended Action: Update to version 3.4.2.1, or a newer patched version
Plugin: Restaurant & Cafe Addon for Elementor
Vulnerability: Missing Authorization via multiple AJAX functions
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Perfmatters
Vulnerability: Missing Authorization
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Theater for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 0.18.4
Recommended Action: Update to version 0.18.4, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Cross-Site Request Forgery via manual review reminders
Patched Version: 5.38.2
Recommended Action: Update to version 5.38.2, or a newer patched version
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Authentication Bypass to Administrator
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: ARI Stream Quiz – WordPress Quizzes Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: wpMandrill
Vulnerability: Missing Authorization via getAjaxStats
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Acme Fix Images – Regenerate Thumbnails
Vulnerability: Missing Authorization via acme_fix_images_ajax_callback
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.12.8
Recommended Action: Update to version 1.12.8, or a newer patched version
Plugin: Drop Shadow Boxes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.14
Recommended Action: Update to version 1.7.14, or a newer patched version
Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Link Whisper Free
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 0.6.6
Recommended Action: Update to version 0.6.6, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Missing Authorization via manual review reminders
Patched Version: 5.38.2
Recommended Action: Update to version 5.38.2, or a newer patched version
Plugin: Perfmatters
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version
Plugin: Post Meta Data Manager
Vulnerability: Cross-Site Request Forgery to Post, Term, and User Meta Deletion
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Contact Form to Any API
Vulnerability: Missing Authorization via delete_cf7_records()
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: Audio Merchant
Vulnerability: Cross-Site Request Forgery to Settings Modification and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Like Button
Vulnerability: Missing Authorization via crublabFBLBAjax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.9.1
Recommended Action: Update to version 1.7.9.1, or a newer patched version
Plugin: DrawIt (draw.io)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Insecure Password Reset Mechanism
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: Phlox Shop
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Vulnerability: Improper Authorization via WPCom External Media REST endpoints
Patched Version: 12.7
Recommended Action: Update to version 12.7, or a newer patched version
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version
Plugin: Maspik – Advanced Spam Protection
Vulnerability: Unauthenticated Stored Cross-Site Scripting via efas_add_to_log
Patched Version: 0.9.3
Recommended Action: Update to version 0.9.3, or a newer patched version
Plugin: BP Profile Shortcodes Extra
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Cross-Site Request Forgery via multiple functions
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: ARI Stream Quiz – WordPress Quizzes Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Daily Prayer Time
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2023.10.21
Recommended Action: Update to version 2023.10.21, or a newer patched version
Plugin: Maspik – Advanced Spam Protection
Vulnerability: Bypass
Patched Version: 0.10.4
Recommended Action: Update to version 0.10.4, or a newer patched version
Plugin: Comments – wpDiscuz
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.6.13
Recommended Action: Update to version 7.6.13, or a newer patched version
Plugin: Premium Portfolio Features for Phlox theme
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: WP Meta and Date Remover
Vulnerability: Cross-Site Request Forgery via updateSettings
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Cross-Site Request Forgery to PHP Object Injection
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.12.8
Recommended Action: Update to version 1.12.8, or a newer patched version
Plugin: Accordion
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via accordion settings
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.