Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: April's Call Posts
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ImbaChat
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Vulnerability: Authenticated (Editor+) CSV Path Traversal
Patched Version: 1.0.8.4
Recommended Action: Update to version 1.0.8.4, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP AdCenter – Ad Manager & Adsense Ads
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpadcenter_ad Shortcode
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Blizzard Quotes
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JobBoardWP – Job Board Listings and Submissions
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Announcement & Notification Banner – Bulletin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.12
Recommended Action: Update to version 3.12, or a newer patched version
Plugin: LSX Tour Operator
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ashe Extra
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 1.2.92
Recommended Action: Update to version 1.2.92, or a newer patched version
Plugin: Stratum – Elementor Widgets
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary User Profile Picture Update
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Authenticated (ShopManager+) Stored Cross-Site Scripting via wcj_product_meta Shortcode
Patched Version: 7.2.4
Recommended Action: Update to version 7.2.4, or a newer patched version
Plugin: Premium Packages – Sell Digital Products Securely
Vulnerability: Sell Digital Products Securely <= 5.9.3
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Brute Force Protection – Stop Brute Force Attacks
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sticky Social Icons
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: Ajax Search Lite – Live Search & Filter
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.12.4
Recommended Action: Update to version 4.12.4, or a newer patched version
Plugin: Restaurant Menu – Food Ordering System – Table Reservation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version
Plugin: Moose Elementor Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Netgsm
Vulnerability: Missing Authorization
Patched Version: 2.9.33
Recommended Action: Update to version 2.9.33, or a newer patched version
Plugin: Clone
Vulnerability: Unauthenticated PHP Object Injection via ‘recursive_unserialized_replace’
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Advanced Personalization
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Devexhub Gallery
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: B-Banner Slider
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RecipePress Reloaded
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Favicon My Blog
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bard Extra
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Demo Import
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Control horas
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: School Management System for WordPress
Vulnerability: Authenticated (Student+) Arbitrary File Upload
Patched Version: 92.0.0
Recommended Action: Update to version 92.0.0, or a newer patched version
Plugin: Run Contests, Raffles, and Giveaways with ContestsWP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Push Notifications for WordPress by PushAssist
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BuddyPress Moderation
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Memberlite Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via memberlite_accordion Shortcode
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: StreamWeasels Online Status Bar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version
Plugin: Pathomation
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Include Mastodon Feed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version
Plugin: BNE Gallery Extended
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via gallery Shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Booking calendar, Appointment Booking System
Vulnerability: Unauthenticated Stored Cross-Site Scripting via SVG File Upload
Patched Version: 3.2.16
Recommended Action: Update to version 3.2.16, or a newer patched version
Plugin: BTEV
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Security & Malware scan by CleanTalk
Vulnerability: Authorization Bypass via Reverse DNS Spoofing to Unauthenticated SQL Injection
Patched Version: 2.145.1
Recommended Action: Update to version 2.145.1, or a newer patched version
Plugin: 코드엠샵 소셜톡
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via add_plus_friends and add_plus_talk Shortcodes
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Lis Video Gallery
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Global Gateway e4 | Payeezy Gateway |
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CDI – Collect and Deliver Interface for Woocommerce
Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload
Patched Version: 5.5.6
Recommended Action: Update to version 5.5.6, or a newer patched version
Plugin: 404 Solution
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.35.20
Recommended Action: Update to version 2.35.20, or a newer patched version
Plugin: Custom post type templates for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version
Plugin: Distance Based Shipping Calculator
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Designer
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.37
Recommended Action: Update to version 1.0.37, or a newer patched version
Plugin: Boat Rental Plugin for WordPress
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Floating Buttons for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Convert Docx2post
Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Subaccounts for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Nokaut Offers Box
Vulnerability: Cross-Site Request Forgery to Plugin Setting Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 워드프레스 결제 심플페이 – 우커머스 결제 플러그인
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via pafw_instant_payment Shortcode
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: yPHPlista
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Friendly Functions for Welcart
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Ultimate YouTube Video & Shorts Player With Vimeo
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Playlist/Video Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom CSS, JS & PHP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: W3SPEEDSTER
Vulnerability: Cross-Site Request Forgery
Patched Version: 7.27
Recommended Action: Update to version 7.27, or a newer patched version
Plugin: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Form File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Save as PDF Plugin by Pdfcrowd
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: DeBounce Email Validator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.6.6
Recommended Action: Update to version 5.6.6, or a newer patched version
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Content Switcher Widget Elementor Template
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Lazy load videos and sticky control
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP User Manager – User Profile Builder & Membership
Vulnerability: Missing Authorization to Carbon Fields Custom Sidebar Addition/Removal
Patched Version: 2.9.12
Recommended Action: Update to version 2.9.12, or a newer patched version
Plugin: Hustle – Email Marketing, Lead Generation, Optins, Popups
Vulnerability: Missing Authorization to Unauthorized Form Submission
Patched Version: 7.8.6
Recommended Action: Update to version 7.8.6, or a newer patched version
Plugin: mFolio Lite
Vulnerability: Missing Authorization to Authenticated (Author+) File Upload via EXE and SVG Files
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: MP3 Sticky Player
Vulnerability: Unauthenticated Arbitrary File Read/Download
Patched Version: 8.0
Recommended Action: Update to version 8.0, or a newer patched version
Plugin: SuevaFree Essential Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Missing Authorization to Settings Update and Arbitrary File Upload
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation
Vulnerability: Unauthenticated Arbitrary Shortcode Execution via fire_contact_form
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: WP Popup Window Maker
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chessgame Shizzle
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Advanced Event Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Generic Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: salavat counter Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.54
Recommended Action: Update to version 3.2.54, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: Ultimate YouTube Video & Shorts Player With Vimeo
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Setting Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Login
Vulnerability: Authentication Bypass
Patched Version: 5.10.0
Recommended Action: Update to version 5.10.0, or a newer patched version
Plugin: AppPresser – Mobile App Framework
Vulnerability: Unauthenticated Privilege Escalation via Password Reset
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version
Plugin: WP Githuber MD – WordPress Markdown Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shine PDF Embeder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LinkLaunder SEO
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Quick Setup
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin/Theme Installation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Missing Authorization on REST-API
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version
Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Vulnerability: Missing Authorization to Project Milestone and Task Creation/Deletion
Patched Version: 2.6.15
Recommended Action: Update to version 2.6.15, or a newer patched version
Plugin: Protect Your Content
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Admin UI Customize
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.14
Recommended Action: Update to version 1.5.14, or a newer patched version
Plugin: Jeg Elementor Kit
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via sg_content_template
Patched Version: 2.6.10
Recommended Action: Update to version 2.6.10, or a newer patched version
Plugin: Image horizontal reel scroll slideshow
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Travel Map
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SK WP Settings Backup
Vulnerability: Cross-Site Request Forgery to PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Writer Helper
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IceStats
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPDash Notes
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPAdverts – Classifieds Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: WP-ISPConfig 3
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Cross-Site Request Forgery to Limited Arbitrary Options Update
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Hotlink2Watermark
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NiceJob
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version
Plugin: Quotes llama
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version
Plugin: Debug Tool
Vulnerability: Unauthenticated Arbitrary File Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: InPost Gallery
Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution via inpost_gallery_get_shortcode_template
Patched Version: 2.1.4.3
Recommended Action: Update to version 2.1.4.3, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 4.15.19
Recommended Action: Update to version 4.15.19, or a newer patched version
Plugin: Lock User Account
Vulnerability: User Lock Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Drozd – Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Google Plus Share and +1 Button
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Theater for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.18.7
Recommended Action: Update to version 0.18.7, or a newer patched version
Plugin: If-So Dynamic Content Personalization
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.9.2.2
Recommended Action: Update to version 1.9.2.2, or a newer patched version
Plugin: 胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: Co-marquage service-public.fr
Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: 0.5.77
Recommended Action: Update to version 0.5.77, or a newer patched version
Plugin: TwitterPosts
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CF7 Reply Manager
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2.7.2
Recommended Action: Update to version 4.2.7.2, or a newer patched version
Plugin: kineticPay for WooCommerce
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Continue Shopping From Cart
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Enable SVG, WebP, and ICO Upload
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Booking & Appointment Plugin for WooCommerce
Vulnerability: Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: 6.10.0
Recommended Action: Update to version 6.10.0, or a newer patched version
Plugin: GD bbPress Attachments
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version
Plugin: Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One
Vulnerability: Missing Authorization
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Podlove Podcast Publisher
Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 4.1.17
Recommended Action: Update to version 4.1.17, or a newer patched version
Plugin: UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)
Vulnerability: Insecure Direct Object Reference to Sensitive Information Exposure via UA_Template Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Parsi Date
Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: Page Parts
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: Theme Builder For Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Cookie Notice & Compliance for GDPR / CCPA
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.4.18
Recommended Action: Update to version 2.4.18, or a newer patched version
Plugin: Post Hits Counter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Activity Log – Monitor & Record User Changes
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Event Context
Patched Version: 2.11.2
Recommended Action: Update to version 2.11.2, or a newer patched version
Plugin: Checkout with Cash App on WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.3
Recommended Action: Update to version 6.0.3, or a newer patched version
Plugin: Hacklog DownloadManager
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CYAN Backup
Vulnerability: Authenticated (Admin+) Arbitrary File Download
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version
Plugin: Meteor Slides
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk
Vulnerability: Authorization Bypass due to Missing Empty Value Check to Unauthenticated Arbitrary Plugin Installation
Patched Version: 6.45
Recommended Action: Update to version 6.45, or a newer patched version
Plugin: Picsmize
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Crypto Tool
Vulnerability: Authentication Bypass via register
Patched Version: 2.20
Recommended Action: Update to version 2.20, or a newer patched version
Plugin: Ads Booster by Ads Pro
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Instant Image Generator (One Click Image Uploads from Pixabay, Pexels and OpenAI)
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Gallerio
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: My Contador lesr
Vulnerability: Missing Authorization to Unauthenticated User Registration CSV Export
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Slotti Ajanvaraus
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: CSV to html
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NIX Anti-Spam Light
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Idealien Category Enhancements
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Exclusive Content Password Protect
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.2.4.3
Recommended Action: Update to version 3.2.4.3, or a newer patched version
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.13
Recommended Action: Update to version 2.0.13, or a newer patched version
Plugin: Office Locator
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.113.0
Recommended Action: Update to version 1.113.0, or a newer patched version
Plugin: Tribute Testimonials – WordPress Testimonial Grid/Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Liveblogs
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via “Labels”
Patched Version: 4.15.15
Recommended Action: Update to version 4.15.15, or a newer patched version
Plugin: ITERAS
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Constant Contact Forms by MailMunch
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Anonymous Restricted Content
Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: .htaccess File Manipulation to Remote Code Execution
Patched Version: 1.0.232
Recommended Action: Update to version 1.0.232, or a newer patched version
Plugin: Skt NURCaptcha
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version
Plugin: Tailored Tools
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HIPAA Compliant Forms with Drag’n’Drop HIPAA Form Builder. Sign HIPAA documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Jeg Elementor Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via JKit
Patched Version: 2.6.10
Recommended Action: Update to version 2.6.10, or a newer patched version
Plugin: Button Block – Get fully customizable & multi-functional buttons
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Fintelligence Calculator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Referrer Detector
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kevin's Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: WP User Manager – User Profile Builder & Membership
Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Meta Key Enumeration
Patched Version: 2.9.12
Recommended Action: Update to version 2.9.12, or a newer patched version
Plugin: Contact Form 7 To PDF Viewer
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary User Meta Deletion
Patched Version: 5.9.3.7
Recommended Action: Update to version 5.9.3.7, or a newer patched version
Plugin: LocateAndFilter
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.6.16
Recommended Action: Update to version 1.6.16, or a newer patched version
Plugin: Rescue Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via rescue_progressbar Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: MailChimp Forms by MailMunch
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: Slick Sitemap
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Packages – Sell Digital Products Securely
Vulnerability: Reflected Cross-Site Scripting via add_query_arg
Patched Version: 5.9.4
Recommended Action: Update to version 5.9.4, or a newer patched version
Plugin: FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.2.83
Recommended Action: Update to version 2.2.83, or a newer patched version
Plugin: Grid View Gallery
Vulnerability: Authenticated (Editor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sp*tify Play Button for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via spotifyplaybutton Shortcode
Patched Version: 2.12
Recommended Action: Update to version 2.12, or a newer patched version
Plugin: Premium Packages – Sell Digital Products Securely
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy CSV Importer BETA
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via “Product Files”
Patched Version: 4.15.15
Recommended Action: Update to version 4.15.15, or a newer patched version
Plugin: RealtyCandy IDX Broker Extended
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Do That Task
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Block Editor Bootstrap Blocks
Vulnerability: Reflected Cross-Site Scripting via tab
Patched Version: 6.6.2
Recommended Action: Update to version 6.6.2, or a newer patched version
Plugin: Constant Contact Forms by MailMunch
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: ZIJ KART
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: iPhone Webclip Manager
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Datasets Manager by Arttia Creative
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VdoCipher: Secure Video Player and Hosting
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.30
Recommended Action: Update to version 1.30, or a newer patched version
Plugin: SP Blog Designer
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.25.8
Recommended Action: Update to version 3.25.8, or a newer patched version
Plugin: Dino Game – Embed Google Chrome Dinosaur Game in your website
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: MailMunch – Grow your Email List
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: WordPress Video Robot – The Ultimate Video Importer
Vulnerability: The Ultimate Video Importer <= 1.20.0
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.15.8
Recommended Action: Update to version 4.15.8, or a newer patched version
Plugin: WordPress BasePress Migration Tools
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ahmeti Wp Güzel Sözler
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: F4 Improvements
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: wp-login customizer
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Layouts for Gutenberg
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPGYM – WordPress Gym Management System
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 67.2.0
Recommended Action: Update to version 67.2.0, or a newer patched version
Plugin: Enable SVG, WebP, and ICO Upload
Vulnerability: Arbitrary File Upload
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Matix Popup Builder
Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Unauthenticated SQL Injection via rating_filter
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version
Plugin: Hebrew Dates
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: Custom Shortcode Sidebars
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: User Registration Setting Bypass to Unauthorized User Registration
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version
Plugin: Pure CSS Circle Progress bar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Membership
Vulnerability: Exposure of Private Personal Information to an Unauthorized Actor
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version
Plugin: KBucket: Your Curated Content in WordPress
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ConvertCalculator for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id and type Parameter
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.2.4
Recommended Action: Update to version 7.2.4, or a newer patched version
Plugin: wp auto top
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 3.5.16
Recommended Action: Update to version 3.5.16, or a newer patched version
Plugin: WP Travel Engine – Tour Booking Plugin – Tour Operator Software
Vulnerability: Missing Authorization to Authenticated (Contributor+) Plugin Settings Update
Patched Version: 6.2.2
Recommended Action: Update to version 6.2.2, or a newer patched version
Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Product Table Lite
Vulnerability: Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version
Plugin: Add Chat App Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: I Plant A Tree
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AJAX Random Posts
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: My Geo Posts Free
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Zajax – Ajax Navigation
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPGYM – WordPress Gym Management System
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 67.2.0
Recommended Action: Update to version 67.2.0, or a newer patched version
Plugin: WPBakery Visual Composer WHMCS Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via void_wbwhmcse_laouts_search Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pricing table addon for elementor
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Additional Order Filters for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.22
Recommended Action: Update to version 1.22, or a newer patched version
Plugin: Image Optimizer, Resizer and CDN – Sirv
Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Option Deletion
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version
Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk
Vulnerability: Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation
Patched Version: 6.44
Recommended Action: Update to version 6.44, or a newer patched version
Plugin: Contact Form 7 Email Add on
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Support SVG – Upload svg files in wordpress without hassle
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Feeds For Twitter
Vulnerability: Authenticated (Contributor+) Post Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: Reflected Cross-Site Scripting via Custom HTML Form Parameter
Patched Version: 6.16.2
Recommended Action: Update to version 6.16.2, or a newer patched version
Plugin: 우커머스 네이버페이
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mnp_purchase Shortcode
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Multi Feed Reader
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CM WordPress Search And Replace Plugin
Vulnerability: Reflected Cross-Site Scripting via cminds_free_guide Shortcode
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: WIP Incoming Lite
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Crypto and DeFi Widgets – Web3 Cryptocurrency Shortcodes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dynamic “To Top” Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PeproDev WooCommerce Receipt Uploader
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: Nokaut Offers Box
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Beds24 Online Booking
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via beds24-link Shortcode
Patched Version: 2.0.28
Recommended Action: Update to version 2.0.28, or a newer patched version
Plugin: Realtyna Organic IDX plugin + WPL Real Estate
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 4.14.14
Recommended Action: Update to version 4.14.14, or a newer patched version
Plugin: BigCommerce For WordPress
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Mailster
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.17.0
Recommended Action: Update to version 1.8.17.0, or a newer patched version
Plugin: Product Input Fields for WooCommerce
Vulnerability: Authenticated (Contributor+) Arbitrary File Read
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: MaxUploader – Increase Media Upload File Size | Increase Execution Time
Vulnerability: Authenticated (Author+) Full Path Disclosure
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Popup by Supsystic
Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Table for WooCommerce by CodeAstrology (wooproducttable.com)
Vulnerability: Information Exposure
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version
Plugin: AutoListicle: Automatically Update Numbered List Articles
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Wishlist for WooCommerce: Multi Wishlists Per Customer PRO
Vulnerability: 3.1.2
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: Branda – Branda – White Label & Branding, Custom Login Page Customizer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.22
Recommended Action: Update to version 3.4.22, or a newer patched version
Plugin: Hustle – Email Marketing, Lead Generation, Optins, Popups
Vulnerability: Missing Authorization to Unpublished Form Exposure
Patched Version: 7.8.6
Recommended Action: Update to version 7.8.6, or a newer patched version
Plugin: DigiPass
Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Print PDF Generator and Publisher
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Shopready – Elementor addons for WooCommerce Page Builder
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Fence URL wp-login.php
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PDF Invoices & Packing Slips Generator for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: Event Tickets with Ticket Scanner
Vulnerability: Authenticated (Author+) Remote Code Execution
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version
Plugin: Silverlight Video Player
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: Footer Flyout Widget
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version
Plugin: WP-Orphanage Extended
Vulnerability: Cross-Site Request Forgery to Orphan Account Privilege Escalation
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: AI Quiz | Quiz Maker
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pie Register Premium
Vulnerability: Missing Authorization
Patched Version: 3.8.3.3
Recommended Action: Update to version 3.8.3.3, or a newer patched version
Plugin: FireCask’s Twitter Follow Button
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via username Parameter
Patched Version: 0.3
Recommended Action: Update to version 0.3, or a newer patched version
Plugin: Grey Owl Lightbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Backup and Staging by WP Time Capsule
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.22.22
Recommended Action: Update to version 1.22.22, or a newer patched version
Plugin: School Management System for WordPress
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 92.0.0
Recommended Action: Update to version 92.0.0, or a newer patched version
Plugin: Enter Addons – Ultimate Template Builder for Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.