Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Booster for WooCommerce
Vulnerability: Missing Authorization to Product Creation/Modification
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version
Plugin: MyBookTable Bookstore by Stormhill Media
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: License Manager for WooCommerce
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version
Plugin: File Gallery
Vulnerability: Reflected Cross-Site Scripting via post_id
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Salon Booking System
Vulnerability: Authenticated (Editor+) Privilege Escalation
Patched Version: 8.7
Recommended Action: Update to version 8.7, or a newer patched version
Plugin: WordPress Brute Force Protection – Stop Brute Force Attacks
Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: Porto Theme – Functionality
Vulnerability: Functionality <= 2.11.1
Patched Version: 2.12.1
Recommended Action: Update to version 2.12.1, or a newer patched version
Plugin: Contact Form – Custom Builder, Payment Form, and More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon
Vulnerability: Reflected Cross-Site Scripting via keyword
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: canvasio3D Light
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Theme My Login 2fa
Vulnerability: 2FA Bypass via Brute Force
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version
Plugin: SpiderVPlayer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mondial Relay & Chronopost plugin for WooCommerce – WCMultiShipping
Vulnerability: WCMultiShipping <= 2.3.7
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version
Plugin: Display Custom Post
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chartify – WordPress Chart Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: JetSearch
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.2.1
Recommended Action: Update to version 3.1.2.1, or a newer patched version
Plugin: SiteOrigin Widgets Bundle
Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.51.0
Recommended Action: Update to version 1.51.0, or a newer patched version
Plugin: Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back
Vulnerability: Cross-Site Request Forgery via cbb_submit_settings_data
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Frontier Post
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Roadmap – Product Feedback Board
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: 360 Javascript Viewer
Vulnerability: Missing Authorization
Patched Version: 1.7.12
Recommended Action: Update to version 1.7.12, or a newer patched version
Plugin: JetBlocks for Elementor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.8.1
Recommended Action: Update to version 1.3.8.1, or a newer patched version
Plugin: WP Forms Puzzle Captcha
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Accept Stripe Payments
Vulnerability: Unauthenticated Content Injection
Patched Version: 2.0.80
Recommended Action: Update to version 2.0.80, or a newer patched version
Plugin: Simply Exclude
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: salient-core
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Mail Bank – #1 Mail SMTP Plugin for WordPress
Vulnerability: #1 Mail SMTP Plugin for WordPress <= 4.0.14
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.39
Recommended Action: Update to version 3.39, or a newer patched version
Plugin: Debug Log Manager
Vulnerability: Missing Authorization
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: teachPress
Vulnerability: Cross-Site Request Forgery via delete_database()
Patched Version: 9.0.6
Recommended Action: Update to version 9.0.6, or a newer patched version
Plugin: Yoast SEO
Vulnerability: Authenticated (SEO Manager+) Stored Cross-Site Scripting
Patched Version: 21.1
Recommended Action: Update to version 21.1, or a newer patched version
Plugin: YASR – Yet Another Star Rating Plugin for WordPress
Vulnerability: Missing Authorization via init
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: Participants Database
Vulnerability: Missing Authorization
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Plugin: Fast Custom Social Share by CodeBard
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JetEngine
Vulnerability: Missing Authorization
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: Bulk Comment Remove
Vulnerability: Cross-Site Request Forgery via brc_admin()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Prevent Landscape Rotation
Vulnerability: Cross-Site Request Forgery via adminpage.php
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: WP All Export Pro
Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: Qode Essential Addons
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Accept Stripe Payments
Vulnerability: Insecure Direct Object Reference
Patched Version: 2.0.80
Recommended Action: Update to version 2.0.80, or a newer patched version
Plugin: Export WP Page to Static HTML/CSS
Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: My Calendar – Accessible Event Manager
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.4.22
Recommended Action: Update to version 3.4.22, or a newer patched version
Plugin: Availability Calendar
Vulnerability: Cross-Site Request Forgery via add_availability_calendar_create_admin_page()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 12 Step Meeting List
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.14.25
Recommended Action: Update to version 3.14.25, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Insecure Direct Object Reference to Information Disclosure
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version
Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Vulnerability: Missing Authorization via wpas_edit_reply_ajax()
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version
Plugin: Customer Reviews Collector for WooCommerce
Vulnerability: No subtitle
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: SoundCloud Shortcode
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: Abandoned Cart Lite for WooCommerce
Vulnerability: Missing Authorization via multiple AJAX functions
Patched Version: 5.16.2
Recommended Action: Update to version 5.16.2, or a newer patched version
Plugin: MyTube PlayList
Vulnerability: Reflected Cross-Site Scripting via addplaylistid
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina)
Vulnerability: Sensitive Information Exposure
Patched Version: 6.4.6
Recommended Action: Update to version 6.4.6, or a newer patched version
Plugin: WooCommerce Login Redirect
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version
Plugin: WP Catalogue
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP CleanFix
Vulnerability: Missing Authorization via register
Patched Version: 5.7.0
Recommended Action: Update to version 5.7.0, or a newer patched version
Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Vulnerability: Cross-Site Request Forgery via wpas_edit_reply_ajax()
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version
Plugin: IdeaPush
Vulnerability: Missing Authorization
Patched Version: 8.58
Recommended Action: Update to version 8.58, or a newer patched version
Plugin: WP Forms Puzzle Captcha
Vulnerability: Captcha Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mollie Payments for WooCommerce
Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload
Patched Version: 7.3.12
Recommended Action: Update to version 7.3.12, or a newer patched version
Plugin: WP Mail Log
Vulnerability: Authenticated (Contributor+) SQL Injection via key
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors
Vulnerability: Authenticated (Shop Manager+) SQL Injection via search dates
Patched Version: 2.4.7.1
Recommended Action: Update to version 2.4.7.1, or a newer patched version
Plugin: Quantity Plus Minus Button for WooCommerce by CodeAstrology
Vulnerability: Cross-Site Request Forgery via wqpmb_form_submit
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Simple Long Form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hide login page, Hide wp admin – stop attack on login page
Vulnerability: Login Page Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MkRapel Regiones y Ciudades de Chile para WC
Vulnerability: Cross-Site Request Forgery via multiple functions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.0.77
Recommended Action: Update to version 1.0.77, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: Media File Renamer: Rename for better SEO (AI-Powered)
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 5.7.0
Recommended Action: Update to version 5.7.0, or a newer patched version
Plugin: Aruba HiSpeed Cache
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Button Generator – easily Button Builder
Vulnerability: Missing Authorization
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: JetTabs for Elementor
Vulnerability: Missing Authorization to Unauthenticated Unauthorized Action
Patched Version: 2.1.25.2
Recommended Action: Update to version 2.1.25.2, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.3.0
Recommended Action: Update to version 5.2.3.0, or a newer patched version
Plugin: Product Size Chart For WooCommerce
Vulnerability: Cross-Site Request Forgery via get_save_option
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Formzu WP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: Prime Mover – Migrate WordPress Website & Backups
Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version
Plugin: BSK Forms Blacklist
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version
Plugin: Swift Performance Lite
Vulnerability: Missing Authorization to Unauthenticated Settings Export
Patched Version: 2.3.6.15
Recommended Action: Update to version 2.3.6.15, or a newer patched version
Plugin: JetSearch
Vulnerability: Missing Authorization
Patched Version: 3.1.2.1
Recommended Action: Update to version 3.1.2.1, or a newer patched version
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.3.11
Recommended Action: Update to version 6.3.11, or a newer patched version
Plugin: Multiple Post Passwords
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Events Manager – Calendar, Bookings, Tickets, and more!
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4.6
Recommended Action: Update to version 6.4.6, or a newer patched version
Plugin: Vrm 360 3D Model Viewer
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TriPay Payment Gateway
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version
Plugin: AMP for WP – Accelerated Mobile Pages
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.0.89
Recommended Action: Update to version 1.0.89, or a newer patched version
Plugin: teachPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 9.0.5
Recommended Action: Update to version 9.0.5, or a newer patched version
Plugin: Broken Link Checker for YouTube
Vulnerability: Cross-Site Request Forgery via plugin_settings_page()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Currency Converter Calculator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: TextMe SMS
Vulnerability: Missing Authorization via tetxme_update_option_page()
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: WP Mail Log
Vulnerability: Authenticated (Contributor+) Arbitrary File Read
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Campaign Monitor for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.14
Recommended Action: Update to version 2.8.14, or a newer patched version
Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vulnerability: Missing Authorization via hide_free_sidebar()
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version
Plugin: Email Address Encoder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version
Plugin: Easy Social Icons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: Ocean Extra
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: JetEngine
Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: salient-core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Captcha Code
Vulnerability: Captcha Bypass
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Simple Testimonials Showcase
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Credit Tracker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Email
Vulnerability: Captcha Bypass
Patched Version: 1.3.42
Recommended Action: Update to version 1.3.42, or a newer patched version
Plugin: WP All Export Pro
Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: Button Generator – easily Button Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Unauthenticated SQL Injection via search terms
Patched Version: 1.3.4.3
Recommended Action: Update to version 1.3.4.3, or a newer patched version
Plugin: SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer
Vulnerability: Unauthenticated Password Protected Post Disclosure
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version
Plugin: WP Mail Log
Vulnerability: Incorrect Authorization to Authenticated (Contributor+) Data Viewing and Deletion
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Simple Calendar – Google Calendar Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version
Plugin: Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages
Vulnerability: Open Redirect
Patched Version: 1.5.1.6
Recommended Action: Update to version 1.5.1.6, or a newer patched version
Plugin: Add to Cart Text Changer and Customize Button, Add Custom Icon
Vulnerability: Cross-Site Request Forgery via wactc_text_form
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: WordPress Job Board and Recruitment Plugin – JobWP
Vulnerability: Sensitive Information Exposure
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: GoDaddy Email Marketing
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Crowdfunding
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: eDoc Employee Job Application – Best WordPress Job Manager for Employees
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher
Vulnerability: Insufficient Authorization to Authenticated (Contributor+) Arbitrary Post Modifications
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Missing Authorization via woof_meta_get_keys()
Patched Version: 1.3.4.3
Recommended Action: Update to version 1.3.4.3, or a newer patched version
Plugin: JetElements
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Attachment Download
Patched Version: 2.6.13.1
Recommended Action: Update to version 2.6.13.1, or a newer patched version
Plugin: Import Spreadsheets from Microsoft Excel
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 10.1.4
Recommended Action: Update to version 10.1.4, or a newer patched version
Plugin: Super Progressive Web Apps
Vulnerability: Missing Authorization
Patched Version: 2.2.22
Recommended Action: Update to version 2.2.22, or a newer patched version
Plugin: Crypto Converter ⚡ Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Order Information Disclosure
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.7.9
Recommended Action: Update to version 4.7.9, or a newer patched version
Plugin: SVGator – Add Animated SVG Easily
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.12.5
Recommended Action: Update to version 6.12.5, or a newer patched version
Plugin: Parcel Pro
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.12
Recommended Action: Update to version 1.6.12, or a newer patched version
Plugin: Seraphinite Post .DOCX Source
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.16.7
Recommended Action: Update to version 2.16.7, or a newer patched version
Plugin: Chatbot for WordPress by Collect.chat ⚡️
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: BigCommerce For WordPress
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates
Vulnerability: Cross-Site Request Forgery via process_bulk_action
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: Razorpay for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5.7
Recommended Action: Update to version 4.5.7, or a newer patched version
Plugin: Aparat
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Taxonomy Filter
Vulnerability: Cross-Site Request Forgery via taxonomy_filter_save_main_settings()
Patched Version: 2.2.10
Recommended Action: Update to version 2.2.10, or a newer patched version
Plugin: BackWPup – WordPress Backup & Restore Plugin
Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: CommentLuv
Vulnerability: Server Side Request Forgery via do_click
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: League Table – WordPress Table Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version
Plugin: JetFormBuilder — Dynamic Blocks Form Builder
Vulnerability: Unauthenticated Content Injection
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: Delete Post Revisions In WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bravo Translate
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JobSearch WP Job Board
Vulnerability: Authentication Bypass
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: Razorpay for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 4.5.7
Recommended Action: Update to version 4.5.7, or a newer patched version
Plugin: WCFM Marketplace – Multivendor Marketplace for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version
Plugin: Antispam Bee
Vulnerability: IP Address Spoofing via get_client_ip
Patched Version: 2.11.4
Recommended Action: Update to version 2.11.4, or a newer patched version
Plugin: Consensu.io | Conformidade e Consentimento de Cookies para LGPD
Vulnerability: Missing Authorization via update_config_db()
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.2.7.0
Recommended Action: Update to version 6.2.7.0, or a newer patched version
Plugin: WP All Export Pro
Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: Form builder to get in touch with visitors and grow your email list — Happyforms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.25.10
Recommended Action: Update to version 1.25.10, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.