Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. Each entry below lists the affected plugin, the vulnerability type (including the user role required to exploit it, where one is required), the patched version if one exists, and the recommended action. Addressing these vulnerabilities promptly helps protect the safety and integrity of your WordPress site and its data.
Plugin: Download Monitor
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 5.0.14
Recommended Action: Update to version 5.0.14, or a newer patched version
Plugin: Multi Purpose Mail Form
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CodePen Embedded Pens Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Auto Login using a secure tokenized url. Role wise login restriction.
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Politic – For Political WordPress Themes / Website
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: Custom Icons for Elementor
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 0.3.4
Recommended Action: Update to version 0.3.4, or a newer patched version
Plugin: Ditty – Responsive News Tickers, Sliders, and Lists
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.1.47
Recommended Action: Update to version 3.1.47, or a newer patched version
Plugin: SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Open Redirect
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version
Plugin: Satisfaction Reports from Help Scout
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ML Responsive Audio player with playlist Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Goods
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Domain Sharding
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: WordPress eCommerce – ScottCart
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kata Plus – Addons for Elementor – Widgets, Extensions and Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Daily Image
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Market 360 Viewer
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version
Plugin: 3D Work In Progress
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YITH WooCommerce Product Add-Ons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.14.2
Recommended Action: Update to version 4.14.2, or a newer patched version
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 6.14.1
Recommended Action: Update to version 6.14.1, or a newer patched version
Plugin: myCred Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Ads.txt & App-ads.txt Manager for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: Textboxes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementsReady Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.4.4
Recommended Action: Update to version 6.4.4, or a newer patched version
Plugin: leenk.me
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Golf Tracker
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bold Page Builder
Vulnerability: Missing Authorization
Patched Version: 5.1.4
Recommended Action: Update to version 5.1.4, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Custom Gallery Widget
Patched Version: 5.10.2
Recommended Action: Update to version 5.10.2, or a newer patched version
Plugin: Extender All In One For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Search order by product SKU for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: MyOrderDesk
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Call / Contact Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.10
Recommended Action: Update to version 4.7.10, or a newer patched version
Plugin: Website price calculator
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Selection Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version
Plugin: EzyOnlineBookings Online Booking System Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Geotagged Media
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RSVP ME
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TeleAdmin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woocommerce Quote Calculator
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GDReseller
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Zotpress
Vulnerability: Missing Authorization
Patched Version: 7.3.13
Recommended Action: Update to version 7.3.13, or a newer patched version
Plugin: Mega Elements – Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Scrollbar by webxapp – Best vertical/horizontal scrollbars plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Widget or Sidebar Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BTEV
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.1.17
Recommended Action: Update to version 1.1.17, or a newer patched version
Plugin: Group Chat & Video Chat by AtomChat
Vulnerability: Missing Authorization via credits REST API Endpoint
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Awesome Shortcodes For Genesis
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Namaste! LMS
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.6.4.1
Recommended Action: Update to version 2.6.4.1, or a newer patched version
Plugin: T(-) Countdown
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization
Patched Version: 4.4.11
Recommended Action: Update to version 4.4.11, or a newer patched version
Plugin: Logo Manager For Enamad
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.7.3
Recommended Action: Update to version 0.7.3, or a newer patched version
Plugin: TradeMe widgets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.18
Recommended Action: Update to version 1.3.18, or a newer patched version
Plugin: Custom Admin Menu
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Business Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: While Loading
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom post type templates for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version
Plugin: 1-Click Login: Passwordless Authentication
Vulnerability: Authentication Bypass via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: aDirectory – WordPress Directory Listing Plugin
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: AI Image Generator for Your Content & Featured Images – AI Postpix
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cozy Blocks – Page Builder for Gutenberg & Site Editor with Post Blocks, WooCommerce Blocks, Magazine Blocks & WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.19
Recommended Action: Update to version 2.0.19, or a newer patched version
Plugin: Alphabetical List
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Awesome Progress Bar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: W3SPEEDSTER
Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: 7.27
Recommended Action: Update to version 7.27, or a newer patched version
Plugin: CM Table Of Contents – WordPress TOC Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: WPHelpful
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Google Docs RSVP, WordPress Plugin
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Black Widgets For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: BuddyPress Greeting Message
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Amazon Associate Filter
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: aThemes Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Interactive World Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version
Plugin: Master Bar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Team – WordPress Team Member Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via htteamember Shortcode
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: WP Feature Box
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Hotel Booking
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
Vulnerability: Missing Authorization
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version
Plugin: FraudLabs Pro SMS Verification
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.10.2
Recommended Action: Update to version 1.10.2, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Author+) External Entity Injection
Patched Version: 1.3.981
Recommended Action: Update to version 1.3.981, or a newer patched version
Plugin: Property Lot Management System
Vulnerability: Authenticated (Salesman+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bstone Demo Importer
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ThemeFuse Maintenance Mode
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.16
Recommended Action: Update to version 2.5.16, or a newer patched version
Plugin: Risk Warning Bar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Doofinder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NMR Strava activities
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Emoji Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Portfolleo
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: amazing neo icon font for elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: W3P SEO
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template
Patched Version: 1.4.6.1
Recommended Action: Update to version 1.4.6.1, or a newer patched version
Plugin: MyCurator Content Curation
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.79
Recommended Action: Update to version 3.79, or a newer patched version
Plugin: Signup Page
Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointmind
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
Plugin: Seo Free
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Accordion Gutenberg Block
Vulnerability: Missing Authorization
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Display Terms Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YaDisk Files
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: World Prayer Time
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Bootstrap Elements for Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: Backup and Staging by WP Time Capsule
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 1.22.22
Recommended Action: Update to version 1.22.22, or a newer patched version
Plugin: Clyp
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Administrator Z
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Header Footer Composer for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Basticom Framework
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Loginplus
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.81
Recommended Action: Update to version 2.3.81, or a newer patched version
Plugin: Bet WC 2018 Russia
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sticky Social Bar
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: School Management System – WPSchoolPress
Vulnerability: Insecure Direct Object Reference to Authenticated (Teacher+) Account Takeover/Privilege Escalation
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version
Plugin: WP EASY RECIPE
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Featured Posts Scroll
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Code Explorer
Vulnerability: Authenticated (Admin+) External File Reading
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Namaste! LMS
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: SIP Reviews Shortcode for WooCommerce
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: (dp) AddThis
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Author URL
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LaTeX2HTML
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version
Plugin: Woocommerce Quote Calculator
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woocommerce Product Design
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kodex Posts likes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy SVG Upload
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quran Shortcode
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Namaste! LMS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: Get Quote For Woocommerce – Request A Quote For Woocommerce
Vulnerability: Missing Authorization to Unauthenticated Quote PDF and CSV Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate TinyMCE
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simplistic SEO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RLM Elementor Widgets Pack
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Namaste! LMS
Vulnerability: Authenticated (Student+) Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Video Gallery for WooCommerce
Vulnerability: Missing Authorization to Unauthenticated Limited File Deletion
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version
Plugin: Multi Step Form
Vulnerability: Missing Authorization via fw_delete_files
Patched Version: 1.7.22
Recommended Action: Update to version 1.7.22, or a newer patched version
Plugin: All Post Contact Form
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SVT Simple
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Twitter @Anywhere Plus
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: chatplusjp
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Envo's Elementor Templates & Widgets for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.20
Recommended Action: Update to version 1.4.20, or a newer patched version
Plugin: Saragna – Social Stream WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hoo Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AffiliateX – Amazon Affiliate Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9.1
Recommended Action: Update to version 1.2.9.1, or a newer patched version
Plugin: Media File Rename, Find Unused File, Add Alt text, Caption, Desc For Image SEO – Media Library Tools
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Simple Job Manager
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Control Manager for WordPress by ItalyStrap
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Todo Custom Field
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Builder – WordPress Theme Builder for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.39.5
Recommended Action: Update to version 3.39.5, or a newer patched version
Plugin: Futurio Extra
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version
Plugin: Realty Workstation
Vulnerability: Authentication Bypass to Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Loginizer Security
Vulnerability: Authentication Bypass
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version
Plugin: Conversion Helper
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BetterLinks – An Advanced Solution for Affiliate Link Management, Link Shortening, Link Tracking, Link Branding & Marketing
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: Black Widgets For Elementor
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Church Admin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version
Plugin: DocumentPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Restaurant & Cafe Addon for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.13.3
Recommended Action: Update to version 1.13.3, or a newer patched version
Plugin: Automatic Translation
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEOPress – On-site SEO
Vulnerability: Missing Authorization
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 5.10.3
Recommended Action: Update to version 5.10.3, or a newer patched version
Plugin: Cozy Blocks – Page Builder for Gutenberg & Site Editor with Post Blocks, WooCommerce Blocks, Magazine Blocks & WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.16
Recommended Action: Update to version 2.0.16, or a newer patched version
Plugin: Smart Mockups
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Heateor Social Login WordPress
Vulnerability: Authentication Bypass
Patched Version: 1.1.36
Recommended Action: Update to version 1.1.36, or a newer patched version
Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
Vulnerability: Reflected Cross-Site Scripting via URL
Patched Version: 1.9.245
Recommended Action: Update to version 1.9.245, or a newer patched version
Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Gutenberg Block <= 3.0.3
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version
Plugin: MaanStore API
Vulnerability: Authentication Bypass via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Agile Video Player Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.94
Recommended Action: Update to version 2.2.94, or a newer patched version
Plugin: Events Manager Pro – extended
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tickera – WordPress Event Ticketing
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 3.5.4.6
Recommended Action: Update to version 3.5.4.6, or a newer patched version
Plugin: Classy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPC Shop as a Customer for WooCommerce
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: My Wp Brand – Hide menu & Hide Plugin
Vulnerability: Missing Authorization
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Training – Courses
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Qode Essential Addons
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: Stars SMTP Mailer
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Sessions Time Monitoring Full Automatic
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: WooCommerce – Social Login
Vulnerability: WordPress / WooCommerce Plugin <= 2.7.7
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: SKSDEV Toolkit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tumult Hype Animations
Vulnerability: Missing Authorization
Patched Version: 1.9.15
Recommended Action: Update to version 1.9.15, or a newer patched version
Plugin: Product Filter by WBW
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: Bitly's WordPress Plugin
Vulnerability: Missing Authorization
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: Easy Gallery
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SVG Captcha
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ReCaptcha Integration for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: MDR Webmaster Tools
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Media Modal
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: Premium SEO Pack – WP SEO Plugin
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.6.002
Recommended Action: Update to version 1.6.002, or a newer patched version
Plugin: YaDisk Files
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: eewee admin custom
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP EIS
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ACL Floating Cart for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Course Manager
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elo Rating Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Beds24 Online Booking
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.26
Recommended Action: Update to version 2.0.26, or a newer patched version
Plugin: Client Power Tools Portal
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Meetup
Vulnerability: Authentication Bypass via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Super Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Astra Widgets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.15
Recommended Action: Update to version 1.2.15, or a newer patched version
Plugin: Responsive Flickr Gallery
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.4.2
Recommended Action: Update to version 3.0.4.2, or a newer patched version
Plugin: MasterBip para Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Delisho – Recipe Widgets and Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Slicko
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 3D Work In Progress
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: bpmn.io
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clever Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Missing Authorization
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Acnoo Flutter API
Vulnerability: Authentication Bypass via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Lodgix.com Vacation Rental Website Builder
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud!
Vulnerability: Missing Authorization via AJAX actions
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version
Plugin: RSVP ME
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Multi Purpose Mail Form
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dynamic Widgets
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: Verbalize WP
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced PDF Generator
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FriendStore for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPAdverts – Classifieds Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting via adverts_add Shortcode
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.3.3.5
Recommended Action: Update to version 1.3.3.5, or a newer patched version
Plugin: Banner Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Abstracts
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: WP MMenu Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MapPress Maps for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Map Block
Patched Version: 2.94.2
Recommended Action: Update to version 2.94.2, or a newer patched version
Plugin: User Password Reset
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Maintenance Mode (Free)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: XT Floating Cart for WooCommerce
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: Copyscape Premium
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Ancient World Linked Data for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Age Gate
Patched Version: 5.10.2
Recommended Action: Update to version 5.10.2, or a newer patched version
Plugin: Advanced Sermons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version
Plugin: Code Generate
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Medical Addon for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.3.9
Recommended Action: Update to version 2.8.3.9, or a newer patched version
Plugin: Mobilize
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Whitelist
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Marketing Automation by AZEXO
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woocommerce Custom Profile Picture
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Firework Shoppable Live Video
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3.5
Recommended Action: Update to version 1.3.3.5, or a newer patched version
Plugin: Shortcodes Blocks Creator Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: ID-SK Toolkit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RSVPMaker for Toastmasters
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 6.2.5
Recommended Action: Update to version 6.2.5, or a newer patched version
Plugin: WooCommerce Advanced Bulk Edit Products, Orders, Coupons, Any WordPress Post Type – Smart Manager
Vulnerability: Missing Authorization
Patched Version: 8.46.0
Recommended Action: Update to version 8.46.0, or a newer patched version
Plugin: Taskbuilder – WordPress Project & Task Management plugin
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Naver Blog
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Editor Custom Color Palette
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version
Plugin: Advanced Online Ordering and Delivery Platform
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Visual Adverts
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Genoo
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.13
Recommended Action: Update to version 6.0.13, or a newer patched version
Plugin: Audio Comparison Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version
Plugin: Admin SMS Alert
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Greenshift – animation and page builder blocks
Vulnerability: Missing Authorization
Patched Version: 9.8
Recommended Action: Update to version 9.8, or a newer patched version
Plugin: BBP Core – Expand bbPress powered forums with useful features
Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: WP-Basics
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sales Page Addon – Elementor & Beaver Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: imPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Flash Show And Hide Box
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder
Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pricing Tables WordPress Plugin – Easy Pricing Tables
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version
Plugin: Woo Manage Fraud Orders
Vulnerability: Unauthenticated Information Exposure via Log Files
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Meta Store Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bing Search API Integration
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Extra Privacy for Elementor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Subscribe to Comments
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Pricer Ninja: Create and add responsive Pricing Tables to your website on-the-fly
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UPDATE NOTIFICATIONS
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Booking System – Booking Calendar
Vulnerability: Missing Authorization via wpbs_refresh_calendar_editor
Patched Version: 2.0.19.11
Recommended Action: Update to version 2.0.19.11, or a newer patched version
Plugin: SrcSet Responsive Images for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SIP Reviews Shortcode for WooCommerce
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: iBryl Switch User
Vulnerability: Authenticated (Subscriber+) Privilege Escalation via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Show Visitor IP Address
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bigmart Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Modal
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Skip To
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Great Restaurant Menu WP
Vulnerability: Missing Authorization
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Hover Video Preview
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Query Console
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Filterable Portfolio
Vulnerability: Server-Side Request Forgery
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version
Plugin: Selar.co Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MG Post Contributors
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LH QR Codes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Local Business Addons For Elementor (Formally Waze Map)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Plugin Propagator
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Survey Maker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version
Plugin: Download-Mirror-Counter
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Step by Step
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fabrica Synced Pattern Instances
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Manage User Columns
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: 3D Presentation
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Themedy Toolbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Load More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Membership
Vulnerability: Unauthenticated Open Redirect
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: WeChat Subscribers Lite 微信公众订阅号插件
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Addressbook
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
Plugin: Platform.ly Official
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version
Plugin: Affiliate Platform
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Custom Admin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Data Table
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AwesomePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Planning Center Online Giving
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HQ60 Fidelity Card
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Realty by BestWebSoft
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: HD Quiz – Save Results Light
Vulnerability: Missing Authorization
Patched Version: 0.6
Recommended Action: Update to version 0.6, or a newer patched version
Plugin: Media Library Assistant
Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: 3.20
Recommended Action: Update to version 3.20, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.31
Recommended Action: Update to version 1.8.31, or a newer patched version
Plugin: Content Syndication Toolkit Reader
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version
Plugin: Wp Slide Categorywise
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Group Chat & Video Chat by AtomChat
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via atomchat Shortcode
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Blrt WP Embed
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WM Zoom
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Vulnerability: Authentication Bypass
Patched Version: 7.14
Recommended Action: Update to version 7.14, or a newer patched version
Plugin: Buooy Sticky Header
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PDF Invoices & Packing Slips for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version
Plugin: Don’t Break The Code
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Reftagger Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Admin Amplify
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking Plugin for Your WordPress Appointments – Time Slot
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Elementary Addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Business Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Open Map Widget
Patched Version: 5.10.3
Recommended Action: Update to version 5.10.3, or a newer patched version
Plugin: WP Flow Plus
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version
Plugin: WP Baidu Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Qi Blocks
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: AI Power: Complete AI Pack
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.8.90
Recommended Action: Update to version 1.8.90, or a newer patched version
Plugin: WPKoi Templates for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Plugin: Raptor Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SH Slideshow
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Monitor.chat – Monitor WordPress with Instant Messages
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BP Member Type Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Pocket URLs
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: WooCommerce Report
Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: Coub
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.2.22
Recommended Action: Update to version 3.2.22, or a newer patched version
Plugin: Trip Plan
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Widget
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: DataMentor – Best DataTables Plugin for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Amilia Store
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Accept Stripe Donation and Payments – AidWP
Vulnerability: Missing Authorization
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: GMO Social Connection
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: uCAT – Next Story
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Simple Anchors Links
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpanchor Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Themes4WP YouTube External Subtitles
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gmap Point List
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: Knowledge Base
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Jigoshop – Store Exporter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tida URL Screenshot
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sudan Payment Gateway for WooCommerce
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Alley Elementor Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPGlobus Translate Options
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Accordion title for Elementor
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: PDF Generator Addon for Elementor Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: Ajax Content Filter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Porsline
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Conditional Fields for Contact Form 7
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.9.1.6
Recommended Action: Update to version 1.9.1.6, or a newer patched version
Plugin: Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages
Vulnerability: Missing Authorization
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: Bricksable for Bricks Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.60
Recommended Action: Update to version 1.6.60, or a newer patched version
Plugin: CWD 3D Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Page Specific Sidebars
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Firelight Lightbox
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: Team Showcase and Slider – Team Members Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GEO my WP
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Breeze – WordPress Cache Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version
Plugin: Dashing Memberships
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EndomondoWP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Missing Authorization
Patched Version: 3.2.10
Recommended Action: Update to version 3.2.10, or a newer patched version
Plugin: e-shopsカート2
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Random Featured Post
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SmartLink Dynamic URLs
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Exam Matrix
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Курс валют UAH
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kento Ads Rotator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AMP Img Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Campus Explorer Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sided
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Import and export users and customers
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.27.6
Recommended Action: Update to version 1.27.6, or a newer patched version
Plugin: SEOPress – On-site SEO
Vulnerability: Missing Authorization
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Plugin: Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free | RRatingg
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Narnoo Commerce Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cresta Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Jigoshop – Store Toolkit
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 12.3.21
Recommended Action: Update to version 12.3.21, or a newer patched version
Plugin: Enable Shortcodes inside Widgets,Comments and Experts
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Aajoda Testimonials
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ThemeShark Templates & Widgets for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Seriously Simple Podcasting
Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: AmaDiscount Plugin
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Breeze – WordPress Cache Plugin
Vulnerability: Missing Authorization
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version
Plugin: UW Freelancer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Schema & Structured Data for WP & AMP
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.36
Recommended Action: Update to version 1.36, or a newer patched version
Plugin: Twitter real time search scrolling
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PegaPoll
Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bonway Static Block Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.29
Recommended Action: Update to version 1.8.29, or a newer patched version
Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.13
Recommended Action: Update to version 4.1.13, or a newer patched version
Plugin: Webriti Custom Login
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Marquee Elementor with Posts
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GRÜN spendino Spendenformular – Mehr Spenden! Weniger Arbeit!
Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Insecure Direct Object Reference to Submission Manipulation
Patched Version: 1.36.1
Recommended Action: Update to version 1.36.1, or a newer patched version
Plugin: Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder
Vulnerability: Authentication Bypass via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woo Manage Fraud Orders
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Unauthenticated SQL Injection
Patched Version: 24.0.4
Recommended Action: Update to version 24.0.4, or a newer patched version
Plugin: APK Downloader
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forms: 3rd-Party Post Again
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEOPress – On-site SEO
Vulnerability: Missing Authorization
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Plugin: INK Official
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Definitive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DarkMySite – Advanced Dark Mode Plugin for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PropertyShift
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.