Watch Out Wednesday – November 8, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks

Vulnerability: Race Condition to Multiple User Voting
Patched Version: 5.4.6
Recommended Action: Update to version 5.4.6, or a newer patched version

Plugin: Category Post List Widget

Vulnerability: Unauthenticated Stored Cross-Site Scripting via custom_css
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CatalogX – Product Catalog Mode For WooCommerce

Vulnerability: Missing Authorization
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: Advance Menu Manager

Vulnerability: Missing Authorization
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Category Post List Widget

Vulnerability: Cross-Site Request Forgery via get_cplw_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Telephone Number Linker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Featured Image Caption

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.8.11
Recommended Action: Update to version 0.8.11, or a newer patched version

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Vulnerability: Missing Authorization via doc_one_page and edit_doc_one_page
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: ANAC XML Bandi di Gara

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Affiliate Disclosure

Vulnerability: Cross-Site Request Forgery via check_capability
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Icons Font Loader – Load Various Web Fonts & Icons on WP

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Category Update
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Dynamic Word Spinner: CSS3 Animated Rotation

Vulnerability: Cross-Site Request Forgery via save_admin_options
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Contact Form 7 <= 1.3.7.3
Patched Version: 1.3.7.4
Recommended Action: Update to version 1.3.7.4, or a newer patched version

Plugin: Great Restaurant Menu WP

Vulnerability: Cross-Site Request Forgery via menu_page
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Limit Login Attempts Reloaded

Vulnerability: Missing Authorization
Patched Version: 2.25.26
Recommended Action: Update to version 2.25.26, or a newer patched version

Plugin: Simple Job Board

Vulnerability: Missing Authorization
Patched Version: 2.10.6
Recommended Action: Update to version 2.10.6, or a newer patched version

Plugin: Add Local Avatar

Vulnerability: Cross-Site Request Forgery via manage_avatar_cache
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iPages Flipbook For WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Code Snippets

Vulnerability: Cross-Site Request Forgery via load
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: SendPress Newsletters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Sliders & Post Grids

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.21
Recommended Action: Update to version 1.0.21, or a newer patched version

Plugin: Bitly's WordPress Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: ImageMapper

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Page/Post Deletion via imgmap_delete_area_ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Basic Interactive World Map

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: SEO Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Amazonify

Vulnerability: Cross-Site Request Forgery to Amazon Tracking ID Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Edit WooCommerce Templates

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Under Construction / Maintenance Mode from Acurax

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ANAC XML Bandi di Gara

Vulnerability: Cross-Site Request Forgery via settings.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting via edit_doc_one_page
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: Extra Product Options for WooCommerce

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Publish for Google My Business

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Arbitrary Post Deletion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3.23
Recommended Action: Update to version 1.2.3.23, or a newer patched version

Plugin: Amazonify

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dynamic Word Spinner: CSS3 Animated Rotation

Vulnerability: Missing Authorization via save_admin_options
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: BZScore – Live Score

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Vietnam Checkout

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: WooCommerce Product Table Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Restrict Categories

Vulnerability: Reflected Cross-Site Scripting via rc-search
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Edit Username

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Patreon WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 22.5
Recommended Action: Update to version 22.5, or a newer patched version

Plugin: Social Feed | All social media in one place

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Apollo13 Framework Extensions

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Ovic Responsive WPBakery

Vulnerability: Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Actueel Financieel Nieuws – Denk Internet Solutions

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: Gift Up Gift Cards for WordPress and WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.20.2
Recommended Action: Update to version 2.20.2, or a newer patched version

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.13
Recommended Action: Update to version 3.13, or a newer patched version

Plugin: Direct Checkout – Quick View – Buy Now For WooCommerce

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting via Custom CSS Code
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: BadgeOS

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Security & Malware scan by CleanTalk

Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: 2.121
Recommended Action: Update to version 2.121, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.30
Recommended Action: Update to version 2.4.30, or a newer patched version

Plugin: Who Hit The Page – Hit Counter

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Central – Site Management, Backups, Security, and Reporting

Vulnerability: Stored Cross-Site Scripting via packages
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Comments Ratings

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redirect 404 Error Page to Homepage or Custom Page with Logs

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: Recently viewed and most viewed products

Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Test Email Sending
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Pinyin Slugs

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Defender Security – Malware Scanner, Login Security & Firewall

Vulnerability: Masked Login Area Security Feature Bypass
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: masterslider

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Enquiry for WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting via name
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Interact: Embed A Quiz On Your Site

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Medialist

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Authenticated (Administrator+) Directory Traversal to Arbitrary CSV File Deletion
Patched Version: 7.5.0
Recommended Action: Update to version 7.5.0, or a newer patched version

Plugin: Layer Slider

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to New Category Creation
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: WP Links Page

Vulnerability: Cross-Site Request Forgery via wplf_ajax_update_screenshots
Patched Version: 4.9.5
Recommended Action: Update to version 4.9.5, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Martins Free And Easy SEO BackLink Link Building Network, Improve Rankings And Traffic

Vulnerability: Reflected Cross-Site Scripting via _wpnonce
Patched Version: 1.2.30
Recommended Action: Update to version 1.2.30, or a newer patched version

Plugin: Kadence WooCommerce Email Designer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.12
Recommended Action: Update to version 1.5.12, or a newer patched version

Plugin: Dragfy Addons for Elementor

Vulnerability: Missing Authorization via save_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WebToffee WP Backup and Migration

Vulnerability: Missing Authorization to Settings Update
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Web Push Notifications – Webpushr

Vulnerability: Missing Authorization to Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.35.0
Recommended Action: Update to version 4.35.0, or a newer patched version

Plugin: Top 10 – WordPress Popular posts by WebberZone

Vulnerability: Cross-Site Request Forgery via edit_count_ajax
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: WP MapIt

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: WP Crowdfunding

Vulnerability: Reflected Cross-Site Scripting via postid
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Donations Made Easy – Smart Donations

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Pricing Table

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Post Modification
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Reflected Cross-Site Scripting via add_internal_scripts_to_head
Patched Version: 4.2.5.4
Recommended Action: Update to version 4.2.5.4, or a newer patched version

Plugin: Front End PM

Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 11.4.3
Recommended Action: Update to version 11.4.3, or a newer patched version

Plugin: WPB Show Core

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WD WidgetTwitter

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Feed

Vulnerability: Reflected Cross-Site Scripting via pf-gid
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Feed | All social media in one place

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Garden Gnome Package

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Auto Affiliate Links

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.4.2.5
Recommended Action: Update to version 6.4.2.5, or a newer patched version

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Social Warfare <= 4.4.3
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: Donations Made Easy – Smart Donations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WebToffee WP Backup and Migration

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: OneClick Chat to Order

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: CodeBard's Patron Button and Widgets for Patreon

Vulnerability: Reflected Cross-Site Scripting via cb_p6_tab
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Foyer – Digital Signage for WordPress

Vulnerability: Content Injection via Improper Access Control
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CoCart – Decoupling Made Easy for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.12.0
Recommended Action: Update to version 3.12.0, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Category Deletion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: ANAC XML Viewer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Device Theme Switcher

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: masterslider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Star CloudPRNT for WooCommerce

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageMapper

Vulnerability: Cross-Site Request Forgery to Plugin Settings Change via ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPDBSpringClean

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: masterslider

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageMapper

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forms for Mailchimp by Optin Cat – Grow Your MailChimp List

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Plugin: Short URL

Vulnerability: Missing Authorization via multiple AJAX functions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CBX Map for Google Map & OpenStreetMap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version

Plugin: Membership Plugin – Restrict Content

Vulnerability: Information Exposure via legacy log file
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: Q2W3 Post Order

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Cross-Site Request Forgery via pms-cross-promotion.php
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version

Plugin: SEO by 10Web

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WassUp Real Time Analytics

Vulnerability: Unauthenticated Stored Cross-Site Scripting via IP
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Top 25 Social Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageMapper

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via imgmap_save_area_title
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 코드엠샵 마이사이트 – MSHOP MY SITE

Vulnerability: Missing Authorization via update_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Integrate Google Drive

Vulnerability: Open Redirect via state
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: QR Code Tag

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UserHeat Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mmm Simple File List

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Countdown and CountUp, WooCommerce Sales Timer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rename Media Files

Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Social Icons

Vulnerability: Missing Authorization via cnss_save_ajax_order
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Live Gold Price & Silver Price Charts Widgets

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Starter Sites & Templates by Neve

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Job Manager & Career – Manage job board listings, and recruitments

Vulnerability: Sensitive Information Exposure
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: ANAC XML Bandi di Gara

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SendPress Newsletters

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.23.11.6
Recommended Action: Update to version 1.23.11.6, or a newer patched version

Plugin: Email Marketing for WooCommerce by Omnisend

Vulnerability: Sensitive Information Exposure
Patched Version: 1.13.9
Recommended Action: Update to version 1.13.9, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Enable/Disable Dark Mode
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Advance Menu Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Easy PayPal Shopping Cart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version

Plugin: WP Travel – Ultimate Travel Booking System, Tour Management Engine

Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: 7.8.1
Recommended Action: Update to version 7.8.1, or a newer patched version

Plugin: Seers | GDPR & CCPA Cookie Consent & Compliance

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 8.1.2
Recommended Action: Update to version 8.1.2, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Duplication
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Digirisk

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.0.0
Recommended Action: Update to version 6.1.0.0, or a newer patched version

Plugin: Auto Tag Creator

Vulnerability: Missing Authorization via tag_save_settings_callback
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Column Widgets

Vulnerability: Reflected Cross-Site Scripting via tab
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Discord Invite

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Decorator – WooCommerce Email Customizer

Vulnerability: WooCommerce Email Customizer <= 1.2.7
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: video carousel slider with lightbox

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: WPB Show Core

Vulnerability: Unauthenticated Server Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-UserOnline

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.88.3
Recommended Action: Update to version 2.88.3, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Cross-Site Request Forgery to Google Drive Storage Update
Patched Version: 1.23.11
Recommended Action: Update to version 1.23.11, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Arbitrary Post Duplication
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Droit Dark Mode

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lava Directory Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Visibility by Country for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CatalogX – Product Catalog Mode For WooCommerce

Vulnerability: Missing Authorization
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: Export Products, Order & Customers for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via date parameters
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: Custom post types, Custom Fields & more

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Mmm Simple File List

Vulnerability: Authenticated (Subscriber+) Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Missing Authorization on multiple functions
Patched Version: 6.12.4
Recommended Action: Update to version 6.12.4, or a newer patched version

Plugin: Email Templates Customizer and Designer for WordPress and WooCommerce

Vulnerability: Cross-Site Request Forgery via send_test_email
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Visitor Traffic Real Time Statistics

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 7.3
Recommended Action: Update to version 7.3, or a newer patched version

Plugin: Ziteboard Online Whiteboard

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ziteboard Shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.7.2
Recommended Action: Update to version 5.7.2, or a newer patched version

Plugin: ShortCodes UI

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Like Page Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: TWB Woocommerce Reviews

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: ARI Stream Quiz – WordPress Quizzes Builder

Vulnerability: Authenticated (Contributor+) Content Injection
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN

Vulnerability: Missing Authorization via multiple AJAX functions
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: Image Hover Effects – WordPress Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6
Recommended Action: Update to version 5.6, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: 4.9.6
Patched Version: 4.9.7
Recommended Action: Update to version 4.9.7, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
