Watch Out Wednesday – October 16, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins so that you can stay informed about current risks and take appropriate action to protect your website. Addressing these vulnerabilities promptly reduces the risk to your WordPress site and its data. When working through the list, treat entries marked "Unauthenticated" (no account needed) or reachable from a Subscriber or Contributor account as the most urgent, and do not leave a plugin with "No patched version available" installed unmitigated: the vendor has published no fix, so deactivation or replacement is usually the only reliable remedy.
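The entries below share a fixed three-line shape (Plugin, Vulnerability, Patched Version), which makes the list easy to check mechanically against a site's installed plugins. The script that follows is an added example, not part of the original roundup or of any plugin vendor's code: it parses a constructed excerpt in that format, compares it with a constructed inventory shaped like the JSON that `wp plugin list --fields=name,title,version --format=json` produces, flags plugins that are below the patched version or have no patch at all, and orders the findings by the privilege an attacker needs (read off the "Unauthenticated" / "Authenticated (Role+)" prefix). It assumes the roundup's plugin name equals the plugin's WP-CLI `title`, and its version comparison is a numeric dotted-tuple approximation of PHP's version_compare that is adequate for the version strings on this page.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the roundup's own three-line format (three entries copied from this page).
ROUNDUP = """\
Plugin: LiteSpeed Cache

Vulnerability: Authenticated (Author+) Path Traversal
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Ajax Rating with Custom Login

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. It may be best to uninstall the affected software and find a replacement.

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
"""

# Constructed inventory shaped like `wp plugin list --fields=name,title,version --format=json`.
# Assumption: the roundup's "Plugin:" name matches the plugin's `title` field.
INSTALLED = json.loads("""[
  {"name": "litespeed-cache", "title": "LiteSpeed Cache", "version": "6.5.0.1"},
  {"name": "ajax-rating-with-custom-login", "title": "Ajax Rating with Custom Login", "version": "1.1"},
  {"name": "jeg-elementor-kit", "title": "Jeg Elementor Kit", "version": "2.6.9"},
  {"name": "akismet", "title": "Akismet Anti-spam", "version": "5.3.3"}
]""")

# Lower rank = less privilege required = more urgent.
ROLE_RANK = {"unauthenticated": 0, "subscriber": 1, "contributor": 2,
             "author": 3, "editor": 4, "admin": 5, "administrator": 5}


@dataclass
class Advisory:
    plugin: str
    vulnerability: str
    patched: Optional[str]  # None when the roundup says no patched version exists


def parse_roundup(text: str) -> list:
    """Split the roundup into entries and pull out the three fields the check needs."""
    advisories = []
    for block in re.split(r"\n(?=Plugin: )", text.strip()):
        fields = dict(re.findall(r"^(Plugin|Vulnerability|Patched Version): (.+)$", block, re.M))
        if not {"Plugin", "Vulnerability", "Patched Version"} <= fields.keys():
            continue  # malformed entry: skip rather than guess
        patched = fields["Patched Version"]
        advisories.append(Advisory(fields["Plugin"], fields["Vulnerability"],
                                   None if patched.lower().startswith("no patched") else patched))
    return advisories


def version_key(version: str) -> tuple:
    """Numeric dotted comparison key, e.g. '6.5.0.1' -> (6, 5, 0, 1); compares like PHP version_compare
    for plain numeric versions."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def required_privilege(vulnerability: str) -> int:
    """Rank the attacker privilege implied by the roundup's naming convention."""
    if vulnerability.startswith("Unauthenticated"):
        return 0
    match = re.match(r"Authenticated \((\w+)\+\)", vulnerability)
    if match:
        return ROLE_RANK.get(match.group(1).lower(), 5)
    return 6  # CSRF or unstated: needs a victim's interaction or must be triaged by hand


def triage(advisories: list, installed: list) -> list:
    """Return actionable findings for installed plugins, most urgent first."""
    by_title = {plugin["title"]: plugin for plugin in installed}
    findings = []
    for adv in advisories:
        plugin = by_title.get(adv.plugin)
        if plugin is None:
            continue  # not installed on this site
        current = plugin["version"]
        if adv.patched is None:
            action = f"wp plugin deactivate {plugin['name']}  # no fix published; mitigate or replace"
        elif version_key(current) < version_key(adv.patched):
            action = f"wp plugin update {plugin['name']}  # {current} -> {adv.patched} or newer"
        else:
            continue  # already at or above the patched version
        findings.append({"plugin": plugin["name"], "installed": current,
                         "vulnerability": adv.vulnerability,
                         "privilege": required_privilege(adv.vulnerability), "action": action})
    findings.sort(key=lambda finding: finding["privilege"])
    return findings


if __name__ == "__main__":
    for finding in triage(parse_roundup(ROUNDUP), INSTALLED):
        print(finding["action"], "|", finding["vulnerability"])
```

On the constructed inventory the script emits a deactivate command for Ajax Rating with Custom Login (unauthenticated SQL injection, no fix) ahead of the LiteSpeed Cache update, and stays silent about Jeg Elementor Kit because it is already at 2.6.9. Matching on display title is the weak point: plugin titles change between releases, so confirm each hit against the plugin slug before acting on it.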

Plugin: G Meta Keywords

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: File Manager Pro

Vulnerability: Unauthenticated Limited JavaScript File Upload
Patched Version: 8.3.10
Recommended Action: Update to version 8.3.10, or a newer patched version

Plugin: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF

Vulnerability: Missing Authorization
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version

Plugin: WP Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Baseball Scoreboard

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Featured Posts with Multiple Custom Groups (FPMCG)

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Linked Variation for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Arkhe Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.27.0
Recommended Action: Update to version 2.27.0, or a newer patched version

Plugin: Cooked Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: WP MyLinks

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: WP Popup Builder – Popup Forms and Marketing Lead Generation

Vulnerability: Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: GDPR-Extensions-com – Consent Manager

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Hyperlink Group Block

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.17.6
Recommended Action: Update to version 1.17.6, or a newer patched version

Plugin: Order Attachments for WooCommerce

Vulnerability: Not stated in this listing (the entry reads only "2.4.1", which is below the patched version and is presumably the affected release)
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Notification Settings
Patched Version: 1.6.7.55
Recommended Action: Update to version 1.6.7.55, or a newer patched version

Plugin: Nextend Social Login Pro

Vulnerability: Authentication Bypass
Patched Version: 3.1.15
Recommended Action: Update to version 3.1.15, or a newer patched version

Plugin: Visual CSS Style Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.5
Recommended Action: Update to version 7.6.5, or a newer patched version

Plugin: Smart Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: My Favorites

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: ACF Images Search And Insert

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Add to Cart Button Label and Link

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User registration & user profile – UserPlus

Vulnerability: Authenticated (Editor+) Registration Form Update to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Limb Gallery | Create Beautiful Image & Video Galleries

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP 2FA with Telegram

Vulnerability: Authenticated (Subscriber+) Authentication Bypass
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Appointment Settings
Patched Version: 1.6.7.55
Recommended Action: Update to version 1.6.7.55, or a newer patched version

Plugin: Maximum Products per User for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.9
Recommended Action: Update to version 4.2.9, or a newer patched version

Plugin: Cookie Scanner – automated cookie list

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plexx Elementor Extension

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Zoho CRM Lead Magnet

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.7.9.8
Recommended Action: Update to version 1.7.9.8, or a newer patched version

Plugin: QA Analytics – with Heatmaps & Replay, Privacy Friendly

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 4.1.1.2
Recommended Action: Update to version 4.1.1.2, or a newer patched version

Plugin: CartBounty – Save and recover abandoned carts for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.2.1
Recommended Action: Update to version 8.2.1, or a newer patched version

Plugin: SEO Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clio Grow Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: IdeaPush

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.71
Recommended Action: Update to version 8.71, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via youzify_media Shortcode
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: WP-Spreadplugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto iFrame

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via tag Parameter
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.51
Recommended Action: Update to version 11.51, or a newer patched version

Plugin: Increase upload file size & Maximum Execution Time limit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: CM Tooltip Glossary

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.11
Recommended Action: Update to version 4.3.11, or a newer patched version

Plugin: El mejor Cluster

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Plugin: Category Icon

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Missing Authorization
Patched Version: 3.12.4
Recommended Action: Update to version 3.12.4, or a newer patched version

Plugin: Stackable – Page Builder Gutenberg Blocks

Vulnerability: Unauthenticated CSS Injection
Patched Version: 3.13.7
Recommended Action: Update to version 3.13.7, or a newer patched version

Plugin: ImagePress – Image Gallery

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Contact Form by Supsystic

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 1.7.29
Recommended Action: Update to version 1.7.29, or a newer patched version

Plugin: External featured image from bing

Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.7.1
Recommended Action: Update to version 3.2.7.1, or a newer patched version

Plugin: IP Loc8

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User registration & user profile – UserPlus

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Recently – Viewed, Most Viewed and Sold Products for WooCommerce

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Include Fussball.de Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ajax Rating with Custom Login

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Edwiser Bridge – WordPress Moodle LMS Integration

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Authenticated (Author+) Path Traversal
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Cozy Blocks – Page Builder for Gutenberg & Site Editor with Post Blocks, WooCommerce Blocks, Magazine Blocks & WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version

Plugin: WP-WebAuthn

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

Vulnerability: Missing Authorization
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Customer Email Verification for WooCommerce

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: Responsive Pricing Table Builder – wpPricing Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ahmeti Wp Timeline

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CubeWP – All-in-One Dynamic Content Framework

Vulnerability: Missing Authorization
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Plugin: WordPress Comments Import & Export

Vulnerability: Authenticated (Author+) Arbitrary File Read via Directory Traversal
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.9.0
Recommended Action: Update to version 4.9.0, or a newer patched version

Plugin: Team Showcase

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.22.26
Recommended Action: Update to version 1.22.26, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 6.4.6.2
Recommended Action: Update to version 6.4.6.2, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Open Redirect
Patched Version: 4.0.4.6
Recommended Action: Update to version 4.0.4.6, or a newer patched version

Plugin: Smart Online Order for Clover

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version

Plugin: ImagePress – Image Gallery

Vulnerability: Not stated in this listing (the entry reads only "Image Gallery <= 1.2.2", i.e. the affected version range)
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Crazy Call To Action Box

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Job Board Manager for WordPress

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate AI

Vulnerability: Limited User Password Change due to Improper Empty and Missing Default Value Check
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Cross-Site Request Forgery to Statistic Deletion
Patched Version: 4.7.5
Recommended Action: Update to version 4.7.5, or a newer patched version

Plugin: VKontakte Wall Post

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cooked Pro

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure
Patched Version: Fix backported to every release branch from 3.9 through 13.9 (latest patched release 13.9.1); see the per-branch list below
Recommended Action: Update to the patched release of the branch you are running, or a newer patched version. Patched releases by branch: 3.9.10, 4.0.7, 4.1.4, 4.2.5, 4.3.5, 4.4.5, 4.5.3, 4.6.3, 4.7.4, 4.8.5, 4.9.3, 5.0.3, 5.1.4, 5.2.5, 5.3.4, 5.4.4, 5.5.5, 5.6.5, 5.7.5, 5.8.4, 5.9.4, 6.0.4, 6.1.5, 6.2.5, 6.3.7, 6.4.6, 6.5.4, 6.6.5, 6.7.4, 6.8.5, 6.9.4, 7.0.5, 7.1.5, 7.2.5, 7.3.5, 7.4.5, 7.5.7, 7.6.4, 7.7.6, 7.8.4, 7.9.4, 8.0.3, 8.1.4, 8.2.6, 8.3.3, 8.4.5, 8.5.3, 8.6.4, 8.7.4, 8.8.5, 8.9.4, 9.0.5, 9.1.3, 9.2.4, 9.3.5, 9.4.4, 9.5.5, 9.6.4, 9.7.3, 9.8.3, 9.9.3, 10.0.2, 10.1.2, 10.2.3, 10.3.2, 10.4.2, 10.5.3, 10.6.2, 10.7.2, 10.8.2, 10.9.3, 11.0.2, 11.1.4, 11.2.2, 11.3.4, 11.4.2, 11.5.3, 11.6.2, 11.7.3, 11.8.6, 11.9.3, 12.0.2, 12.1.2, 12.2.2, 12.3.1, 12.4.1, 12.5.1, 12.6.3, 12.7.2, 12.8.2, 12.9.4, 13.0.1, 13.1.4, 13.2.3, 13.3.2, 13.4.4, 13.5.1, 13.6.1, 13.7.1, 13.8.2, 13.9.1

Plugin: Robokassa payment gateway for Woocommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: CMSMasters Content Composer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: Iconize

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AppPresser – Mobile App Framework

Vulnerability: Privilege Escalation and Account Takeover via Weak OTP
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via content_template
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version

Plugin: WPOptin – AI-Powered Top Bars, PopUps & Lead Generation

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Surfer – WordPress Plugin

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.6.0.523
Recommended Action: Update to version 1.6.0.523, or a newer patched version

Plugin: Embed videos and respect privacy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: RS-Members

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Users Masquerade

Vulnerability: Authenticated (Subscriber+) Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Woo Labels – Product Labels for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.02
Recommended Action: Update to version 2.02, or a newer patched version

Plugin: BSK Forms Blacklist

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version

Plugin: MAS Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Read more By Adam

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Read More Button Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lightbox slider – Responsive Lightbox Gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MaxSlider

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: WP Compress – Instant Performance & Speed Optimization

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.21.01
Recommended Action: Update to version 6.21.01, or a newer patched version

Plugin: Marketing and SEO Booster

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: My Reading Library

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FREE DOWNLOAD MANAGER

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forms for Mailchimp by Optin Cat – Grow Your MailChimp List

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Form Color Parameters
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version

Plugin: Responsive Lightbox & Gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Unauthenticated Path Traversal to Arbitrary File Read and Deletion in wfu_file_downloader.php
Patched Version: 4.24.12
Recommended Action: Update to version 4.24.12, or a newer patched version

Plugin: Unlimited Addon For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.38
Recommended Action: Update to version 2.7.38, or a newer patched version

Plugin: BlockMeister – Block Pattern Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version

Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Elementor Inline SVG

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ajax Custom CSS/JS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Creates 3D Flipbook, PDF Flipbook in WordPress

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Booking.com Banner Creator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multiline files upload for contact form 7

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version

Plugin: WP Helper Premium

Vulnerability: Missing Authorization in whp_smtp_send_mail_test
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version

Plugin: XLTab – Accordions and Tabs for Elementor Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: Social Sharing (by Danny)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: ImagePress – Image Gallery

Vulnerability: Not specified in this listing (the entry gives only the affected range, Image Gallery <= 1.2.2)
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Edwiser Bridge – WordPress Moodle LMS Integration

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: FAQ / Accordion / Docs / KB – Helpie WordPress FAQ Accordion plugin

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.28
Recommended Action: Update to version 1.28, or a newer patched version

Plugin: WordPress Video

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Export Products, Order & Customers for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Admin Management Xtended

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: TAKETIN To WP Membership

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Edwiser Bridge – WordPress Moodle LMS Integration

Vulnerability: Authentication Bypass due to Missing Empty Value Check
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Pedalo Connector

Vulnerability: Authentication Bypass to Administrator
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via skipto Shortcode
Patched Version: 11.9.19
Recommended Action: Update to version 11.9.19, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via WL: FAQ Widget Elementor Template
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.6.4
Recommended Action: Update to version 6.6.4, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Missing Authorization
Patched Version: 1.13.7
Recommended Action: Update to version 1.13.7, or a newer patched version

Plugin: Akismet htaccess writer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy PayPal Gift Certificate

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via wpppgc_plugin_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via table_saved_sections
Patched Version: 1.13.9
Recommended Action: Update to version 1.13.9, or a newer patched version

Plugin: BuddyPress Better Registration

Vulnerability: Authentication Bypass to Administrator
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mynx Page Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CJ Change Howdy

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.7.4
Recommended Action: Update to version 8.7.4, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: WPCOM Member

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4.1
Recommended Action: Update to version 1.5.4.1, or a newer patched version

Plugin: Tainacan

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 0.21.9
Recommended Action: Update to version 0.21.9, or a newer patched version

Plugin: The Ultimate WordPress Toolkit – WP Extended

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: Locatoraid Store Locator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.48
Recommended Action: Update to version 3.9.48, or a newer patched version

Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Feed Comments Number

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Auto Poster

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.16
Recommended Action: Update to version 5.3.16, or a newer patched version

Plugin: ADIF Log Search Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Free Stock Photos Foter

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: bVerse Convert

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Author Avatars List/Block

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.1.22
Recommended Action: Update to version 2.1.22, or a newer patched version

Plugin: ElementsReady Addons for Elementor

Vulnerability: Open Redirect
Patched Version: 6.4.3
Recommended Action: Update to version 6.4.3, or a newer patched version

Plugin: Shortcodes AnyWhere

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: cSlider

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kama SpamBlock

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Table of Contents Plus

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ahime Image Printer

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tito

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cooked Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: SEUR Oficial

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version

Plugin: Themesflat Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Better Author Bio

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tainacan

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.21.11
Recommended Action: Update to version 0.21.11, or a newer patched version

Plugin: Zoho Forms – Drag & Drop Form Builder for Websites – Contact Forms, Payment Forms, Order Forms & More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Wsify widget

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TNC PDF viewer

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: WP Travel Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: File Manager Pro

Vulnerability: Unauthenticated Backup File Download and Upload
Patched Version: 8.3.10
Recommended Action: Update to version 8.3.10, or a newer patched version

Plugin: Keep Backup Daily

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: WP Post Page Clone

Vulnerability: Missing Authorization to Post Disclosure
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Dynamic Elementor Addons

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Primary Addon for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: WP-Lister Lite for eBay

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: ajax-extend

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accordion Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Attribute
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version

Plugin: Talkback

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rescue Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version

Plugin: Curator.io

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via feed_id Attribute
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Plugin: Bridge Core

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Demo Import
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Event Calendar

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Calendar Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Basic Information Exposure via get_image_alt Function
Patched Version: 3.24.6
Recommended Action: Update to version 3.24.6, or a newer patched version

Plugin: Analyse Uploads

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.15
Recommended Action: Update to version 3.5.15, or a newer patched version

Plugin: YITH WooCommerce Ajax Search

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Maan Addons For Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hunk Companion

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: Leyka

Vulnerability: Missing Authorization
Patched Version: 3.31.7
Recommended Action: Update to version 3.31.7, or a newer patched version

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.5
Recommended Action: Update to version 4.7.5, or a newer patched version

Plugin: 2D Tag Cloud

Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Table of Contents Plus

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TinyPNG – JPEG, PNG & WebP image compression

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Vulnerability: Missing Authorization
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version

Plugin: DethemeKit For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Simple Membership After Login Redirection

Vulnerability: Open Redirect
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Awesome Contact Form7 for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: WP Bulk Delete

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Enter Addons – Ultimate Template Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Contact Forms, Live Support, CRM, Video Messages

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 1.11.1
Recommended Action: Update to version 1.11.1, or a newer patched version

Plugin: Gallery Lightbox

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.0.0.41
Recommended Action: Update to version 1.0.0.41, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.12.1
Recommended Action: Update to version 3.12.1, or a newer patched version

Plugin: Bot for Telegram on WooCommerce

Vulnerability: Authenticated (Subscriber+) Telegram Bot Token Disclosure to Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Keap Official Opt-in Forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Htaccess File Editor – Easily Edit, Backup, Restore .htaccess file

Vulnerability: Missing Authorization
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: LA-Studio Element Kit for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.9.7
Recommended Action: Update to version 1.3.9.7, or a newer patched version

Plugin: CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 8.x

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

Vulnerability: Authenticated (Administrator+) Improper Input Validation via iconUpload Function to Arbitrary File Read
Patched Version: 2.15.3
Recommended Action: Update to version 2.15.3, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Sina Modal Box Widget Elementor Template
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Notification for Telegram

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Send Telegram Test Message
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.8.13
Recommended Action: Update to version 2.8.13, or a newer patched version

Plugin: SSV MailChimp

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Digital Lottery

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mighty Builder – Drag & Drop WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Linkz.ai – Automatic link previews on hover

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via AJAX
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: ElementInvader Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Affiliate Program Suite — SliceWP Affiliates

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.3.6.3
Recommended Action: Update to version 6.3.6.3, or a newer patched version

Plugin: WordPress Portfolio Builder – Portfolio Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.122
Recommended Action: Update to version 1.5.122, or a newer patched version

Plugin: Linkz.ai – Automatic link previews on hover

Vulnerability: Missing Authorization to Unauthenticated Plugin Settings Update
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Events Addon for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: WooCommerce

Vulnerability: Unauthenticated HTML Injection
Patched Version: 9.1.0
Recommended Action: Update to version 9.1.0, or a newer patched version

Plugin: Easy Social Share Buttons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Embed PDF Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via height and width Parameters
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: Web Directory Free

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SSV Events

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Unauthenticated PHP Object Injection to Remote Code Execution
Patched Version: 3.16.4
Recommended Action: Update to version 3.16.4, or a newer patched version

Plugin: Simple Testimonials Showcase

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page-list

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version

Plugin: PDF-Rechnungsverwaltung

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SendFox

Vulnerability: Unauthenticated Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ElementInvader Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Featured Posts with Multiple Custom Groups (FPMCG)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Editor+) Remote Code Execution
Patched Version: 1.5.122
Recommended Action: Update to version 1.5.122, or a newer patched version

Plugin: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Limb Gallery | Create Beautiful Image & Video Galleries

Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post From Frontend

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RomethemeKit For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Ultimate AI

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form by Supsystic

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.29
Recommended Action: Update to version 1.7.29, or a newer patched version

Plugin: Download Plugins and Themes in ZIP from Dashboard

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Plugin: Add Categories Post Footer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mitm Bug Tracker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Widget – Contact Query, Contact Page, Form Maker, Query Table

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Da Reactions

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: WP 2FA with Telegram

Vulnerability: Two-Factor Authentication Bypass
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: pretix widget

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: CSV Product Import Export for WooCommerce

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Template Customizer for WooCommerce

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 1.2.9.2
Recommended Action: Update to version 1.2.9.2, or a newer patched version

Plugin: Omnipress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Disc Golf Manager

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Telecash Ricaricaweb

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TS Poll – Survey, Versus Poll, Image Poll, Video Poll

Vulnerability: Authenticated (Administrator+) SQL Injection via orderby Parameter
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: PeproDev Ultimate Invoice

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: wp-Monalisa

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version

Plugin: SB Random Posts Widget

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Hustle – Email Marketing, Lead Generation, Optins, Popups

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.8.5
Recommended Action: Update to version 7.8.5, or a newer patched version

Plugin: VOD Infomaniak

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Automatically Hierarchic Categories in Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Social Auto Poster

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.16
Recommended Action: Update to version 5.3.16, or a newer patched version

Plugin: File Manager Pro

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 8.3.10
Recommended Action: Update to version 8.3.10, or a newer patched version

Plugin: Simple Custom Post Order

Vulnerability: Missing Authorization
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version

Plugin: Animator – Scroll Triggered Animations

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AB Categories Search Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.9.3.1
Recommended Action: Update to version 5.9.3.1, or a newer patched version

Plugin: YITH WooCommerce Product Add-Ons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.13.1
Recommended Action: Update to version 4.13.1, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.7.6
Recommended Action: Update to version 5.7.6, or a newer patched version

Plugin: Zotpress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.3.11
Recommended Action: Update to version 7.3.11, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.00
Recommended Action: Update to version 3.3.00, or a newer patched version

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.88
Recommended Action: Update to version 3.1.88, or a newer patched version

Plugin: Restaurant Reservations Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Missing Authorization to Arbitrary (Subscriber+) Attachment Deletion
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: BA Book Everything

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.21
Recommended Action: Update to version 1.6.21, or a newer patched version

Plugin: Search Atlas SEO – Best SEO Plugin for One-Click WP Publishing & Integrated AI Optimization

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Ajax Search Lite – Live Search & Filter

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.12.2
Recommended Action: Update to version 4.12.2, or a newer patched version

Plugin: Movie Database

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Move Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: User registration & user profile – UserPlus

Vulnerability: Missing Authorization via Multiple Functions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Logo Carousel – Clients logo carousel for WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Smart Online Order for Clover

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via moo_receipt_link Shortcode
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: WPIDE – File Manager & Code Editor

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: JiangQie Free Mini Program

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Strong Testimonials

Vulnerability: Missing Authorization
Patched Version: 3.1.17
Recommended Action: Update to version 3.1.17, or a newer patched version

Plugin: Adding drop down roles in registration

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.7
Recommended Action: Update to version 1.13.7, or a newer patched version

Plugin: Point Maker

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 0.1.5
Recommended Action: Update to version 0.1.5, or a newer patched version

Plugin: Language Switcher

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: Premium Blocks – Gutenberg Blocks for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.34
Recommended Action: Update to version 2.1.34, or a newer patched version

Plugin: WP Ultimate Post Grid

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpupg-grid-with-filters Shortcode
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Country Flags for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Blocks Pro

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Azz Anonim Posting

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FULL – Cliente

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.23
Recommended Action: Update to version 3.1.23, or a newer patched version

Plugin: Encyclopedia / Glossary / Wiki

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.61
Recommended Action: Update to version 1.7.61, or a newer patched version

Plugin: WP Content Copy Protection & No Right Click

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Missing Authorization
Patched Version: 1.20.0
Recommended Action: Update to version 1.20.0, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.2.7
Recommended Action: Update to version 5.2.7, or a newer patched version

Plugin: AADMY – Add Auto Date Month Year Into Posts

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: TablePress – Tables in WordPress made easy

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
