Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: BerqWP – Automated All-In-One PageSpeed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Newsletters
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.9.2
Recommended Action: Update to version 4.9.9.2, or a newer patched version
Plugin: Fluent Support – Helpdesk & Customer Support Ticket System
Vulnerability: Insufficient Authorization on Email Verification
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: LiteSpeed Cache
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version
Plugin: Wechat Social login 微信QQ钉钉登录插件
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mail logging – WP Mail Catcher
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via template_id
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: Premium Packages – Sell Digital Products Securely
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.9.2
Recommended Action: Update to version 5.9.2, or a newer patched version
Plugin: WP MyLinks
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: WP MultiTasking – WP Utilities
Vulnerability: WP Utilities <= 0.1.17
Patched Version: 0.1.18
Recommended Action: Update to version 0.1.18, or a newer patched version
Plugin: Visual CSS Style Editor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.5
Recommended Action: Update to version 7.6.5, or a newer patched version
Plugin: SVG Complete
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Relogo
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Absolute Reviews
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Criteria Name
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Button Group Module
Patched Version: 2.8.3.7
Recommended Action: Update to version 2.8.3.7, or a newer patched version
Plugin: PDF Image Generator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CartBounty – Save and recover abandoned carts for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.2.1
Recommended Action: Update to version 8.2.1, or a newer patched version
Plugin: Simple Calendar – Google Calendar Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: WPMobile.App — Android and iOS Mobile Application
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.51
Recommended Action: Update to version 11.51, or a newer patched version
Plugin: Wechat Social login 微信QQ钉钉登录插件
Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Loops & Logic
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: 4.9.16
Patched Version: 4.9.17
Recommended Action: Update to version 4.9.17, or a newer patched version
Plugin: 123.chat – Video Chat
Vulnerability: Video Chat <= 1.3.1
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-DownloadManager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.68.9
Recommended Action: Update to version 1.68.9, or a newer patched version
Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Vulnerability: Missing Authorization to Unauthenticated Database Upgrade
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: Simple Popup Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version
Plugin: Slider Revolution
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 6.7.19
Recommended Action: Update to version 6.7.19, or a newer patched version
Plugin: Classic Editor and Classic Widgets
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: WP Timeline – Vertical and Horizontal timeline plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: Search Analytics for WP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version
Plugin: Include Fussball.de Widgets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.12
Recommended Action: Update to version 2.5.12, or a newer patched version
Plugin: GTM Server Side
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.20
Recommended Action: Update to version 2.1.20, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.15.28
Recommended Action: Update to version 1.15.28, or a newer patched version
Plugin: LiteSpeed Cache
Vulnerability: Authenticated (Author+) Path Traversal
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: Cozy Blocks – Page Builder for Gutenberg & Site Editor with Post Blocks, WooCommerce Blocks, Magazine Blocks & WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version
Plugin: Accordion
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.100
Recommended Action: Update to version 2.2.100, or a newer patched version
Plugin: WP-WebAuthn
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: WPZOOM Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via box Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.3.3
Recommended Action: Update to version 5.9.3.3, or a newer patched version
Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel
Vulnerability: Missing Authorization
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: Multi Step for Contact Form 7
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 6.4.6.1
Recommended Action: Update to version 6.4.6.1, or a newer patched version
Plugin: Hello World
Vulnerability: Authenticated (Subscriber+) Arbitrary File Read
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Nokaut Offers Box
Vulnerability: Cross-Site Request Forgery to Plugin Setting Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 012 Ps Multi Languages
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.9.0
Recommended Action: Update to version 4.9.0, or a newer patched version
Plugin: Elastik Page Builder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LiteSpeed Cache
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: Meta Slider and Carousel with Lightbox
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Beam me up Scotty – Back to Top Button
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version
Plugin: Graphicsly – The ultimate graphics plugin for WordPress website builder ( Gutenberg, Elementor, Beaver Builder, WPBakery )
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Open Redirect
Patched Version: 4.0.4.6
Recommended Action: Update to version 4.0.4.6, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode
Patched Version: 3.10.0
Recommended Action: Update to version 3.10.0, or a newer patched version
Plugin: WP Datepicker
Vulnerability: Missing Authorization
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Download Monitor
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Shop Enable
Patched Version: 5.0.10
Recommended Action: Update to version 5.0.10, or a newer patched version
Plugin: LiteSpeed Cache
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: TS Poll – Survey, Versus Poll, Image Poll, Video Poll
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: OneElements – Best Elementor Addons
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Payflex Payment Gateway
Vulnerability: Open Redirect
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Prisna GWT – Google Website Translator
Vulnerability: Google Website Translator <= 1.4.11
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version
Plugin: Robokassa payment gateway for Woocommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Broken Link Checker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Iconize
Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EU/UK VAT Validation Manager for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.12.14
Recommended Action: Update to version 2.12.14, or a newer patched version
Plugin: Kodex Posts likes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPOptin – AI-Powered Top Bars, PopUps & Lead Generation
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: king_IE
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Banners
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Authenticated (GiveWP Manager+) SQL Injection via order Parameter
Patched Version: 3.16.2
Recommended Action: Update to version 3.16.2, or a newer patched version
Plugin: Joy Of Text Lite – SMS messaging for WordPress.
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Woo Labels – Product Labels for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.02
Recommended Action: Update to version 2.02, or a newer patched version
Plugin: Gravity Forms Toolbar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BSK Forms Blacklist
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version
Plugin: RumbleTalk Live Group Chat – HTML5
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version
Plugin: SEOPress – On-site SEO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Plugin: Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads
Vulnerability: Missing Authorization
Patched Version: 2.0.85
Recommended Action: Update to version 2.0.85, or a newer patched version
Plugin: MaxSlider
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: WP Compress – Instant Performance & Speed Optimization
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.21.01
Recommended Action: Update to version 6.21.01, or a newer patched version
Plugin: Super Testimonials
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via alignment Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: R Animated Icon Plugin
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Loggedin – Limit Active Logins
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: Jupiter X Core
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 4.6.6
Recommended Action: Update to version 4.6.6, or a newer patched version
Plugin: Jeg Elementor Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
Plugin: Advanced File Manager
Vulnerability: Authenticated (Administrator+) Local JavaScript File Inclusion via fma_locale
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version
Plugin: Guten Post Layout – An Advanced Post Grid Collection
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Responsive Touch Slider <= 3.9.10
Patched Version: 3.10.0
Recommended Action: Update to version 3.10.0, or a newer patched version
Plugin: Share This Image
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.02
Recommended Action: Update to version 2.02, or a newer patched version
Plugin: XLTab – Accordions and Tabs for Elementor Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud!
Vulnerability: Missing Authorization
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: Easy PayPal Events
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version
Plugin: Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version
Plugin: QS Dark Mode Plugin
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Move Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Uncanny Groups for LearnDash
Vulnerability: Authenticated (Group Leader+) Privilege Escalation
Patched Version: 6.1.1
Recommended Action: Update to version 6.1.1, or a newer patched version
Plugin: WPExperts Square For GiveWP
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FAQ / Accordion / Docs / KB – Helpie WordPress FAQ Accordion plugin
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.28
Recommended Action: Update to version 1.28, or a newer patched version
Plugin: Memberpress
Vulnerability: Missing Authorization
Patched Version: 1.11.35
Recommended Action: Update to version 1.11.35, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.13.12
Recommended Action: Update to version 2.13.12, or a newer patched version
Plugin: Salon Booking System
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 10.9.1
Recommended Action: Update to version 10.9.1, or a newer patched version
Plugin: Store Hours for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.22
Recommended Action: Update to version 4.3.22, or a newer patched version
Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.12.9
Recommended Action: Update to version 2.12.9, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Missing Authorization
Patched Version: 1.13.7
Recommended Action: Update to version 1.13.7, or a newer patched version
Plugin: Revolut Gateway for WooCommerce
Vulnerability: Missing Authorization to Unauthenticated Order Status Update
Patched Version: 4.17.4
Recommended Action: Update to version 4.17.4, or a newer patched version
Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.9.244
Recommended Action: Update to version 1.9.244, or a newer patched version
Plugin: PWA for WP & AMP
Vulnerability: Missing Authorization
Patched Version: 1.7.73
Recommended Action: Update to version 1.7.73, or a newer patched version
Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version
Plugin: Themedy Toolbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.7.4
Recommended Action: Update to version 8.7.4, or a newer patched version
Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
Vulnerability: Missing Authorization to Unauthenticated Ticket Reply Exposure
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: Slideshow Gallery LITE
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: WP-WebAuthn
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wwa_login_form Shortcode
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: WPCOM Member
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4.1
Recommended Action: Update to version 1.5.4.1, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: WP Hotel Booking
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Vulnerability: Insecure Direct Object Reference to Account Takeover/Privilege Escalation
Patched Version: 6.7.13
Recommended Action: Update to version 6.7.13, or a newer patched version
Plugin: MAS Static Content
Vulnerability: Authenticated (Contributor+) Private Static Content Page Disclosure
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
Plugin: GEO my WP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.0.4
Recommended Action: Update to version 4.5.0.4, or a newer patched version
Plugin: Author Avatars List/Block
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.1.22
Recommended Action: Update to version 2.1.22, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.16.0
Recommended Action: Update to version 3.16.0, or a newer patched version
Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 5.7.35
Recommended Action: Update to version 5.7.35, or a newer patched version
Plugin: ElementsReady Addons for Elementor
Vulnerability: Open Redirect
Patched Version: 6.4.3
Recommended Action: Update to version 6.4.3, or a newer patched version
Plugin: Advanced File Manager
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version
Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.4
Recommended Action: Update to version 4.2.4, or a newer patched version
Plugin: OSM – OpenStreetMap
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via osm_map and osm_map_v3 Shortcodes
Patched Version: 6.1.1
Recommended Action: Update to version 6.1.1, or a newer patched version
Plugin: GF Custom Style
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Zoho Forms – Drag & Drop Form Builder for Websites – Contact Forms, Payment Forms, Order Forms & More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Plugin: Daily Prayer Time
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2024.09.14
Recommended Action: Update to version 2024.09.14, or a newer patched version
Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: WP GPX Maps
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sgpx Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TNC PDF viewer
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: ElementsReady Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version
Plugin: WP Travel Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: Geo Mashup
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via geo_mashup_visible_posts_list Shortcode
Patched Version: 1.13.14
Recommended Action: Update to version 1.13.14, or a newer patched version
Plugin: BSK PDF Manager
Vulnerability: Arbitrary JavaScript Execution
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.12.17
Recommended Action: Update to version 1.12.17, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Missing Authorization
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version
Plugin: ARI Fancy Lightbox – Popup for WordPress
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.3.18
Recommended Action: Update to version 1.3.18, or a newer patched version
Plugin: WP-Lister Lite for eBay
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: Terms descriptions
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Slider Feed
Vulnerability: Missing Authorization
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Copyscape Premium
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.13.11
Recommended Action: Update to version 2.13.11, or a newer patched version
Plugin: LH Copy Media File
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.09
Recommended Action: Update to version 1.09, or a newer patched version
Plugin: Material Design Icons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mdi-icon Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YITH WooCommerce Ajax Search
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: Product Enquiry for WooCommerce, WooCommerce product catalog
Vulnerability: Authenticated (Author+) PHP Object Injection in enquiry_detail.php
Patched Version: 2.2.33.34
Recommended Action: Update to version 2.2.33.34, or a newer patched version
Plugin: TinyPNG – JPEG, PNG & WebP image compression
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: DethemeKit For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: Simple Membership After Login Redirection
Vulnerability: Open Redirect
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: AVIF Uploader
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: LocateAndFilter
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.6.16
Recommended Action: Update to version 1.6.16, or a newer patched version
Plugin: WP Bulk Delete
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Mapplic Lite
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Easy Gallery – WordPress Gallery Plugin
Vulnerability: Authenticated (Contributor+) SQL Injection via key Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Enter Addons – Ultimate Template Builder for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: Cities Shipping Zones for WooCommerce
Vulnerability: Authenticated (Shop Manager+) Local File Inclusion
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Chartify – WordPress Chart Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version
Plugin: Auto Featured Image from Title
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: Uncanny Groups for LearnDash
Vulnerability: Missing Authorization to Authenticated (Group Leader+) User Group Add
Patched Version: 6.1.1
Recommended Action: Update to version 6.1.1, or a newer patched version
Plugin: YML for Yandex Market
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version
Plugin: Gallery Lightbox
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.0.0.41
Recommended Action: Update to version 1.0.0.41, or a newer patched version
Plugin: The Events Calendar
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 6.6.4
Recommended Action: Update to version 6.6.4, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.12.1
Recommended Action: Update to version 3.12.1, or a newer patched version
Plugin: Keap Official Opt-in Forms
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.9.7
Recommended Action: Update to version 1.3.9.7, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via slider callback
Patched Version: 3.9.10
Recommended Action: Update to version 3.9.10, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.8.13
Recommended Action: Update to version 2.8.13, or a newer patched version
Plugin: Soumettre.fr
Vulnerability: Missing Authorization
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: VdoCipher: Secure Video Player and Hosting
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.30
Recommended Action: Update to version 1.30, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.10.0
Recommended Action: Update to version 3.10.0, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version
Plugin: ElementInvader Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Affiliate Program Suite — SliceWP Affiliates
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version
Plugin: Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via stars_testimonials Shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: MC4WP: Mailchimp Top Bar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.122
Recommended Action: Update to version 1.5.122, or a newer patched version
Plugin: BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Use Any Font | Custom Font Uploader
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.3.09
Recommended Action: Update to version 6.3.09, or a newer patched version
Plugin: Fluent Support – Helpdesk & Customer Support Ticket System
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Web Directory Free
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: Easy WordPress Subscribe – Optin Hound
Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page-list
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version
Plugin: RabbitLoader – Website Speed Optimization for improving Core Web Vital metrics with Cache, Image Optimization, and more
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.21.1
Recommended Action: Update to version 2.21.1, or a newer patched version
Plugin: Zoho Flow – Integrate 90+ plugins with 900+ business apps, no-code workflow automation
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: Easy Mega Menu Plugin for WordPress – ThemeHunk
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Updates
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: XO Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Echo RSS Feed Post Generator
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 5.4.7
Recommended Action: Update to version 5.4.7, or a newer patched version
Plugin: RomethemeKit For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.16.2
Recommended Action: Update to version 3.16.2, or a newer patched version
Plugin: ClickSold IDX
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.90
Recommended Action: Update to version 2.2.90, or a newer patched version
Plugin: EU/UK VAT Validation Manager for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.12.14
Recommended Action: Update to version 2.12.14, or a newer patched version
Plugin: OSM – OpenStreetMap
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version
Plugin: Simple Job Board
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.12.2
Recommended Action: Update to version 2.12.2, or a newer patched version
Plugin: Simple LDAP Login
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Advanced File Manager
Vulnerability: Authenticated (Subscriber+) Limited File Upload
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version
Plugin: Common Tools for Site
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementsKit Elementor addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Video Widget
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version
Plugin: Wheel of Life: Coaching and Assessment Tool for Life Coach
Vulnerability: Missing Authorization
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Bulk NoIndex & NoFollow Toolkit
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.16
Recommended Action: Update to version 2.16, or a newer patched version
Plugin: DK PDF – WordPress PDF Generator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: Easy Load More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Automatically Hierarchic Categories in Menu
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Social Auto Poster
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.16
Recommended Action: Update to version 5.3.16, or a newer patched version
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Insecure Direct Object Reference to Unsubscribe
Patched Version: 1.3.6.2
Recommended Action: Update to version 1.3.6.2, or a newer patched version
Plugin: YITH WooCommerce Product Add-Ons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.13.1
Recommended Action: Update to version 4.13.1, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.7.6
Recommended Action: Update to version 5.7.6, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Media Grid Widget
Patched Version: 4.10.53
Recommended Action: Update to version 4.10.53, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Zotpress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.3.11
Recommended Action: Update to version 7.3.11, or a newer patched version
Plugin: Nokaut Offers Box
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BA Book Everything
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.21
Recommended Action: Update to version 1.6.21, or a newer patched version
Plugin: Search Atlas SEO – Best SEO Plugin for One-Click WP Publishing & Integrated AI Optimization
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Move Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.15
Recommended Action: Update to version 1.3.15, or a newer patched version
Plugin: Logo Carousel – Clients logo carousel for WP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Strong Testimonials
Vulnerability: Missing Authorization
Patched Version: 3.1.17
Recommended Action: Update to version 3.1.17, or a newer patched version
Plugin: Spice Starter Sites
Vulnerability: Missing Authorization to Unauthenticated Demo Content Import
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mega Elements – Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: WordPress & WooCommerce Affiliate Program
Vulnerability: Authentication Bypass to Account Takeover and Privilege Escalation
Patched Version: 8.5.0
Recommended Action: Update to version 8.5.0, or a newer patched version
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Unauthenticated Information Exposure
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.7
Recommended Action: Update to version 1.13.7, or a newer patched version
Plugin: Jupiter X Core
Vulnerability: Limited Unauthenticated Authentication Bypass to Account Takeover
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version
Plugin: GutenGeek Free Gutenberg Blocks for WordPress
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Blocks – Gutenberg Blocks for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.34
Recommended Action: Update to version 2.1.34, or a newer patched version
Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version
Plugin: WordPress Simple HTML Sitemap
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: The Events Calendar
Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.6.4.1
Recommended Action: Update to version 6.6.4.1, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Reflected Self-Based Cross-Site Scripting via Referer
Patched Version: 3.8.16
Recommended Action: Update to version 3.8.16, or a newer patched version
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version
Plugin: Sight – Professional Image Gallery and Portfolio
Vulnerability: Missing Authorization to Sensitive Information Exposure in handler_post_title
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 5.7.35
Recommended Action: Update to version 5.7.35, or a newer patched version
Plugin: WordPress Visitors
Vulnerability: Unauthenticated Stored Cross-Site Scripting via HTTP Header
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Vulnerability: Missing Authorization
Patched Version: 1.20.0
Recommended Action: Update to version 1.20.0, or a newer patched version
Plugin: WP Timeline – Vertical and Horizontal timeline plugin
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: WP Timeline – Vertical and Horizontal timeline plugin
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: Confetti Fall Animation
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.