Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Simple Code Insert Shortcode
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: G Meta Keywords
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: File Manager Pro
Vulnerability: Unauthenticated Limited JavaScript File Upload
Patched Version: 8.3.10
Recommended Action: Update to version 8.3.10, or a newer patched version
Plugin: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
Vulnerability: Missing Authorization
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version
Plugin: WordPress Mega Menu – QuadMenu
Vulnerability: Arbitrary File Creation
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Miniorange OTP Verification with Firebase
Vulnerability: Authentication Bypass
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: Relevanssi – A Better Search
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.23.1
Recommended Action: Update to version 4.23.1, or a newer patched version
Plugin: Simple Baseball Scoreboard
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Featured Posts with Multiple Custom Groups (FPMCG)
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘pt_cancel_subscription’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Linked Variation for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP REST API FNS Plugin
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Icons for Elementor
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 0.3.4
Recommended Action: Update to version 0.3.4, or a newer patched version
Plugin: TeploBot – Telegram Bot for WP
Vulnerability: Telegram Bot for WP <= 1.3
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cooked Pro
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: WP Popup Builder – Popup Forms and Marketing Lead Generation
Vulnerability: Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: Nextend Social Login Pro
Vulnerability: Authentication Bypass
Patched Version: 3.1.15
Recommended Action: Update to version 3.1.15, or a newer patched version
Plugin: 3D Work In Progress
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smart Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: myCred Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: My Favorites
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: ACF Images Search And Insert
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Add to Cart Button Label and Link
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: leenk.me
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Limb Gallery | Create Beautiful Image & Video Galleries
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All in One Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cookie Scanner – automated cookie list
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Plexx Elementor Extension
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Themesflat Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: Simple User Registration
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEO Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Customizer Light
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IdeaPush
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.71
Recommended Action: Update to version 8.71, or a newer patched version
Plugin: WP-Spreadplugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall
Vulnerability: Authenticated PHAR Deserialization
Patched Version: 4.3.4
Recommended Action: Update to version 4.3.4, or a newer patched version
Plugin: Google Map Locations
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Easy Post Types
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Suki Sites Import
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CM Tooltip Glossary
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.11
Recommended Action: Update to version 4.3.11, or a newer patched version
Plugin: EventON Pro
Vulnerability: WordPress Virtual Event Calendar Plugin <= 4.6.8
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Missing Authorization
Patched Version: 3.12.4
Recommended Action: Update to version 3.12.4, or a newer patched version
Plugin: Mega Elements – Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Contact Form by Supsystic
Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 1.7.29
Recommended Action: Update to version 1.7.29, or a newer patched version
Plugin: SW Contact Form
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cab fare calculator
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: External featured image from bing
Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IP Loc8
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Time Clock Pro
Vulnerability: Unauthenticated (Limited) Remote Code Execution
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Contact Form 7 – PayPal & Stripe Add-on
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Recently – Viewed, Most Viewed and Sold Products for WooCommerce
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ZoomSounds – WordPress Wave Audio Player with Playlist
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 6.05
Recommended Action: Update to version 6.05, or a newer patched version
Plugin: AI Image Generator for Your Content & Featured Images – AI Postpix
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ajax Rating with Custom Login
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Missing Authorization
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version
Plugin: Google Docs RSVP, WordPress Plugin
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: N-Media Post Front-end Form
Vulnerability: Arbitrary File Upload
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: BuddyPress Greeting Message
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP REST API FNS Plugin
Vulnerability: Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Members Membership Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.9.6
Recommended Action: Update to version 3.4.9.6, or a newer patched version
Plugin: Category and Taxonomy Meta Fields
Vulnerability: Cross-Site Request Forgery to Taxonomy Meta Add/Delete
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Pricing Table Builder – wpPricing Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘update_profile_preference’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Social Share With Floating Bar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ahmeti Wp Timeline
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
Vulnerability: Missing Authorization
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version
Plugin: CubeWP – All-in-One Dynamic Content Framework
Vulnerability: Missing Authorization
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version
Plugin: Product Filter by WBW
Vulnerability: Missing Authorization
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: FERMA.ru.net
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Property Lot Management System
Vulnerability: Authenticated (Salesman+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 6.4.6.2
Recommended Action: Update to version 6.4.6.2, or a newer patched version
Plugin: Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons
Vulnerability: Missing Authorization
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: jLayer Parallax Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Risk Warning Bar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Edit WooCommerce Templates
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: Easy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fonto – Custom Web Fonts Manager
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Portfolleo
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smart Online Order for Clover
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version
Plugin: Facebook Chat Plugin – Live Chat Plugin for WordPress
Vulnerability: Missing Capabilities Check
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Edit WooCommerce Templates
Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Missing Authorization
Patched Version: 4.3.18
Recommended Action: Update to version 4.3.18, or a newer patched version
Plugin: GERRYWORKS Post by Mail
Vulnerability: Contributor+ Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YASR – Yet Another Star Rating Plugin for WordPress
Vulnerability: Missing Authorization Checks
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: WP Photo Album Plus
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.8.07.004
Recommended Action: Update to version 8.8.07.004, or a newer patched version
Plugin: Backup and Staging by WP Time Capsule
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 1.22.22
Recommended Action: Update to version 1.22.22, or a newer patched version
Plugin: EKC Tournament Manager
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: Kaswara Modern VC Addons
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Job Board Manager for WordPress
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LuckyWP Scripts Control
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Category and Taxonomy Meta Fields
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate AI
Vulnerability: Limited User Password Change due to Improper Empty and Missing Default Value Check
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP ULike – All-in-One Engagement Toolkit
Vulnerability: Cross-Site Request Forgery to Statistic Deletion
Patched Version: 4.7.5
Recommended Action: Update to version 4.7.5, or a newer patched version
Plugin: Payflex Payment Gateway
Vulnerability: Open Redirect
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: VKontakte Wall Post
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cooked Pro
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Infinite-Scroll
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bet WC 2018 Russia
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event
Vulnerability: Authenticated (Contributor+) PHP Object Injection via Custom Meta
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Web Bricks Addons for Elementor: Elite-Designed Elementor & eCommerce Widgets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version
Plugin: Community Lite Video Chat
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LaTeX2HTML
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version
Plugin: AppPresser – Mobile App Framework
Vulnerability: Privilege Escalation and Account Takeover via Weak OTP
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version
Plugin: RS-Members
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elemenda
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Nice Backgrounds
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MAS Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: LuckyWP Scripts Control
Vulnerability: Missing Authorization
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: GetResponse Forms by Optin Cat
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: My Reading Library
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: chatplusjp
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YASR – Yet Another Star Rating Plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting via fs_request_get
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Kento Post View Counter
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FREE DOWNLOAD MANAGER
Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AffiliateX – Amazon Affiliate Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9.1
Recommended Action: Update to version 1.2.9.1, or a newer patched version
Plugin: Rate Own Post
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VR Calendar
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
Vulnerability: Unauthenticated Arbitrary File Read
Patched Version: 5.9.9
Recommended Action: Update to version 5.9.9, or a newer patched version
Plugin: Most And Least Read Posts Widget
Vulnerability: Cross-Site Request Forgery via most_and_least_read_posts_options
Patched Version: 2.5.19
Recommended Action: Update to version 2.5.19, or a newer patched version
Plugin: Sovratec Case Management
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Category and Taxonomy Image
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Parallax Image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via dd-parallax Shortcode
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: Unlimited Addon For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ad Inserter – Ad Manager & AdSense Ads
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.38
Recommended Action: Update to version 2.7.38, or a newer patched version
Plugin: SafetyForms – Create forms with Real-time Email Validation
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ACF Quick Edit Fields
Vulnerability: Authenticated (Contributor+) Insecure Direct Object Reference
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Todo Custom Field
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mapplic Lite
Vulnerability: Server Side Request Forgery to Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Ajax Custom CSS/JS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Creates 3D Flipbook, PDF Flipbook in WordPress
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking.com Banner Creator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Multiline files upload for contact form 7
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version
Plugin: Rover IDX
Vulnerability: Authenticated (Subscriber+) Authentication Bypass to Administrator
Patched Version: 3.0.0.2906
Recommended Action: Update to version 3.0.0.2906, or a newer patched version
Plugin: WP Helper Premium
Vulnerability: Missing Authorization in whp_smtp_send_mail_test
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version
Plugin: BigBlueButton
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: Advanced Advertising System
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ProfilePress Pro
Vulnerability: Not stated in this listing (affected versions: Pro <= 4.11.1)
Patched Version: 4.11.2
Recommended Action: Update to version 4.11.2, or a newer patched version
Plugin: DPD Baltic Shipping
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.84
Recommended Action: Update to version 1.2.84, or a newer patched version
Plugin: DocumentPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.13.3
Recommended Action: Update to version 1.13.3, or a newer patched version
Plugin: Speed Optimizer – The All-In-One Performance-Boosting Plugin
Vulnerability: Missing Authorization
Patched Version: 5.0.13
Recommended Action: Update to version 5.0.13, or a newer patched version
Plugin: WordPress Video
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ARI Adminer – WordPress Database Manager
Vulnerability: Missing Authorization and No Direct File Access Restrictions
Patched Version: 1.1.15
Recommended Action: Update to version 1.1.15, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.28
Recommended Action: Update to version 1.8.28, or a newer patched version
Plugin: Agile Video Player Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: photokit
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: My Wp Brand – Hide menu & Hide Plugin
Vulnerability: Missing Authorization
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Affiliator
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Akismet htaccess writer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Sessions Time Monitoring Full Automatic
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Back Link Tracker
Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Filter by WBW
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: BuddyPress Better Registration
Vulnerability: Authentication Bypass to Administrator
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CJ Change Howdy
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SendPulse Free Web Push
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: SVG Captcha
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin
Vulnerability: Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover
Patched Version: 1.0.26
Recommended Action: Update to version 1.0.26, or a newer patched version
Plugin: WordPress Image SEO
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Review & testimonial widgets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version
Plugin: Themesflat Addons For Elementor
Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
Vulnerability: Missing Authorization to Unauthenticated Ticket Reply Exposure
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: Tainacan
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 0.21.9
Recommended Action: Update to version 0.21.9, or a newer patched version
Plugin: My Favorites
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Locatoraid Store Locator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.48
Recommended Action: Update to version 3.9.48, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version
Plugin: Feed Comments Number
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Auto Poster
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.16
Recommended Action: Update to version 5.3.16, or a newer patched version
Plugin: ADIF Log Search Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Free Stock Photos Foter
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: bVerse Convert
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
Plugin: ACL Floating Cart for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Category Dropdown by GCS Design
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: Client Power Tools Portal
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: cSlider
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kama SpamBlock
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Ahime Image Printer
Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tito
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cooked Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Cross-Site Request Forgery to Draft Custom Form Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version
Plugin: SEUR Oficial
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.10
Recommended Action: Update to version 3.0.10, or a newer patched version
Plugin: Download Manager
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.99
Recommended Action: Update to version 3.2.99, or a newer patched version
Plugin: Themesflat Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: Better Author Bio
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 3D Work In Progress
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Sharing Plugin – Sassy Social Share
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: video carousel slider with lightbox
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Wsify widget
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Branding
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Verbalize WP
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: File Manager Pro
Vulnerability: Unauthenticated Backup File Download and Upload
Patched Version: 8.3.10
Recommended Action: Update to version 8.3.10, or a newer patched version
Plugin: SKT Blocks – Gutenberg based Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: ThemeGrill Demo Importer
Vulnerability: Not stated in this listing (affected version: 1.6.1)
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Banner Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Anchor Episodes Index (Spotify for Podcasters)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via anchor_episodes Shortcode
Patched Version: 2.1.11
Recommended Action: Update to version 2.1.11, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Cross-Site Request Forgery to Draft Quiz Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version
Plugin: Parcel Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: Dynamic Elementor Addons
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Author Discussion
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.05.03
Recommended Action: Update to version 2.05.03, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Sensitive Information Disclosure
Patched Version: 0.9.36
Recommended Action: Update to version 0.9.36, or a newer patched version
Plugin: Primary Addon for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version
Plugin: WooCommerce Maintenance Mode (Free)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Backup and Staging by WP Time Capsule
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.22.22
Recommended Action: Update to version 1.22.22, or a newer patched version
Plugin: ajax-extend
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Website Showcase
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Accordion Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Attribute
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version
Plugin: Talkback
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Curator.io
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via feed_id Attribute
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version
Plugin: Code Generate
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Calendar
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Calendar Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Whitelist
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Analyse Uploads
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woocommerce Custom Profile Picture
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SiteBuilder Dynamic Components
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Timetable and Event Schedule by MotoPress
Vulnerability: Missing Authorization
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: Payment Forms for Paystack
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: ElementInvader Addons for Elementor
Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Maan Addons For Elementor
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Miniorange OTP Verification with Firebase
Vulnerability: Unauthenticated Arbitrary User Password Change
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: WooCommerce Advanced Bulk Edit Products, Orders, Coupons, Any WordPress Post Type – Smart Manager
Vulnerability: Missing Authorization
Patched Version: 8.46.0
Recommended Action: Update to version 8.46.0, or a newer patched version
Plugin: Leyka
Vulnerability: Missing Authorization
Patched Version: 3.31.7
Recommended Action: Update to version 3.31.7, or a newer patched version
Plugin: Category and Taxonomy Meta Fields
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event
Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
Vulnerability: Missing Authorization
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version
Plugin: Awesome Contact Form7 for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Bulk images optimizer: Resize, optimize, convert to webp, rename …
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shipyaari Shipping Management
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Debrandify · Remove or Replace WordPress Branding
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Product Vendors
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.36
Recommended Action: Update to version 2.0.36, or a newer patched version
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version
Plugin: Indeed Membership Pro
Vulnerability: 8.6
Patched Version: 8.6.1
Recommended Action: Update to version 8.6.1, or a newer patched version
Plugin: File Manager
Vulnerability: Unauthenticated Arbitrary File Upload/Download
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Htaccess File Editor – Easily Edit, Backup, Restore .htaccess file
Vulnerability: Missing Authorization
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version
Plugin: Extra Privacy for Elementor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Education – Education WordPress Plugin for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via text_html_tag
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: Download Monitor
Vulnerability: Missing Authorization to Unauthenticated Data Export
Patched Version: 4.7.52
Recommended Action: Update to version 4.7.52, or a newer patched version
Plugin: Giveaway Boost
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in 'paytium_sw_save_api_keys'
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: MainWP Dashboard: WordPress Management without the SaaS
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: iBryl Switch User
Vulnerability: Authenticated (Subscriber+) Privilege Escalation via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Translate WordPress – Google Language Translator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version
Plugin: Flexmls® IDX Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.14.23
Recommended Action: Update to version 3.14.23, or a newer patched version
Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Sina Modal Box Widget Elementor Template
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version
Plugin: Great Restaurant Menu WP
Vulnerability: Missing Authorization
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: SSV MailChimp
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: Digital Lottery
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Local Business Addons For Elementor (Formally Waze Map)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in 'check_for_verified_profiles'
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Photo Gallery Builder
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Custom Fields (ACF)
Vulnerability: Authenticated (Admin+) Limited Arbitrary Function Call
Patched Version: 6.3.6.3
Recommended Action: Update to version 6.3.6.3, or a newer patched version
Plugin: Mighty Builder – Drag & Drop WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Social Share Buttons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.20
Recommended Action: Update to version 1.20, or a newer patched version
Plugin: Linkz.ai – Automatic link previews on hover
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via AJAX
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Advanced Custom Fields (ACF)
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 6.3.6.3
Recommended Action: Update to version 6.3.6.3, or a newer patched version
Plugin: WordPress Portfolio Builder – Portfolio Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wp-ImageZoom
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Load More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Linkz.ai – Automatic link previews on hover
Vulnerability: Missing Authorization to Unauthenticated Plugin Settings Update
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
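The two Linkz.ai entries above (a Subscriber+ settings update and an unauthenticated one, both via AJAX) and the many "Missing Authorization" and "Cross-Site Request Forgery" entries on this page come from the same root cause: an admin-ajax action registered without a capability check, sometimes also hooked on the nopriv variant so that logged-out visitors reach it. The following is an added illustration of that pattern and its fix in plugin PHP; it is not code from any plugin listed here, and the action name, option name and function names are invented.

```php
<?php
// Added illustration (not code from any plugin listed on this page).
// Action name, option name and function names are invented for the example.

// --- Vulnerable pattern: settings update reachable by anyone -----------------
// wp_ajax_nopriv_* fires for logged-out visitors; wp_ajax_* fires for ANY
// logged-in user, Subscribers included. Neither hook performs a capability check.
function example_save_settings_vulnerable() {
    $settings = array(
        'api_key'  => isset( $_POST['api_key'] ) ? $_POST['api_key'] : '',
        'endpoint' => isset( $_POST['endpoint'] ) ? $_POST['endpoint'] : '',
    );
    update_option( 'example_settings', $settings ); // no authz, no nonce, no sanitizing
    wp_send_json_success();
}
// As registered in an affected plugin (left commented out so this file loads cleanly):
// add_action( 'wp_ajax_example_save_settings',        'example_save_settings_vulnerable' );
// add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );

// --- Hardened pattern ----------------------------------------------------------
// 1. No nopriv hook for a privileged action.
// 2. Capability check: this is the authorization decision (fixes "Missing Authorization").
// 3. Nonce check: this is CSRF protection only, not authorization; a nonce alone
//    would still let any user who can obtain one call the action (the CSRF entries).
// 4. Sanitize what is stored.
function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_save_settings', 'nonce' ); // dies on failure

    $settings = array(
        'api_key'  => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'endpoint' => esc_url_raw( wp_unslash( $_POST['endpoint'] ?? '' ) ),
    );
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

// The nonce the hardened handler expects is minted server-side for the admin page.
function example_enqueue_admin_js() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_js' );
```

A quick audit for this class across an install is to search wp-content/plugins for wp_ajax_nopriv_ registrations and confirm that each handler they point at either is genuinely public or performs a current_user_can() check before touching options, files or user data.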
Plugin: Simple Membership
Vulnerability: Unauthenticated Open Redirect
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Click to Chat – WP Support All-in-One Floating Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpsaio_snapchat Shortcode
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Core: WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function
Patched Version: 3.7.39
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.39, 3.8.39, 3.9.37, 4.0.36, 4.1.36, 4.2.33, 4.3.29, 4.4.28, 4.5.27, 4.6.24, 4.7.24, 4.8.20, 4.9.21, 5.0.17, 5.1.14, 5.2.16, 5.3.13, 5.4.11, 5.5.10, 5.6.9, 5.7.7, 5.8.5, 5.9.4, 6.0.2
Plugin: Events Addon for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Affiliate Platform
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RSS Feed Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via rfw-youtube-videos Shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Custom Admin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SSV Events
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Unauthenticated PHP Object Injection to Remote Code Execution
Patched Version: 3.16.4
Recommended Action: Update to version 3.16.4, or a newer patched version
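The GiveWP entry above is one of seven PHP Object Injection entries on this page (SiteBuilder Dynamic Components, Shipyaari Shipping Management, Giveaway Boost, Disc Golf Manager, Telecash Ricaricaweb and WP Easy Post Types are the others). The root cause is always unserialize() on attacker-controlled input; whether it escalates to the "Remote Code Execution" in the GiveWP title depends on a gadget chain existing in the loaded code base. The following added example, not code from any listed plugin, shows a minimal gadget, the vulnerable pattern and two fixes; class, parameter and function names are invented.

```php
<?php
// Added illustration (not code from any plugin listed on this page).
// Class, parameter and function names are invented.

// A class like this anywhere in the loaded code base (plugin, theme, vendored
// library) is a "gadget": PHP calls __destruct() on the attacker-supplied object
// with attacker-chosen property values.
class Example_Tmp_File {
    public $path;
    public function __destruct() {
        if ( $this->path && file_exists( $this->path ) ) {
            unlink( $this->path ); // attacker controls $path => arbitrary file deletion
        }
    }
}

// --- Vulnerable: client-supplied state restored with unserialize() -----------
function example_restore_state_vulnerable() {
    $raw = isset( $_POST['state'] ) ? wp_unslash( $_POST['state'] ) : '';
    // A POST body of
    //   state=O:16:"Example_Tmp_File":1:{s:4:"path";s:22:"/var/www/wp-config.php";}
    // instantiates the gadget above with an attacker-chosen path.
    return unserialize( $raw );
}

// --- Hardened, option A: never deserialize client data into PHP objects ------
function example_restore_state_json( string $raw ): array {
    $state = json_decode( $raw, true ); // arrays only, no class instantiation
    if ( ! is_array( $state ) ) {
        return array();
    }
    // Validate the shape explicitly instead of trusting the client.
    return array(
        'page'  => isset( $state['page'] ) ? absint( $state['page'] ) : 1,
        'query' => isset( $state['query'] ) ? sanitize_text_field( $state['query'] ) : '',
    );
}

// --- Hardened, option B: if a serialized blob is unavoidable, forbid classes --
function example_restore_state_noclass( string $raw ): array {
    // With allowed_classes => false every object becomes __PHP_Incomplete_Class,
    // so no gadget's __wakeup()/__destruct() logic runs.
    $state = @unserialize( $raw, array( 'allowed_classes' => false ) );
    return is_array( $state ) ? $state : array();
}

// If the round-tripped blob must be trusted, authenticate it: sign on the way out,
// verify with a constant-time compare on the way back in.
function example_sign_state( array $state, string $key ): string {
    $blob = wp_json_encode( $state );
    return base64_encode( $blob ) . '.' . hash_hmac( 'sha256', $blob, $key );
}
function example_verify_state( string $token, string $key ) {
    $parts = explode( '.', $token, 2 );
    if ( count( $parts ) !== 2 ) {
        return null;
    }
    $blob = base64_decode( $parts[0], true );
    if ( false === $blob || ! hash_equals( hash_hmac( 'sha256', $blob, $key ), $parts[1] ) ) {
        return null; // tampered or forged
    }
    return json_decode( $blob, true );
}
```

When triaging an entry of this class, the question to answer is not only "is unserialize() reachable" but "which classes are loaded at that point": the same plugin bug is a denial-of-service on one site and remote code execution on another that happens to ship a usable gadget chain.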
Plugin: Simple Testimonials Showcase
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PDF-Rechnungsverwaltung
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP SendFox
Vulnerability: Unauthenticated Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smooth Gallery Replacement
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementInvader Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: SermonAudio Widgets
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SendGrid for WordPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ReDi Restaurant Reservation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 24.1015
Recommended Action: Update to version 24.1015, or a newer patched version
Plugin: Featured Posts with Multiple Custom Groups (FPMCG)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Dropbox Dropins
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version
Plugin: ElementsReady Addons for Elementor
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 6.4.4
Recommended Action: Update to version 6.4.4, or a newer patched version
Plugin: HD Quiz – Save Results Light
Vulnerability: Missing Authorization
Patched Version: 0.6
Recommended Action: Update to version 0.6, or a newer patched version
Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Vulnerability: Authenticated (Editor+) Remote Code Execution
Patched Version: 1.5.122
Recommended Action: Update to version 1.5.122, or a newer patched version
Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version
Plugin: Limb Gallery | Create Beautiful Image & Video Galleries
Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post From Frontend
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate AI
Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woostagram Connect
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form by Supsystic
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.29
Recommended Action: Update to version 1.7.29, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Subscriber+) Private Post Disclosure
Patched Version: 1.3.987
Recommended Action: Update to version 1.3.987, or a newer patched version
Plugin: All-in-One WP Migration and Backup
Vulnerability: Unauthenticated Information Disclosure via Error Logs
Patched Version: 7.87
Recommended Action: Update to version 7.87, or a newer patched version
Plugin: Add Categories Post Footer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: Unauthenticated Information Disclosure
Patched Version: 2.05.03
Recommended Action: Update to version 2.05.03, or a newer patched version
Plugin: Mitm Bug Tracker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Widget – Contact Query, Contact Page, Form Maker, Query Table
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Da Reactions
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: RSS Feed Widget
Vulnerability: Reflected Cross-Site Scripting via $_SERVER[‘REQUEST_URI’]
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
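RSS Feed Widget appears on this page twice: a Contributor+ stored cross-site scripting via a shortcode, and the reflected cross-site scripting via $_SERVER['REQUEST_URI'] just above. "Authenticated (Contributor+) Stored Cross-Site Scripting" is the single most common title on this page, and the mechanism is worth spelling out: a Contributor lacks the unfiltered_html capability, so KSES strips script tags and event handlers from their post content, but shortcode attributes are plain text to KSES and are rendered by plugin code at view time. Whatever the plugin echoes unescaped runs in the browser of every viewer, including the Editor or Administrator who previews the pending post. The following added example, not code from any listed plugin, shows both variants and their fixes; shortcode tag, attribute and function names are invented.

```php
<?php
// Added illustration (not code from any plugin listed on this page).
// Shortcode tag, attribute names and function names are invented.

// --- Vulnerable shortcode: attributes echoed unescaped -------------------------
// A Contributor cannot save <script> (KSES removes it), but can write
//   [example_embed url='x" onmouseover="alert(1)' title="Click"]
// KSES leaves text that is not an HTML tag alone, so the attribute survives and
// an Editor previewing the pending post receives
//   <a class="example" href="x" onmouseover="alert(1)">Click</a>
function example_embed_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'title' => '' ), $atts, 'example_embed' );
    return '<a class="example" href="' . $atts['url'] . '">' . $atts['title'] . '</a>';
}

// --- Hardened shortcode: escape for the exact output context -------------------
function example_embed_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'title' => '' ), $atts, 'example_embed' );
    // esc_url() strips quotes, whitespace and angle brackets and rejects
    // javascript: and data: schemes. esc_attr() alone would keep a
    // javascript: URL intact, so it is the wrong function for href.
    // esc_html() encodes <, >, &, " and ' for element content.
    return '<a class="example" href="' . esc_url( $atts['url'] ) . '">'
         . esc_html( $atts['title'] ) . '</a>';
}
add_shortcode( 'example_embed', 'example_embed_hardened' );

// --- Reflected XSS via $_SERVER['REQUEST_URI'] -----------------------------------
// REQUEST_URI is attacker-controlled on every request. Printing it raw into a
// form action lets /page/?a=" onmouseover="alert(1) break out of the attribute,
// and the victim only has to follow a link.
function example_form_action_vulnerable() {
    return '<form method="post" action="' . $_SERVER['REQUEST_URI'] . '">';
}
function example_form_action_hardened() {
    // esc_url() makes the value safe inside the attribute. Better still, build the
    // URL from known pieces (get_permalink(), add_query_arg()) and avoid REQUEST_URI.
    return '<form method="post" action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '">';
}
```

When reviewing a shortcode for this class, check every attribute that reaches output, not only the obvious ones: the "via wpsaio_snapchat Shortcode" and "via rfw-youtube-videos Shortcode" entries on this page are single unescaped attributes in otherwise ordinary widgets.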
Plugin: Zita Elementor Site Library
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: WP Flow Plus
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version
Plugin: pretix widget
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: CSV Product Import Export for WooCommerce
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Qi Blocks
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
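Qi Blocks above is one of seven Local File Inclusion entries on this page (Maan Addons For Elementor, pretix widget and SB Random Posts Widget at Contributor+; SSV MailChimp, SSV Events and PDF-Rechnungsverwaltung unauthenticated). The pattern in plugin code is a template or layout name taken from a shortcode attribute, block attribute or request parameter and concatenated into an include path. The following added example, not code from any listed plugin, shows the vulnerable form beside an allow-list fix; the shortcode tag, attribute and directory names are invented.

```php
<?php
// Added illustration (not code from any plugin listed on this page).
// Shortcode tag, attribute name and directory layout are invented.

// --- Vulnerable: request-controlled value concatenated into an include path ----
// [example_grid layout="../../../../../etc/passwd%00"] style traversal, or a
// layout pointing at a file the attacker previously uploaded under
// wp-content/uploads, gets that file executed or disclosed.
function example_grid_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'layout' => 'default' ), $atts, 'example_grid' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['layout'] . '.php';
    return ob_get_clean();
}

// --- Hardened: resolve against an allow-list, never against the raw string -----
function example_grid_hardened( $atts ) {
    $atts = shortcode_atts( array( 'layout' => 'default' ), $atts, 'example_grid' );

    // 1. The set of valid layouts is fixed by the plugin, not by the request.
    $layouts = array( 'default', 'masonry', 'list' );
    $layout  = in_array( $atts['layout'], $layouts, true ) ? $atts['layout'] : 'default';

    // 2. Belt and braces: confirm the resolved path is still inside templates/.
    //    realpath() returns false for a missing file, which also ends up rejected.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . '/' . $layout . '.php' );
    if ( false === $base || false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    ob_start();
    include $file;
    return ob_get_clean();
}
add_shortcode( 'example_grid', 'example_grid_hardened' );
```

The allow-list is the actual fix; the realpath() check is there so that a later refactor which drops the allow-list still cannot leave the templates directory.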
Plugin: WPKoi Templates for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Plugin: Rover IDX
Vulnerability: Authenticated (Subscriber+) Missing Authorization via Multiple Functions
Patched Version: 3.0.0.2905
Recommended Action: Update to version 3.0.0.2905, or a newer patched version
Plugin: Duplicate Title Validate
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Disc Golf Manager
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Subscriber+) Limited Arbitrary Option Update
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version
Plugin: WP Easy Post Types
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ShopWP
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors
Vulnerability: Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version
Plugin: Monitor.chat – Monitor WordPress with Instant Messages
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Telecash Ricaricaweb
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Easy Post Types
Vulnerability: Authenticated (Subscriber+) Missing Authorization via Multiple Functions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BP Member Type Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: StreamWeasels Twitch Integration
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sw-twitch-embed Shortcode
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version
Plugin: Coub
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.2.22
Recommended Action: Update to version 3.2.22, or a newer patched version
Plugin: PeproDev Ultimate Invoice
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in 'create_mollie_account'
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Gantry 4 Framework
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcode For Elementor Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: wp-Monalisa
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version
Plugin: SB Random Posts Widget
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: VOD Infomaniak
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: uCAT – Next Story
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RSS Feed Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Video Grid
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.22
Recommended Action: Update to version 1.22, or a newer patched version
Plugin: Rich Reviews by Starfish
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: File Manager Pro
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 8.3.10
Recommended Action: Update to version 8.3.10, or a newer patched version
Plugin: Tida URL Screenshot
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MAS Companies For WP Job Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: Simple Custom Post Order
Vulnerability: Missing Authorization
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: AB Categories Search Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.9.3.1
Recommended Action: Update to version 5.9.3.1, or a newer patched version
Plugin: WordPress Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 0.9.36
Recommended Action: Update to version 0.9.36, or a newer patched version
Plugin: WordPress WP-Advanced-Search
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.3.9.2
Recommended Action: Update to version 3.3.9.2, or a newer patched version
Plugin: Add Widget After Content
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Download Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Metadata and Comment Download
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Restaurant Reservations Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Missing Authorization to Arbitrary (Subscriber+) Attachment Deletion
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Calculated Fields Form
Vulnerability: HTML Injection
Patched Version: 5.2.46
Recommended Action: Update to version 5.2.46, or a newer patched version
Plugin: Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages
Vulnerability: Missing Authorization
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: CWD 3D Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PayU CommercePro Plugin
Vulnerability: Reflected Cross-Site Scripting via type
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Widgets for WooCommerce Products on Elementor
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: افزونه پیامک ووکامرس Persian WooCommerce SMS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.3
Recommended Action: Update to version 7.0.3, or a newer patched version
Plugin: JiangQie Free Mini Program
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Missing Authorization
Patched Version: 3.2.10
Recommended Action: Update to version 3.2.10, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘paytium_notice_dismiss’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Flat UI Button
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via flatbtn Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Adding drop down roles in registration
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Campus Explorer Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Smart Coupons
Vulnerability: Unauthenticated Coupon Creation
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version
Plugin: Arconix Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version
Plugin: WP Booking Calendar
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 10.6.3
Recommended Action: Update to version 10.6.3, or a newer patched version
Plugin: Point Maker
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 0.1.5
Recommended Action: Update to version 0.1.5, or a newer patched version
Plugin: Miniorange OTP Verification with Firebase
Vulnerability: Privilege Escalation via Registration due to Administrator Default User Role Value
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: Registrations for the Events Calendar – Event Registration Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.12.4
Recommended Action: Update to version 2.12.4, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘check_mollie_account_details’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Country Flags for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Category and Custom Taxonomy Image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ad_tax_image Shortcode
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Azz Anonim Posting
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Endless Posts Navigation
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version
Plugin: Safe SVG
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: Schema & Structured Data for WP & AMP
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.36
Recommended Action: Update to version 1.36, or a newer patched version
Plugin: Easy Menu Manager | WPZest
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MyTweetLinks
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Encyclopedia / Glossary / Wiki
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.61
Recommended Action: Update to version 1.7.61, or a newer patched version
Plugin: APA Register Newsletter Form
Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TWB Woocommerce Reviews
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: GoogleDrive folder list
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Content Copy Protection & No Right Click
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: Apa Banner Slider
Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Link Groups
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘create_mollie_profile’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: INK Official
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: News Kit Elementor Addons
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Canvas Menu Elementor Template
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.