Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. Each entry names the affected plugin, the class of vulnerability together with the lowest user role that can trigger it (or "Unauthenticated" when no account is needed), and the first version that fixes it, if one exists. Where no patched version is available, review the vulnerability's details, apply mitigations that fit your organization's risk tolerance, and consider removing the plugin in favour of a replacement. Updating or removing the plugins listed here reduces the risk to your WordPress site and its data.
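The practical question behind this list is whether any plugin on your own sites appears in it at a version below the fix. The script below, an added example that is not part of the original roundup, cross-references the JSON that `wp plugin list --fields=name,title,version,status --format=json` prints against a handful of entries copied from this week's list. The plugin inventory it runs on by default is constructed sample data (the slugs in it are illustrative), matching is on the plugin's display title because that is what the roundup publishes, and the version comparison is a deliberately simple numeric one rather than PHP's `version_compare()`.

```python
"""Cross-check a site's plugin inventory against this week's advisories.

Added example, not part of the original roundup. Advisory entries are
copied from the page; the inventory is constructed sample data in the
shape printed by `wp plugin list --fields=name,title,version,status
--format=json` (the slugs in the sample are illustrative).
"""
import json
import re
import sys
from typing import Optional

# Copied from the roundup. patched=None means the page lists no fixed version.
ADVISORIES = [
    {"plugin": "Simple Code Insert Shortcode",
     "vulnerability": "Authenticated (Contributor+) SQL Injection", "patched": None},
    {"plugin": "ElementsKit Elementor addons",
     "vulnerability": "Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison Widget",
     "patched": "3.3.0"},
    {"plugin": "AR for WordPress",
     "vulnerability": "Unauthenticated Arbitrary File Upload", "patched": "7.0"},
    {"plugin": "BuddyPress",
     "vulnerability": "Authenticated (Subscriber+) Directory Traversal", "patched": "14.2.1"},
    # One plugin can carry several entries with different fix versions.
    {"plugin": "Namaste! LMS",
     "vulnerability": "Authenticated (Subscriber+) Stored Cross-Site Scripting", "patched": "2.6.4.1"},
    {"plugin": "Namaste! LMS",
     "vulnerability": "Authenticated (Subscriber+) PHP Object Injection", "patched": "2.6.4"},
]

# Constructed sample inventory standing in for real `wp plugin list` output.
SAMPLE_INVENTORY = json.dumps([
    {"name": "elementskit-lite", "title": "ElementsKit Elementor addons", "version": "3.2.9", "status": "active"},
    {"name": "simple-code-insert-shortcode", "title": "Simple Code Insert Shortcode", "version": "1.1", "status": "inactive"},
    {"name": "ar-for-wordpress", "title": "AR for WordPress", "version": "7.0.0", "status": "active"},
    {"name": "buddypress", "title": "BuddyPress", "version": "14.2", "status": "active"},
    {"name": "namaste-lms", "title": "Namaste! LMS", "version": "2.6.4", "status": "active"},
    {"name": "akismet", "title": "Akismet Anti-spam: Spam Protection", "version": "5.3.3", "status": "active"},
])


def parse_version(version: str) -> tuple:
    """'3.8.18' -> (3, 8, 18). Only the leading dotted-numeric part is read,
    so a pre-release tag such as '3.3.0-beta' compares as 3.3.0. That is
    looser than PHP's version_compare() but fits the release numbers the
    roundup reports."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b. Shorter tuples are padded with
    zeros so that '7.0' and '7.0.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(installed: str, patched: Optional[str]) -> bool:
    """An entry with no patched version is vulnerable at every version."""
    if patched is None:
        return True
    return compare_versions(installed, patched) < 0


def normalize_title(title: str) -> str:
    return re.sub(r"\s+", " ", title).strip().casefold()


def check_inventory(inventory_json: str, advisories: list) -> list:
    """Return one finding per (plugin, advisory) pair where the installed
    version is below the fix. Inactive plugins are reported as well: their
    files stay on disk, so deactivation alone is not a fix."""
    by_title = {}
    for adv in advisories:
        by_title.setdefault(normalize_title(adv["plugin"]), []).append(adv)
    findings = []
    for plugin in json.loads(inventory_json):
        for adv in by_title.get(normalize_title(plugin["title"]), []):
            if not is_vulnerable(plugin["version"], adv["patched"]):
                continue
            if adv["patched"] is None:
                action = "no patch available; remove or replace the plugin"
            else:
                action = f"update to {adv['patched']} or newer"
            findings.append({"name": plugin["name"], "installed": plugin["version"],
                             "status": plugin["status"],
                             "vulnerability": adv["vulnerability"], "action": action})
    return findings


def main() -> None:
    # Real use: wp plugin list --fields=name,title,version,status --format=json | python3 check.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INVENTORY
    for f in check_inventory(data, ADVISORIES):
        print(f"{f['name']} {f['installed']} ({f['status']}): {f['vulnerability']} -> {f['action']}")


if __name__ == "__main__":
    main()
```

Run against the sample, it flags ElementsKit (3.2.9 is below 3.3.0), Simple Code Insert Shortcode (no fix exists, so any version counts), BuddyPress (14.2 is below 14.2.1) and Namaste! LMS (2.6.4 is below 2.6.4.1 but already at the 2.6.4 fix for the object-injection entry), while AR for WordPress at 7.0.0 and the unlisted Akismet pass. Matching on display title is the weak point: vendors occasionally rename plugins, so treat a clean run as "nothing matched", not as proof of absence, and confirm slugs against the advisory source when it publishes them.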
Plugin: ID-SK Toolkit
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Code Insert Shortcode
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementsKit Elementor addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison Widget
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.18
Recommended Action: Update to version 3.8.18, or a newer patched version
Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: AR for WordPress
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version
Plugin: Export Users Data Distinct
Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Transients Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Multi Purpose Mail Form
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CodePen Embedded Pens Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: WP Hotel Booking
Vulnerability: Missing Authorization to (Subscriber+) Arbitrary Post Deletion
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Auto Login using a secure tokenized url. Role wise login restriction.
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kata Plus – Addons for Elementor – Widgets, Extensions and Templates
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: StreamWeasels Kick Integration – Blocks and Shortcodes for Embedding Kick Streams
Vulnerability: Not stated in this entry (affected versions <= 1.1.1)
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Contact Form 7 – Repeatable Fields
Vulnerability: Not stated in this entry (affected versions <= 2.0.1)
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Simple File List
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.13
Recommended Action: Update to version 6.1.13, or a newer patched version
Plugin: SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version
Plugin: WP Awesome Login
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Recipe Maker
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘tooltip’
Patched Version: 9.7.0
Recommended Action: Update to version 9.7.0, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Open Redirect
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version
Plugin: Extra Product Options Builder for WooCommerce
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.134
Recommended Action: Update to version 1.2.134, or a newer patched version
Plugin: FTP Access
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress
Vulnerability: Authenticated (Student+) Missing Authorization to Privilege Escalation
Patched Version: 1.13.4
Recommended Action: Update to version 1.13.4, or a newer patched version
Plugin: WP Crowdfunding
Vulnerability: Missing Authorization to Authenticated (Subscriber+) to Enable/Disable Addons
Patched Version: 2.1.11
Recommended Action: Update to version 2.1.11, or a newer patched version
Plugin: WordPress eCommerce – ScottCart
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hyperlink Group Block
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.17.6
Recommended Action: Update to version 1.17.6, or a newer patched version
Plugin: Kata Plus – Addons for Elementor – Widgets, Extensions and Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Qi Addons For Elementor
Vulnerability: Sensitive Information Exposure
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: App Builder – Create Native Android & iOS Apps On The Flight
Vulnerability: Privilege Escalation and Account Takeover via Weak OTP
Patched Version: 5.3.8
Recommended Action: Update to version 5.3.8, or a newer patched version
Plugin: YITH WooCommerce Product Add-Ons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.14.2
Recommended Action: Update to version 4.14.2, or a newer patched version
Plugin: WPC Smart Messages for WooCommerce
Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: Ads.txt & App-ads.txt Manager for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: YaMaps for WordPress Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.6.26
Recommended Action: Update to version 0.6.26, or a newer patched version
Plugin: Accessibility Suite by Ability, Inc
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.13
Recommended Action: Update to version 4.13, or a newer patched version
Plugin: Wp Social Login and Register Social Counter
Vulnerability: Authenticated (Subscriber+) Information Disclosure
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Textboxes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clio Grow Form
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
Vulnerability: Missing Authorization
Patched Version: 4.23.13
Recommended Action: Update to version 4.23.13, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Missing Authorization
Patched Version: 5.1.4
Recommended Action: Update to version 5.1.4, or a newer patched version
Plugin: Podlove Web Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version
Plugin: QA Analytics – with Heatmaps & Replay, Privacy Friendly
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 4.1.1.2
Recommended Action: Update to version 4.1.1.2, or a newer patched version
Plugin: Call / Contact Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.10
Recommended Action: Update to version 4.7.10, or a newer patched version
Plugin: File Upload Types by WPForms
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Transaction Log
Patched Version: 4.0.4.8
Recommended Action: Update to version 4.0.4.8, or a newer patched version
Plugin: Selection Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version
Plugin: Google Map Locations
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RSVP ME
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP show more
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via show_more Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Scrollbar by webxapp – Best vertical/horizontal scrollbars plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SW Contact Form
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Dual Color Header’, ‘Event Calendar’, & ‘Advanced Data Table’
Patched Version: 5.9.20
Recommended Action: Update to version 5.9.20, or a newer patched version
Plugin: Image Map Pro – Drag-and-drop Builder for Interactive Images
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.21
Recommended Action: Update to version 6.0.21, or a newer patched version
Plugin: Namaste! LMS
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.6.4.1
Recommended Action: Update to version 2.6.4.1, or a newer patched version
Plugin: League of Legends Shortcodes
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.18
Recommended Action: Update to version 1.3.18, or a newer patched version
Plugin: Blog2Social: Social Media Auto Post & Scheduler
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 6.9.10
Recommended Action: Update to version 6.9.10, or a newer patched version
Plugin: NextGEN Gallery Voting
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: 1-Click Login: Passwordless Authentication
Vulnerability: Authentication Bypass via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: aDirectory – WordPress Directory Listing Plugin
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Cozy Blocks – Page Builder for Gutenberg & Site Editor with Post Blocks, WooCommerce Blocks, Magazine Blocks & WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.19
Recommended Action: Update to version 2.0.19, or a newer patched version
Plugin: W3SPEEDSTER
Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: 7.27
Recommended Action: Update to version 7.27, or a newer patched version
Plugin: Booking for Appointments and Events Calendar – Amelia Premium
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Interactive World Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version
Plugin: Customer Email Verification for WooCommerce
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version
Plugin: Free WooCommerce Theme 99fy Extension
Vulnerability: Cross-Site Request Forgery leading to Arbitrary Plugin Activation
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Thank You Page Customizer for WooCommerce – Increase Your Sales
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Data Export
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Otter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Authenticated (Subscriber+) Information Exposure
Patched Version: 2.6.12
Recommended Action: Update to version 2.6.12, or a newer patched version
Plugin: Uix Shortcodes
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Author+) External Entity Injection
Patched Version: 1.3.981
Recommended Action: Update to version 1.3.981, or a newer patched version
Plugin: FERMA.ru.net
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bstone Demo Importer
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.16
Recommended Action: Update to version 2.5.16, or a newer patched version
Plugin: Feeds for YouTube (YouTube video, channel, and gallery plugin)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Woocommerce Product Design
Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Tools
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Module Deactivation
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version
Plugin: Signup Page
Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GERRYWORKS Post by Mail
Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Favorites
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: Connect Matomo (WP-Matomo, WP-Piwik)
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version
Plugin: Jetpackcrm Ext Woo Connect
Vulnerability: Sensitive Information Exposure
Patched Version: 2.13
Recommended Action: Update to version 2.13, or a newer patched version
Plugin: Jobs for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: Awesome Weather Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Crazy Call To Action Box
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.81
Recommended Action: Update to version 2.3.81, or a newer patched version
Plugin: School Management System – WPSchoolPress
Vulnerability: Insecure Direct Object Reference to Authenticated (Teacher+) Account Takeover/Privilege Escalation
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version
Plugin: StreamWeasels YouTube Integration
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sw-youtube-embed Shortcode
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Code Explorer
Vulnerability: Authenticated (Admin+) External File Reading
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Namaste! LMS
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: BuddyPress
Vulnerability: Authenticated (Subscriber+) Directory Traversal
Patched Version: 14.2.1
Recommended Action: Update to version 14.2.1, or a newer patched version
Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 5.7.1
Recommended Action: Update to version 5.7.1, or a newer patched version
Plugin: Woocommerce Quote Calculator
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: League of Legends Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woocommerce Product Design
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kodex Posts likes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AR for WooCommerce
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version
Plugin: Wux Blog Editor
Vulnerability: Authentication Bypass to Administrator
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TI WooCommerce Wishlist
Vulnerability: Unauthenticated SQL Injection via ‘lang’
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.2.1
Recommended Action: Update to version 2.7.2.1, or a newer patched version
Plugin: Ajar in5 Embed
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: WPC Smart Messages for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Message Activation/Deactivation
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: Beek Widget Extention
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Namaste! LMS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: Lightbox slider – Responsive Lightbox Gallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Namaste! LMS
Vulnerability: Authenticated (Student+) Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: WatchTowerHQ
Vulnerability: Authentication Bypass to Administrator due to Missing Empty Value Check
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version
Plugin: Multi Step Form
Vulnerability: Missing Authorization via fw_delete_files
Patched Version: 1.7.22
Recommended Action: Update to version 1.7.22, or a newer patched version
Plugin: Mailchimp for WooCommerce
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: Envo's Elementor Templates & Widgets for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.20
Recommended Action: Update to version 1.4.20, or a newer patched version
Plugin: Bamazoo – Button Generator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via dgs Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Lightbox & Gallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version
Plugin: Rate Own Post
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Most And Least Read Posts Widget
Vulnerability: Cross-Site Request Forgery via most_and_least_read_posts_options
Patched Version: 2.5.19
Recommended Action: Update to version 2.5.19, or a newer patched version
Plugin: Swift Framework
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress
Vulnerability: Authenticated (Student+) Stored Cross-Site Scripting via Ask a Question Functionality
Patched Version: 1.13.4
Recommended Action: Update to version 1.13.4, or a newer patched version
Plugin: SafetyForms – Create forms with Real-time Email Validation
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Missing Authorization to Forged Vendor Profile Deletion Email Sending
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version
Plugin: Futurio Extra
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version
Plugin: Realty Workstation
Vulnerability: Authentication Bypass to Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Guten Post Layout – An Advanced Post Grid Collection
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: WP-Members Membership Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_loginout Shortcode
Patched Version: 3.4.9.6
Recommended Action: Update to version 3.4.9.6, or a newer patched version
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.17
Recommended Action: Update to version 5.1.17, or a newer patched version
Plugin: DS.DownloadList
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Advertising System
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: List category posts
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.89.4
Recommended Action: Update to version 0.89.4, or a newer patched version
Plugin: ProfilePress Pro
Vulnerability: Not specified in this list; affected versions <= 4.11.1
Patched Version: 4.11.2
Recommended Action: Update to version 4.11.2, or a newer patched version
Plugin: DPD Baltic Shipping
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.84
Recommended Action: Update to version 1.2.84, or a newer patched version
Plugin: App Builder – Create Native Android & iOS Apps On The Flight
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.9
Recommended Action: Update to version 3.8.9, or a newer patched version
Plugin: WordPress Post Grid Layouts with Pagination – Sogrid
Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: Church Admin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud!
Vulnerability: Missing Authorization
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version
Plugin: Comments Like Dislike
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Setting Reset
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
Vulnerability: Authenticated (Contributor+) Information Disclosure via Shortcode
Patched Version: 1.6.44
Recommended Action: Update to version 1.6.44, or a newer patched version
Plugin: PriPre
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Automatic Translation
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEOPress – On-site SEO
Vulnerability: Missing Authorization
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Plugin: WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 4.0.1.7
Recommended Action: Update to version 4.0.1.7, or a newer patched version
Plugin: Cozy Blocks – Page Builder for Gutenberg & Site Editor with Post Blocks, WooCommerce Blocks, Magazine Blocks & WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.16
Recommended Action: Update to version 2.0.16, or a newer patched version
Plugin: Admin Management Xtended
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: TAKETIN To WP Membership
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UPS Shipping for WooCommerce – Live Rates and Access Point
Vulnerability: Missing Authorization to Plugin API key reset
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting via IP Manipulation
Patched Version: 12.6.7
Recommended Action: Update to version 12.6.7, or a newer patched version
Plugin: AMP for WP – Accelerated Mobile Pages
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 1.0.99.2
Recommended Action: Update to version 1.0.99.2, or a newer patched version
Plugin: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.42
Recommended Action: Update to version 2.3.42, or a newer patched version
Plugin: MaanStore API
Vulnerability: Authentication Bypass via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.94
Recommended Action: Update to version 2.2.94, or a newer patched version
Plugin: WPC Shop as a Customer for WooCommerce
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Qode Essential Addons
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 1.3.972
Recommended Action: Update to version 1.3.972, or a newer patched version
Plugin: Flo Forms – Easy Drag & Drop Form Builder
Vulnerability: Missing Authorization
Patched Version: 1.0.43
Recommended Action: Update to version 1.0.43, or a newer patched version
Plugin: WordPress Image SEO
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
Vulnerability: Missing Authorization to Arbitrary Plugin Installation
Patched Version: 7.24
Recommended Action: Update to version 7.24, or a newer patched version
Plugin: Posts and Users Stats
Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: User Shortcodes Plus
Vulnerability: Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via user_meta Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Crowdfunding
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpcf_donate Shortcode
Patched Version: 2.1.12
Recommended Action: Update to version 2.1.12, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version
Plugin: Simple News
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via news Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: Premium SEO Pack – WP SEO Plugin
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.6.002
Recommended Action: Update to version 1.6.002, or a newer patched version
Plugin: HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce
Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Post Publication
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: Crypto Tool
Vulnerability: Authentication Bypass via register
Patched Version: 2.20
Recommended Action: Update to version 2.20, or a newer patched version
Plugin: Image Map Pro – Drag-and-drop Builder for Interactive Images
Vulnerability: Missing Authorization to Authenticated (Contributor+) Map Project Add/Update/Delete
Patched Version: 6.0.21
Recommended Action: Update to version 6.0.21, or a newer patched version
Plugin: Meetup
Vulnerability: Authentication Bypass via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.15.0
Recommended Action: Update to version 1.15.0, or a newer patched version
Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 7.6.3
Recommended Action: Update to version 7.6.3, or a newer patched version
Plugin: Shoutcast Icecast HTML5 Radio Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woocommerce Product Design
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Astra Widgets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.15
Recommended Action: Update to version 1.2.15, or a newer patched version
Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via atkp_product Shortcode
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version
Plugin: Mongoose Page Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: User Toolkit
Vulnerability: Authenticated (Subscriber+) Authentication Bypass
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Piotnet Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widget Attributes
Patched Version: 2.4.29
Recommended Action: Update to version 2.4.29, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 0.9.0.3
Recommended Action: Update to version 0.9.0.3, or a newer patched version
Plugin: Awesome buttons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via btn2 Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Acnoo Flutter API
Vulnerability: Authentication Bypass via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forms for Mailchimp by Optin Cat – Grow Your MailChimp List
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: WPS Telegram Chat
Vulnerability: Missing Authorization to Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Editorial Assistant by Sovrn
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Attachment Upload and Set Post Featured Image
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: Authenticated (Administrator+) SQL Injection via Order_by Parameter
Patched Version: 5.4.7
Recommended Action: Update to version 5.4.7, or a newer patched version
Plugin: amr users
Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud!
Vulnerability: Missing Authorization via AJAX actions
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version
Plugin: SEUR Oficial
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version
Plugin: Keep Backup Daily
Vulnerability: Unauthenticated Information Disclosure
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Posts Like Dislike
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Setting Reset
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: WS Facebook Like Box Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.3.3.5
Recommended Action: Update to version 1.3.3.5, or a newer patched version
Plugin: WP Abstracts
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: Parcel Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: Author Discussion
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Status Notifier
Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 1.11.7
Recommended Action: Update to version 1.11.7, or a newer patched version
Plugin: LiteSpeed Cache
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version
Plugin: Newsletters
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via newsletters_video Shortcode
Patched Version: 4.9.9.5
Recommended Action: Update to version 4.9.9.5, or a newer patched version
Plugin: Terms descriptions
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Sermons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.3.9
Recommended Action: Update to version 2.8.3.9, or a newer patched version
Plugin: Bridge Core
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Demo Import
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.1.16
Recommended Action: Update to version 4.1.16, or a newer patched version
Plugin: Marketing Automation by AZEXO
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SiteBuilder Dynamic Components
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3.5
Recommended Action: Update to version 1.3.3.5, or a newer patched version
Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IMPress for IDX Broker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Poll Settings
Patched Version: 5.4.7
Recommended Action: Update to version 5.4.7, or a newer patched version
Plugin: Editor Custom Color Palette
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version
Plugin: Advanced Online Ordering and Delivery Platform
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shipyaari Shipping Management
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Greenshift – animation and page builder blocks
Vulnerability: Missing Authorization
Patched Version: 9.8
Recommended Action: Update to version 9.8, or a newer patched version
Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.11.3
Recommended Action: Update to version 1.11.3, or a newer patched version
Plugin: Wp Social Login and Register Social Counter
Vulnerability: Authentication Bypass
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: ReCaptcha Integration for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 4.0.27
Recommended Action: Update to version 4.0.27, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 4.10.23
Recommended Action: Update to version 4.10.23, or a newer patched version
Plugin: WP Booking System – Booking Calendar
Vulnerability: Missing Authorization via wpbs_refresh_calendar_editor
Patched Version: 2.0.19.11
Recommended Action: Update to version 2.0.19.11, or a newer patched version
Plugin: Event Registration
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 6.03.01
Recommended Action: Update to version 6.03.01, or a newer patched version
Plugin: WP Query Console
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Plugin Propagator
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JQuery Accordion Menu Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Survey Maker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
Plugin: Comments – wpDiscuz
Vulnerability: Authentication Bypass
Patched Version: 7.6.25
Recommended Action: Update to version 7.6.25, or a newer patched version
Plugin: Meks Flexible Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Mapster WP Maps
Vulnerability: Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Blocksy Companion
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.32
Recommended Action: Update to version 2.0.32, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Cross-Site Request Forgery to Vendor Updates
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version
Plugin: Charity Addon for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: SermonAudio Widgets
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Compact WP Audio Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sc_embed_player Shortcode
Patched Version: 1.9.14
Recommended Action: Update to version 1.9.14, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.0.4.8
Recommended Action: Update to version 4.0.4.8, or a newer patched version
Plugin: 10Web Social Post Feed
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Missing Authorization to Authenticated (Contributor+) Form Update and Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version
Plugin: EU/UK VAT Validation Manager for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: WP Mail Log
Vulnerability: Incorrect Authorization to Authenticated (Contributor+) Data Viewing and Deletion
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version
Plugin: Order Notification for Telegram
Vulnerability: Missing Authorization to Unauthenticated Send Telegram Test Message
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wux Blog Editor
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Monkee-Boy Essentials
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PDF Invoices & Packing Slips for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Video Box Widget
Patched Version: 4.10.61
Recommended Action: Update to version 4.10.61, or a newer patched version
Plugin: WPS Telegram Chat
Vulnerability: Authenticated (Subscriber+) Unauthorized Access to Telegram Bot API
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SMS Alert Order Notifications – WooCommerce
Vulnerability: WooCommerce <= 3.7.5
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version
Plugin: Marketing Automation by AZEXO
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Extensions by HocWP Team
Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking Plugin for Your WordPress Appointments – Time Slot
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button
Patched Version: 4.10.28
Recommended Action: Update to version 4.10.28, or a newer patched version
Plugin: Google Maps Plugin by Intergeo
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium SEO Pack – WP SEO Plugin
Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Order Proposal
Vulnerability: Authenticated (Shop Manager+) Privilege Escalation via Order Proposal
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Duplicate Title Validate
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Crypto Tool
Vulnerability: Cross-Site Request Forgery to Authentication Bypass
Patched Version: 2.16
Recommended Action: Update to version 2.16, or a newer patched version
Plugin: Raptor Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Carousel, Product Slider, Product Grid Gallery, and Product Table for WooCommerce – WooProduct Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: WP Easy Post Types
Vulnerability: Authenticated (Subscriber+) Missing Authorization via Multiple Functions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Attendee List Retrieval
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: CM Table Of Contents – WordPress TOC Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Trip Plan
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: i2 Pros & Cons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Horizontal scrolling announcement
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Amilia Store
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Accept Stripe Donation and Payments – AidWP
Vulnerability: Missing Authorization
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: Themes4WP YouTube External Subtitles
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All-in-One WP Migration and Backup
Vulnerability: Authenticated (Administrator+) Arbitrary PHP Code Injection
Patched Version: 7.87
Recommended Action: Update to version 7.87, or a newer patched version
Plugin: Sudan Payment Gateway for WooCommerce
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Animator – Scroll Triggered Animations
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘Text Separator’ and ‘Image Compare’ Widget
Patched Version: 1.13.3
Recommended Action: Update to version 1.13.3, or a newer patched version
Plugin: Exit Notifier
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10.6
Recommended Action: Update to version 1.10.6, or a newer patched version
Plugin: PDF Generator Addon for Elementor Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: Download Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Metadata and Comment Download
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Conditional Fields for Contact Form 7
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Clever Addons for Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Crypto Tool
Vulnerability: Authentication Bypass via log_in
Patched Version: 2.19
Recommended Action: Update to version 2.19, or a newer patched version
Plugin: FormFacade – WordPress plugin for Google Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: MailPoet – Newsletters, Email Marketing, and Automation
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version
Plugin: Firelight Lightbox
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: Bulk Change Role
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Classified Listing – Classified ads & Business Directory Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion
Patched Version: 3.0.11
Recommended Action: Update to version 3.0.11, or a newer patched version
Plugin: Breeze – WordPress Cache Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version
Plugin: Move Addons for Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: Exam Matrix
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Import and export users and customers
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.27.6
Recommended Action: Update to version 1.27.6, or a newer patched version
Plugin: SEOPress – On-site SEO
Vulnerability: Missing Authorization
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Plugin: ParityPress – Parity Pricing with Discount Rules
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Miniorange OTP Verification with Firebase
Vulnerability: Privilege Escalation via Registration due to Administrator Default User Role Value
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: Download Monitor
Vulnerability: Missing Authorization to API Key Manipulation
Patched Version: 5.0.13
Recommended Action: Update to version 5.0.13, or a newer patched version
Plugin: Contact Form 7 + Telegram
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Subscription Approve/Pause/Refuse
Patched Version: 0.8.6
Recommended Action: Update to version 0.8.6, or a newer patched version
Plugin: Breeze – WordPress Cache Plugin
Vulnerability: Missing Authorization
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version
Plugin: Blog2Social: Social Media Auto Post & Scheduler
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 6.9.12
Recommended Action: Update to version 6.9.12, or a newer patched version
Plugin: MyTweetLinks
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PegaPoll
Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.13
Recommended Action: Update to version 4.1.13, or a newer patched version
Plugin: Terms descriptions
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version
Plugin: GRÜN spendino Spendenformular – Mehr Spenden! Weniger Arbeit!
Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Link Groups
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cost Calculator Builder PRO
Vulnerability: Unauthenticated Price Manipulation
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder
Vulnerability: Authentication Bypass via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEOPress – On-site SEO
Vulnerability: Missing Authorization
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Plugin: WP donimedia carousel
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DarkMySite – Advanced Dark Mode Plugin for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.