Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities promptly, you reduce the risk to your WordPress site and its data.
Plugin: PWA — easy way to Progressive Web App
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: Super Testimonials
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: BerqWP – Automated All-In-One PageSpeed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Newsletters
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.9.2
Recommended Action: Update to version 4.9.9.2, or a newer patched version
Plugin: Fluent Support – Helpdesk & Customer Support Ticket System
Vulnerability: Insufficient Authorization on Email Verification
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: SKT Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: ABC APP CREATOR
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mail logging – WP Mail Catcher
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version
Plugin: Kodex Posts likes
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading and Icon Picker Widgets
Patched Version: 2.16.4
Recommended Action: Update to version 2.16.4, or a newer patched version
Plugin: Ibtana – WordPress Website Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
Patched Version: 1.2.4.5
Recommended Action: Update to version 1.2.4.5, or a newer patched version
Plugin: Instant Chat Floating Button for WordPress Websites
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clio Grow Form
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Product Delivery Date for WooCommerce – Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: WP Booking Calendar
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 10.6.1
Recommended Action: Update to version 10.6.1, or a newer patched version
Plugin: YITH WooCommerce Ajax Search
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: Contact Form by Supsystic
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.28
Recommended Action: Update to version 1.7.28, or a newer patched version
Plugin: UsersControl – Users Profile, Free or Paid Subscriptions, User Access Restriction & Members Directory
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form 7 Campaign Monitor Extension
Vulnerability: Missing Authorization to Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bridge Core
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version
Plugin: Loops & Logic
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: WP-DownloadManager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.68.9
Recommended Action: Update to version 1.68.9, or a newer patched version
Plugin: Chatbot with ChatGPT WordPress
Vulnerability: Missing Authorization to Unauthenticated OpenAI API Key Exposure
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: Simple Popup Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version
Plugin: CM Pop-Up Banners for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: WPSPX
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spiffy Calendar
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 4.9.13
Recommended Action: Update to version 4.9.13, or a newer patched version
Plugin: Classic Editor and Classic Widgets
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: WP Timeline – Vertical and Horizontal timeline plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: adstxt Plugin
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form 7 – PayPal & Stripe Add-on
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Search Analytics for WP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version
Plugin: Easy Demo Importer – A Modern One-Click Demo Import Solution
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: WP Cleanup and Basic Functions
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.12
Recommended Action: Update to version 2.5.12, or a newer patched version
Plugin: Accordion
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.100
Recommended Action: Update to version 2.2.100, or a newer patched version
Plugin: Smart Post Show – Post Grid, Post Carousel, Post Slider, Post Timeline, Post Table, and List Category Posts, Latest Posts, Recent Posts, Popular Posts and More
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Pagination Color
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: Multi Step for Contact Form 7
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: Hello World
Vulnerability: Authenticated (Subscriber+) Arbitrary File Read
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Vulnerability: Authenticated (Subscriber+) Limited JavaScript File Upload
Patched Version: 6.5.8
Recommended Action: Update to version 6.5.8, or a newer patched version
Plugin: Meta Slider and Carousel with Lightbox
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Restaurant & Cafe Addon for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: Gum Elementor Addon
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Carousel Slider
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.2.14
Recommended Action: Update to version 2.2.14, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.13.11
Recommended Action: Update to version 2.13.11, or a newer patched version
Plugin: Products Stock Manager with Excel for WooCommerce Inventory
Vulnerability: XXE Injection
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Contact Form to Any API
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Contact Form
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Image Optimizer, Resizer and CDN – Sirv
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version
Plugin: Podiant
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LiteSpeed Cache
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: MH Board
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CMSMasters Content Composer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: Demo Importer Plus
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 9.1.3
Recommended Action: Update to version 9.1.3, or a newer patched version
Plugin: Visual Sound
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Multilingual & Multicurrency with WPML
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.8
Recommended Action: Update to version 5.3.8, or a newer patched version
Plugin: Joy Of Text Lite – SMS messaging for WordPress.
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Abstracts
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: RumbleTalk Live Group Chat – HTML5
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version
Plugin: SEOPress – On-site SEO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Authenticated (Form Manager+) Stored Cross-Site Scripting
Patched Version: 5.1.20
Recommended Action: Update to version 5.1.20, or a newer patched version
Plugin: Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads
Vulnerability: Missing Authorization
Patched Version: 2.0.85
Recommended Action: Update to version 2.0.85, or a newer patched version
Plugin: Popularis Extra
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Crowdsignal Dashboard – Polls, Surveys & more
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ShiftController Employee Shift Scheduling
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.9.65
Recommended Action: Update to version 4.9.65, or a newer patched version
Plugin: Slider by Supsystic
Vulnerability: Missing Authorization
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version
Plugin: WP Free SSL – Free SSL Certificate for WordPress and force HTTPS
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Limit Login Attempts (Spam Protection)
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 5.4
Recommended Action: Update to version 5.4, or a newer patched version
Plugin: AliExpress Dropshipping Plugin for WooCommerce – AliNext
Vulnerability: Cross-Site Request Forgery to PHP Object Injection
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version
Plugin: Loggedin – Limit Active Logins
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: WP Datepicker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Team Member Widget
Patched Version: 1.3.987
Recommended Action: Update to version 1.3.987, or a newer patched version
Plugin: LuckyWP Table of Contents
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: Survey Maker
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.9.6
Recommended Action: Update to version 4.9.6, or a newer patched version
Plugin: Share This Image
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.02
Recommended Action: Update to version 2.02, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.11.2
Recommended Action: Update to version 2.11.2, or a newer patched version
Plugin: Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud!
Vulnerability: Missing Authorization
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Missing Authorization
Patched Version: 3.2.10
Recommended Action: Update to version 3.2.10, or a newer patched version
Plugin: Move Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Private Gallery Title Disclosure
Patched Version: 3.2.22
Recommended Action: Update to version 3.2.22, or a newer patched version
Plugin: Accordion Image Menu
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPExperts Square For GiveWP
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Checkout Mestres do WP for WooCommerce
Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 8.6.1
Recommended Action: Update to version 8.6.1, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.13.12
Recommended Action: Update to version 2.13.12, or a newer patched version
Plugin: Polls CP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.75
Recommended Action: Update to version 1.0.75, or a newer patched version
Plugin: Salon Booking System
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 10.9.1
Recommended Action: Update to version 10.9.1, or a newer patched version
Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.12.9
Recommended Action: Update to version 2.12.9, or a newer patched version
Plugin: WP Newsletter Subscription
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.9.244
Recommended Action: Update to version 1.9.244, or a newer patched version
Plugin: PWA for WP & AMP
Vulnerability: Missing Authorization
Patched Version: 1.7.73
Recommended Action: Update to version 1.7.73, or a newer patched version
Plugin: WP-WebAuthn
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wwa_login_form Shortcode
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: WP Hotel Booking
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Ultimate Blocks – WordPress Blocks Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Social Web Suite – Social Media Auto Post, Social Media Auto Publish
Vulnerability: Directory Traversal to Arbitrary File Download
Patched Version: 4.1.12
Recommended Action: Update to version 4.1.12, or a newer patched version
Plugin: WCFM Marketplace – Multivendor Marketplace for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.12
Recommended Action: Update to version 3.6.12, or a newer patched version
Plugin: GEO my WP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.0.4
Recommended Action: Update to version 4.5.0.4, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.16.0
Recommended Action: Update to version 3.16.0, or a newer patched version
Plugin: WP Blocks Hub
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 5.7.35
Recommended Action: Update to version 5.7.35, or a newer patched version
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Missing Authorization to Unauthenticated User and Term Metadata Insert, Update, and Delete
Patched Version: 1.0.229
Recommended Action: Update to version 1.0.229, or a newer patched version
Plugin: Auto Amazon Links – Amazon Associates Affiliate Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.3
Recommended Action: Update to version 5.4.3, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Cross-Site Request Forgery to Membership Status Change
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.4
Recommended Action: Update to version 4.2.4, or a newer patched version
Plugin: Checkout Field Editor (Checkout Manager) for WooCommerce
Vulnerability: Reflected Cross-Site Scripting via render_review_request_notice
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Aggregator Advanced Settings
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Import Spreadsheets from Microsoft Excel
Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: 10.1.5
Recommended Action: Update to version 10.1.5, or a newer patched version
Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Content Blocks (Custom Post Widget)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.6
Recommended Action: Update to version 3.3.6, or a newer patched version
Plugin: ElementsReady Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version
Plugin: LuckyWP Table of Contents
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: Login Logout Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Missing Authorization
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version
Plugin: Primary Addon for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: ARI Fancy Lightbox – Popup for WordPress
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.3.18
Recommended Action: Update to version 1.3.18, or a newer patched version
Plugin: Backup and Staging by WP Time Capsule
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.22.22
Recommended Action: Update to version 1.22.22, or a newer patched version
Plugin: Smart Custom 404 Error Page
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.4.8
Recommended Action: Update to version 11.4.8, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.13.11
Recommended Action: Update to version 2.13.11, or a newer patched version
Plugin: WP ULike – All-in-One Engagement Toolkit
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version
Plugin: LH Copy Media File
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.09
Recommended Action: Update to version 1.09, or a newer patched version
Plugin: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: IdeaPush
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.69
Recommended Action: Update to version 8.69, or a newer patched version
Plugin: NiceJob
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: Gum Elementor Addon
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Truepush – Most Affordable Web Push Notifications
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: Cities Shipping Zones for WooCommerce
Vulnerability: Authenticated (Shop Manager+) Local File Inclusion
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Chartify – WordPress Chart Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version
Plugin: YML for Yandex Market
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version
Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 7.5.0
Recommended Action: Update to version 7.5.0, or a newer patched version
Plugin: Re:WP
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: VR Calendar
Vulnerability: Authenticated (Administrator+) Local File Inclusion
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: Themify Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.3
Recommended Action: Update to version 7.6.3, or a newer patched version
Plugin: CubeWP Forms – All-in-One Form Builder
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Code Embed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: Soumettre.fr
Vulnerability: Missing Authorization
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 1.0.229
Recommended Action: Update to version 1.0.229, or a newer patched version
Plugin: WP Travel – Ultimate Travel Booking System, Tour Management Engine
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.4.0
Recommended Action: Update to version 9.4.0, or a newer patched version
Plugin: Advanced Custom Fields (ACF)
Vulnerability: Authenticated (Administrator+) Limited Arbitrary Function Call
Patched Version: 6.3.6.3
Recommended Action: Update to version 6.3.6.3, or a newer patched version
Plugin: Slider by 10Web – Responsive Image Slider
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.59
Recommended Action: Update to version 1.2.59, or a newer patched version
Plugin: BuddyPress Docs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MC4WP: Mailchimp Top Bar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: ForumWP – Forum & Discussion Board
Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Use Any Font | Custom Font Uploader
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.3.09
Recommended Action: Update to version 6.3.09, or a newer patched version
Plugin: Fluent Support – Helpdesk & Customer Support Ticket System
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: RabbitLoader – Website Speed Optimization for improving Core Web Vital metrics with Cache, Image Optimization, and more
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.21.1
Recommended Action: Update to version 2.21.1, or a newer patched version
Plugin: WordPress Captcha Plugin by Captcha Bank
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smooth Gallery Replacement
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: 1.6.7.43
Recommended Action: Update to version 1.6.7.43, or a newer patched version
Plugin: Zoho Flow – Integrate 90+ plugins with 900+ business apps, no-code workflow automation
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: Display Medium Posts
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via display_medium_posts Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CSS JS Files
Vulnerability: Authenticated (Administrator+) Arbitrary File Read
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: AI Engine
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.90
Recommended Action: Update to version 2.2.90, or a newer patched version
Plugin: WordPress Infinite Scroll – Ajax Load More
Vulnerability: Unspecified in this listing; affects Ajax Load More <= 7.1.2
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version
Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more
Vulnerability: Missing Authorization
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version
Plugin: NiceJob
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: Hash Form – Drag & Drop Form Builder
Vulnerability: Unspecified in this listing; affects Drag & Drop Form Builder <= 1.1.9
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Houzez Login Register
Vulnerability: Authenticated (Subscriber+) Privilege Escalation via Account Takeover
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Fish and Ships – Most flexible table rate shipping for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Custom Field Template
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: Wheel of Life: Coaching and Assessment Tool for Life Coach
Vulnerability: Missing Authorization
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via piechart_settings Parameter
Patched Version: 8.5.1
Recommended Action: Update to version 8.5.1, or a newer patched version
Plugin: WP Ticket Ultra Help Desk & Support Plugin
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Happy Addons for Elementor Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: Shortcode For Elementor Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DK PDF – WordPress PDF Generator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: AI ChatBot with ChatGPT and Content Generator by AYS
Vulnerability: Missing Authorization
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Posts reminder
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 6.18.4
Recommended Action: Update to version 6.18.4, or a newer patched version
Plugin: ShiftController Employee Shift Scheduling
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.67
Recommended Action: Update to version 4.9.67, or a newer patched version
Plugin: Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer
Vulnerability: Missing Authorization
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Vmax Project Manager
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.15
Recommended Action: Update to version 1.3.15, or a newer patched version
Plugin: Quantity Dynamic Pricing & Bulk Discounts for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version
Plugin: Memberful – Membership Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.73.8
Recommended Action: Update to version 1.73.8, or a newer patched version
Plugin: AI ChatBot with ChatGPT and Content Generator by AYS
Vulnerability: Unauthenticated OpenAI Key Exposure
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Mega Elements – Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Unauthenticated Information Exposure
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: Easy Property Listings
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version
Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version
Plugin: Adicon Server
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.29
Recommended Action: Update to version 1.8.29, or a newer patched version
Plugin: Easy Mega Menu Plugin for WordPress – ThemeHunk
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: WP Timeline – Vertical and Horizontal timeline plugin
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: Themify – WooCommerce Product Filter
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: WP Timeline – Vertical and Horizontal timeline plugin
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: Confetti Fall Animation
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Geo Mashup
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.13
Recommended Action: Update to version 1.13.13, or a newer patched version
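A list like the one above is only actionable once it is compared against what is actually installed. The script below is an added example, not part of this post or of any plugin: it parses entries written in this page's Plugin / Vulnerability / Patched Version / Recommended Action format, reads the output of `wp plugin list --fields=name,title,version,status --format=csv`, and reports every installed plugin that is older than the patched version or whose entry has no patch at all. Both inputs embedded here are constructed samples (the three advisories are copied from this week's list; the plugin inventory is invented), and matching on the plugin title is an assumption that holds only when the plugin header's name matches the listing.

```python
"""Cross-check installed WordPress plugins against a Watch Out Wednesday style listing.

Added example. Inputs are constructed samples, not live data.
"""
import csv
import io
import re

# Constructed sample: three entries copied from the listing, in the page's own format.
ADVISORIES_TEXT = """\
Plugin: Code Embed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: BuddyPress Docs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Mitigate or remove the plugin.
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 1.0.229
Recommended Action: Update to version 1.0.229, or a newer patched version
"""

# Constructed sample of `wp plugin list --fields=name,title,version,status --format=csv`.
# Inactive plugins are still on disk and still reachable in many cases, so they are kept.
WP_PLUGIN_LIST_CSV = """\
name,title,version,status
code-embed,Code Embed,2.4,active
buddypress-docs,BuddyPress Docs,2.2.2,inactive
seo-by-rank-math,Rank Math SEO – AI SEO Tools to Dominate SEO Rankings,1.0.229,active
akismet,Akismet Anti-spam,5.3,active
"""

NO_PATCH = "No patched version available"


def parse_advisories(text):
    """Split the listing into one dict per 'Plugin:' block.

    Only the first colon on a line separates key from value, so titles such as
    'MC4WP: Mailchimp Top Bar' survive intact. Lines without a known key are ignored.
    """
    entries, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Plugin":
            if current:
                entries.append(current)
            current = {"plugin": value}
        elif key in ("Vulnerability", "Patched Version", "Recommended Action"):
            current[key.lower().replace(" ", "_")] = value
    if current:
        entries.append(current)
    return entries


def version_key(version):
    """Numeric tuple for dotted versions, so 6.3.09 == 6.3.9 and 2.5 > 2.4.8.

    Non-numeric suffixes (e.g. '1.2-beta') are treated as 0 for that component.
    """
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_older(installed, patched):
    """True when the installed version sorts below the patched one (missing components are 0)."""
    a, b = version_key(installed), version_key(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_installed(advisories, plugin_csv):
    """Return (plugin, vulnerability, installed, patched, action) for each advisory that applies."""
    installed = {row["title"]: row for row in csv.DictReader(io.StringIO(plugin_csv))}
    findings = []
    for adv in advisories:
        row = installed.get(adv["plugin"])
        if row is None:
            continue  # plugin not present on this site
        patched = adv.get("patched_version", "")
        if patched == NO_PATCH:
            action = "unpatched: mitigate or remove"
        elif is_older(row["version"], patched):
            action = f"update to {patched}"
        else:
            continue  # already at or beyond the patched version
        findings.append((adv["plugin"], adv.get("vulnerability", ""), row["version"], patched, action))
    return findings


if __name__ == "__main__":
    for finding in check_installed(parse_advisories(ADVISORIES_TEXT), WP_PLUGIN_LIST_CSV):
        print(" | ".join(finding))
```

Two caveats when running this against a real site: the listing uses the directory title while `wp plugin list` reports the `Plugin Name` header, which occasionally differs (match on slug if you keep a mapping), and a plugin at exactly the patched version is treated as fixed, whereas an entry with "No patched version available" is reported regardless of version because there is nothing to update to.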
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.