Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Ivory Search – WordPress Search Plugin
Vulnerability: Information Exposure via AJAX Search Form
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version
Plugin: Remember Me Controls
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Reflected Cross-Site Scripting via selected_option
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Directory Traversal to Authenticated (Subscriber+) Arbitrary File Download
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Justified Image Grid – Premium WordPress Gallery
Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown
Patched Version: 3.2.39
Recommended Action: Update to version 3.2.39, or a newer patched version
Plugin: Slider comparison image before and after
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HelloAsso
Vulnerability: Missing Authorization to Authenticated (Contributor+) Limited Options Update
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version
Plugin: Redux Framework
Vulnerability: 4.4.17
Patched Version: 4.4.18
Recommended Action: Update to version 4.4.18, or a newer patched version
Plugin: Smart Online Order for Clover
Vulnerability: Missing Authorization
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: ThemeREX Addons
Vulnerability: Missing Authorization
Patched Version: 1.6.49.10
Recommended Action: Update to one of the following versions, or a newer patched version: 1.6.49.10, 1.6.49.6, 1.6.49.6.3, 1.6.49.7, 1.6.50.2, 1.6.51.4, 1.6.52.3, 1.6.53.4, 1.6.54.1, 1.6.55.8, 1.6.56.1, 1.6.57.4, 1.6.58.3, 1.6.59.1.2, 1.6.59.4, 1.6.60.1, 1.6.61.1.1, 1.6.61.2.1, 1.6.62.4, 1.6.65.1, 1.6.66.1, 1.6.67.1, 1.70.3.1
Plugin: Big File Uploads – Increase Maximum File Upload Size
Vulnerability: Authenticated (Author+) Full Path Disclosure
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: LatePoint Plugin
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Optimizer, Resizer and CDN – Sirv
Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version
Plugin: Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Chatbot with ChatGPT WordPress
Vulnerability: Missing Authorization to Unauthenticated OpenAI API Key Exposure
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: WP User Manager – User Profile Builder & Membership
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.11
Recommended Action: Update to version 2.9.11, or a newer patched version
Plugin: Cab fare calculator
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: WP Armour Extended
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version
Plugin: adstxt Plugin
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Newsletters
Vulnerability: Authenticated Privilege Escalation
Patched Version: 4.9.9.3
Recommended Action: Update to version 4.9.9.3, or a newer patched version
Plugin: Geo Controller
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Menu Creation/Deletion
Patched Version: 8.7.4
Recommended Action: Update to version 8.7.4, or a newer patched version
Plugin: Podlove Podcast Publisher
Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: 4.1.14
Recommended Action: Update to version 4.1.14, or a newer patched version
Plugin: Super Store Finder
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 6.9.8
Recommended Action: Update to version 6.9.8, or a newer patched version
Plugin: NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.16.8
Recommended Action: Update to version 1.16.8, or a newer patched version
Plugin: Booking for Appointments and Events Calendar – Amelia Premium
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Revision Manager TMC
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending
Patched Version: 2.8.20
Recommended Action: Update to version 2.8.20, or a newer patched version
Plugin: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
Vulnerability: Open Redirect
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: Nova Blocks by Pixelgrade
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: Web and WooCommerce Addons for WPBakery Builder
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LiteSpeed Cache
Vulnerability: Unauthenticated Sensitive Information Exposure via Log Files
Patched Version: 6.5.0.1
Recommended Action: Update to version 6.5.0.1, or a newer patched version
Plugin: Brickscore
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version
Plugin: WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 7.7.6
Recommended Action: Update to version 7.7.6, or a newer patched version
Plugin: WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
Vulnerability: Improper Path Validation to Authenticated (Subscriber+) Arbitrary File Move and Read
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Propovoice Pro
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gallery Plugin for WordPress – Envira Photo Gallery
Vulnerability: Missing Authorization
Patched Version: 1.8.15
Recommended Action: Update to version 1.8.15, or a newer patched version
Plugin: Custom Query Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Sermons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: Generate Images (AI) – Magic Post Thumbnail
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.10
Recommended Action: Update to version 5.2.10, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.985
Recommended Action: Update to version 1.3.985, or a newer patched version
Plugin: Generate PDF using Contact Form 7
Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version
Plugin: Ninja Forms – File Uploads
Vulnerability: Unauthenticated Stored Cross-Site Scripting via File Upload
Patched Version: 3.3.18
Recommended Action: Update to version 3.3.18, or a newer patched version
Plugin: Geo Controller
Vulnerability: Missing Authorization to Unauthenticated Shortcode Execution
Patched Version: 8.7.0
Recommended Action: Update to version 8.7.0, or a newer patched version
Plugin: SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.29.4
Recommended Action: Update to version 2.29.4, or a newer patched version
Plugin: IDonate – Blood Donation, Request And Donor Management System
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Advanced Custom Fields
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.3.6
Recommended Action: Update to version 6.3.6, or a newer patched version
Plugin: Generate PDF using Contact Form 7
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version
Plugin: WPMobile.App — Android and iOS Mobile Application
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.49
Recommended Action: Update to version 11.49, or a newer patched version
Plugin: Call / Contact Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin
Vulnerability: No subtitle
Patched Version: 2.9.9.5.1
Recommended Action: Update to version 2.9.9.5.1, or a newer patched version
Plugin: Super Store Finder
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 6.9.8
Recommended Action: Update to version 6.9.8, or a newer patched version
Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Vulnerability: 6.5.5
Patched Version: 6.5.6
Recommended Action: Update to version 6.5.6, or a newer patched version
Plugin: Payment forms, Buy now buttons, and Invoicing System | GetPaid
Vulnerability: Missing Authorization via column_subscription()
Patched Version: 2.8.12
Recommended Action: Update to version 2.8.12, or a newer patched version
Plugin: Form builder to get in touch with visitors and grow your email list — Happyforms
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.26.1
Recommended Action: Update to version 1.26.1, or a newer patched version
Plugin: Podlove Podcast Publisher
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.14
Recommended Action: Update to version 4.1.14, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.34.1
Recommended Action: Update to version 1.34.1, or a newer patched version
Plugin: WP Armour Extended
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version
Plugin: Dynamic Featured Image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via dfiFeatured Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Visual CSS Style Editor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version
Plugin: WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin
Vulnerability: Authorization Bypass
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.3.4
Recommended Action: Update to version 2.8.3.4, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version
Plugin: MBE eShip
Vulnerability: Information Exposure
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Customizer Export/Import
Vulnerability: Authenticated (Admin+) Arbitrary File Upload via Customization Settings Import
Patched Version: 0.9.7.1
Recommended Action: Update to version 0.9.7.1, or a newer patched version
Plugin: Send Emails with Mandrill
Vulnerability: Missing Authorization
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Missing Authorization
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version
Plugin: Ultimate Blocks – WordPress Blocks Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Frontend Dashboard
Vulnerability: Authenticated (Subscriber+) Arbitrary Function Call
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Affiliate Super Assistent
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: PixelYourSite Pro – Your smart PIXEL (TAG) Manager
Vulnerability: Unauthenticated Information Exposure and Log Deletion
Patched Version: 10.4.3
Recommended Action: Update to version 10.4.3, or a newer patched version
Plugin: Zynith SEO
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Option Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Starbox – the Author Box for Humans
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter URL Field
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version
Plugin: Droip
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Preloader Plus – WordPress Loading Screen Plugin
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: video carousel slider with lightbox
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Content Blocks (Custom Post Widget)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.6
Recommended Action: Update to version 3.3.6, or a newer patched version
Plugin: Login As Users
Vulnerability: Missing Authorization to Privilege Escalation via Account Takeover
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: Online Payment for Bank Mellat
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via data-jltma-wrapper-link Element
Patched Version: 2.0.6.5
Recommended Action: Update to version 2.0.6.5, or a newer patched version
Plugin: Collapsing Archives
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: Create by Mediavine
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.8.12
Recommended Action: Update to version 3.8.12, or a newer patched version
Plugin: Greenshift Query and Meta Addon
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version
Plugin: Super Store Finder
Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.9.8
Recommended Action: Update to version 6.9.8, or a newer patched version
Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Vulnerability: Missing Authorization via geodirectory_rated()
Patched Version: 2.3.71
Recommended Action: Update to version 2.3.71, or a newer patched version
Plugin: WP-Recall – Registration, Profile, Commerce & More
Vulnerability: Insecure Direct Object Reference to Unauthenticated Arbitrary Password Update
Patched Version: 16.26.9
Recommended Action: Update to version 16.26.9, or a newer patched version
Plugin: HTML5 Video Player – mp4 Video Player Plugin and Block
Vulnerability: Missing Authorization in multiple functions via h5vp_ajax_handler
Patched Version: 2.5.33
Recommended Action: Update to version 2.5.33, or a newer patched version
Plugin: Fusion Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Missing Authorization to Unauthenticated Private or Password-Protected Events Disclosure
Patched Version: 4.0.4.4
Recommended Action: Update to version 4.0.4.4, or a newer patched version
Plugin: Smartarget Message Bar
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP ULike – All-in-One Engagement Toolkit
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Cross-Site Request Forgery via ‘addon_enable_disable’
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version
Plugin: Zynith SEO
Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 6.5.6
Recommended Action: Update to version 6.5.6, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Attributes for Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via attributesForBlocks Parameter
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version
Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 7.5.0
Recommended Action: Update to version 7.5.0, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Missing Authorization to Limited Vendor Privilege Escalation/Account Takeover
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version
Plugin: VK All in One Expansion Unit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.99.2.0
Recommended Action: Update to version 9.99.2.0, or a newer patched version
Plugin: RD Station
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.4.0
Recommended Action: Update to version 5.4.0, or a newer patched version
Plugin: Form Vibes – Database Manager for Forms
Vulnerability: Missing Authorization in Multiple Functions
Patched Version: 1.4.13
Recommended Action: Update to version 1.4.13, or a newer patched version
Plugin: WP AdCenter – Ad Manager & Adsense Ads
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ad_alignment Attribute
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version
Plugin: Slider by 10Web – Responsive Image Slider
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.59
Recommended Action: Update to version 1.2.59, or a newer patched version
Plugin: Animated Number Counters
Vulnerability: Authenticated (Editor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Insecure Direct Object Reference
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: HelloAsso
Vulnerability: Missing Authorization
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version
Plugin: GHActivity
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ForumWP – Forum & Discussion Board
Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Missing Authorization
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Plugin: azurecurve Toggle Show/Hide
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LatePoint Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: Maintenance & Coming Soon Redirect Animation
Vulnerability: IP Spoofing to Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementsKit Pro
Vulnerability: Authenticated (Contributor+) Local File Inclusion via Price Menu, Hotspot, and Advanced Toggle Widgets
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Missing Authorization to Unauthenticated Local File Inclusion, Arbitrary Settings Update, and User Creation
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Security, Antivirus, Firewall – S.A.F
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version
Plugin: Share This Image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via STI Buttons Shortcode
Patched Version: 2.03
Recommended Action: Update to version 2.03, or a newer patched version
Plugin: Gutenverse – Ultimate Block Addons and Page Builder for Site Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: AI ChatBot with ChatGPT and Content Generator by AYS
Vulnerability: Missing Authorization
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: ClickCease Click Fraud Protection
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version
Plugin: DS CF7 Math Captcha
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: MBE eShip
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.4.6.0
Recommended Action: Update to version 6.4.6.0, or a newer patched version
Plugin: Name Directory
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.29.1
Recommended Action: Update to version 1.29.1, or a newer patched version
Plugin: AI ChatBot with ChatGPT and Content Generator by AYS
Vulnerability: Unauthenticated OpenAI Key Exposure
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: WPCOM Member
Vulnerability: Unauthenticated Privilege Escalation via User Meta
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Titan Anti-spam & Security
Vulnerability: Missing Authorization
Patched Version: 7.3.8
Recommended Action: Update to version 7.3.8, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via content Parameter
Patched Version: 6.4.6.0
Recommended Action: Update to version 6.4.6.0, or a newer patched version
Plugin: Woocommerce Addon Greenshift
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version
Plugin: Email Address Encoder
Vulnerability: Cross-Site Request Forgery via eae_clear_caches()
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version
Plugin: Cost Calculator Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.29
Recommended Action: Update to version 3.2.29, or a newer patched version
Plugin: Taxi Booking Manager for WooCommerce – WordPress plugin | Ecab
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Missing Authorization to Admin Username Change
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version
Plugin: Enter Addons – Ultimate Template Builder for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Events Card Widget
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Missing Authorization
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Plugin: Cost Calculator Builder PRO
Vulnerability: Unauthenticated Price Manipulation
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: SendGrid for WordPress
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.