Understanding Vulnerabilities in WordPress Plugins
Every week we list newly disclosed vulnerabilities in WordPress plugins, together with the patched version where one exists and the action we recommend. Use the list to check which of your installed plugins are affected, then update, mitigate, or remove them before the issues are exploited.
Plugin: Gutenberg Blocks – Unlimited blocks For Gutenberg
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Relevanssi – A Better Search
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.23.1
Recommended Action: Update to version 4.23.1, or a newer patched version
Plugin: GDPR Cookie Consent
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: YITH Custom Login
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: WPCargo Track & Trace
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BabelZ – Google Translate Widget
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chatbot with ChatGPT WordPress
Vulnerability: Missing Authorization
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: Property Hive
Vulnerability: Cross-Site Request Forgery via save_account_details
Patched Version: 2.0.20
Recommended Action: Update to version 2.0.20, or a newer patched version
Plugin: WP Booking System – Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.19.9
Recommended Action: Update to version 2.0.19.9, or a newer patched version
Plugin: Tag Groups is the Advanced Way to Display Your Taxonomy Terms
Vulnerability: Missing Authorization to Information Exposure
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Sensei LMS – Online Courses, Quizzes, & Learning
Vulnerability: Unauthenticated Email Template Disclosure
Patched Version: 4.24.2
Recommended Action: Update to version 4.24.2, or a newer patched version
Plugin: Share This Image
Vulnerability: Open Redirect via link Parameter
Patched Version: 2.04
Recommended Action: Update to version 2.04, or a newer patched version
Plugin: Spiffy Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.14
Recommended Action: Update to version 4.9.14, or a newer patched version
Plugin: Starbox – the Author Box for Humans
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version
Plugin: Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.6.9
Recommended Action: Update to version 3.6.9, or a newer patched version
Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version
Plugin: EventON
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.17
Recommended Action: Update to version 2.2.17, or a newer patched version
Plugin: Login Screen Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Team Showcase
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.22.26
Recommended Action: Update to version 1.22.26, or a newer patched version
Plugin: Greenshift – animation and page builder blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.4
Recommended Action: Update to version 9.4, or a newer patched version
Plugin: Roles & Capabilities
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version
Plugin: WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
Vulnerability: Improper Path Validation to Authenticated (Subscriber+) Arbitrary File Move and Read
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 2.8.12
Recommended Action: Update to version 2.8.12, or a newer patched version
Plugin: Affiliate Program Suite — SliceWP Affiliates
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.21
Recommended Action: Update to version 1.1.21, or a newer patched version
Plugin: Classified Listing – Classified ads & Business Directory Plugin
Vulnerability: Missing Authorization
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version
Plugin: WP Child Theme Generator
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Advanced Custom Fields
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.3.6
Recommended Action: Update to version 6.3.6, or a newer patched version
Plugin: Spiffy Calendar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.9.14
Recommended Action: Update to version 4.9.14, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Unauthorized User Registration
Patched Version: 4.15.4
Recommended Action: Update to version 4.15.4, or a newer patched version
Plugin: GDPR Cookie Consent
Vulnerability: Cross-Site Request Forgery to Bulk Delete
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: amCharts: Charts and Maps
Vulnerability: Reflected Cross-Site Scripting via Cross-Site Request Forgery
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Cron Jobs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.11
Recommended Action: Update to version 3.8.11, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.34.1
Recommended Action: Update to version 1.34.1, or a newer patched version
Plugin: Backuply – Backup, Restore, Migrate and Clone
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: HTML5 Video Player – mp4 Video Player Plugin and Block
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Patched Version: 2.5.35
Recommended Action: Update to version 2.5.35, or a newer patched version
Plugin: Responsive Lightbox & Gallery
Vulnerability: Missing Authorization
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version
Plugin: Simple Spoiler
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: WP Test Email
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Secure Downloads
Vulnerability: Authenticated (Admin+) Arbitrary File Download
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery Widget
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version
Plugin: Email Obfuscate Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced WordPress Backgrounds
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via imageTag Parameter
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version
Plugin: WCFM Marketplace – Multivendor Marketplace for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.12
Recommended Action: Update to version 3.6.12, or a newer patched version
Plugin: WP Hardening (discontinued)
Vulnerability: Unauthenticated Security Feature Bypass to Username Enumeration
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Custom Author Base
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Avada (Fusion) Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fusion_button Shortcode
Patched Version: 3.11.10
Recommended Action: Update to version 3.11.10, or a newer patched version
Plugin: WP ULike – All-in-One Engagement Toolkit
Vulnerability: Not specified in the listing; only the version number 4.7.2 is given
Patched Version: 4.7.2.1
Recommended Action: Update to version 4.7.2.1, or a newer patched version
Plugin: Simple Job Board
Vulnerability: Unauthenticated Resumes Download
Patched Version: 2.12.16
Recommended Action: Update to version 2.12.16, or a newer patched version
Plugin: Product Carousel Slider & Grid Ultimate for WooCommerce
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version
Plugin: WooCommerce Multilingual & Multicurrency with WPML
Vulnerability: Missing Authorization
Patched Version: 5.3.7
Recommended Action: Update to version 5.3.7, or a newer patched version
Plugin: Product Slider for WooCommerce by PickPlugins
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.13.51
Recommended Action: Update to version 1.13.51, or a newer patched version
Plugin: Link To Bible
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version
Plugin: Ntz Antispam
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Salon Booking System
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 10.9.4
Recommended Action: Update to version 10.9.4, or a newer patched version
Plugin: Simple Spoiler
Vulnerability: Not specified in the listing; only the version number 1.3 is given
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: HTML5 Video Player – mp4 Video Player Plugin and Block
Vulnerability: Missing Authorization in multiple functions via h5vp_ajax_handler
Patched Version: 2.5.33
Recommended Action: Update to version 2.5.33, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.14
Recommended Action: Update to version 4.5.14, or a newer patched version
Plugin: Custom Post Limits
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stream
Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.14
Recommended Action: Update to version 4.5.14, or a newer patched version
Plugin: IMPress for IDX Broker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Spice Starter Sites
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Photo Reviews Premium
Vulnerability: Authentication Bypass to Account Takeover and Privilege Escalation
Patched Version: 1.3.14
Recommended Action: Update to version 1.3.14, or a newer patched version
Plugin: Droip
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting in the URL Parameter in Multiple Widgets
Patched Version: 3.24.0
Recommended Action: Update to version 3.24.0, or a newer patched version
Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: PDF Thumbnail Generator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: MyBookTable Bookstore by Stormhill Media
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: Sign-up Sheets
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.13
Recommended Action: Update to version 2.2.13, or a newer patched version
Plugin: Flipping Cards
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.31
Recommended Action: Update to version 1.31, or a newer patched version
Plugin: Webo-facto
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.41
Recommended Action: Update to version 1.41, or a newer patched version
Plugin: Waitlist Woocommerce ( Back in stock notifier )
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated SQL Injection via ‘c_fields’
Patched Version: 4.2.7.1
Recommended Action: Update to version 4.2.7.1, or a newer patched version
Plugin: Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor
Vulnerability: Not specified in the listing
Patched Version: 3.3.6
Recommended Action: Update to version 3.3.6, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text Widget
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version
Plugin: Floating Contact Button
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Sensitive Information Exposure
Patched Version: 0.9.106
Recommended Action: Update to version 0.9.106, or a newer patched version
Plugin: WP Simple Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: WPFactory Helper
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: Houzez Login Register
Vulnerability: Authenticated (Subscriber+) Privilege Escalation via Account Takeover
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: WooCommerce Multiple Free Gift
Vulnerability: Insufficient Server-Side Validation to Arbitrary Gift Adding
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Lucas String Replace
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Maintenance Redirect
Vulnerability: IP Spoofing to Maintenance Mode Bypass
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: SKT Templates – 100% free Elementor & Gutenberg templates
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.15
Recommended Action: Update to version 6.15, or a newer patched version
Plugin: Carousel Slider
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Web Directory Free
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: Carousel Slider
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Exit Notifier
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10.6
Recommended Action: Update to version 1.10.6, or a newer patched version
Plugin: WordPress WP-Advanced-Search
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.3.9.2
Recommended Action: Update to version 3.3.9.2, or a newer patched version
Plugin: Login with phone number
Vulnerability: Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation
Patched Version: 1.7.50
Recommended Action: Update to version 1.7.50, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.4.2.2
Recommended Action: Update to version 1.4.2.2, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated SQL Injection via ‘c_only_fields’
Patched Version: 4.2.7.1
Recommended Action: Update to version 4.2.7.1, or a newer patched version
Plugin: Autochat Automatic Conversation
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder Gutenberg Blocks – CoBlocks
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.1.13
Recommended Action: Update to version 3.1.13, or a newer patched version
Plugin: WP Editor
Vulnerability: Authenticated (Admin+) PHAR Deserialization
Patched Version: 1.2.9.1
Recommended Action: Update to version 1.2.9.1, or a newer patched version
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Not specified in the listing; only the version number 2.2.90 is given
Patched Version: 2.2.91
Recommended Action: Update to version 2.2.91, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Authenticated (Subscriber+) Limited Arbitrary File Upload
Patched Version: 4.15.4
Recommended Action: Update to version 4.15.4, or a newer patched version
Plugin: Geo Mashup
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.13
Recommended Action: Update to version 1.13.13, or a newer patched version
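Every entry above reduces to one check: is the installed version below the patched version, or is there no patched version at all? The script below turns that check into something you can run against a site. It is an added example and not code from the original post or from any of the listed plugins. It mirrors PHP's version_compare(), which WordPress core uses when deciding whether an update applies, so that "2.04" and "2.4" compare equal and "2.0.19.9" sorts after "2.0.19"; a naive string comparison gets both wrong. The plugin names, vulnerability types and patched versions in ADVISORIES are taken from the list above; the slugs that key them, and the INSTALLED_SAMPLE that imitates `wp plugin list --format=json` output, are assumptions constructed for illustration.

```python
"""
Check installed WordPress plugins against a vulnerability list.

Added example, not code from the original post or from any listed plugin.
WordPress core decides whether an update applies with PHP's version_compare(),
so this mirrors that function: numeric parts compare as integers ("2.04" equals
"2.4"), a longer numeric version is newer ("2.0.19.9" > "2.0.19"), and
pre-release tags (alpha, beta, RC) sort below the bare release.
"""
import json
import re

# Rank of PHP's special version forms; a numeric part ranks as _NUMBER_RANK.
_SPECIAL_FORMS = (("dev", 0), ("alpha", 1), ("a", 1), ("beta", 2), ("b", 2),
                  ("RC", 3), ("rc", 3), ("pl", 5), ("p", 5))
_NUMBER_RANK = 4


def _canonicalize(version):
    """Split like PHP: -, _ and + become '.', and a '.' is inserted at every
    digit/non-digit boundary, so "1.0-RC1" becomes ["1", "0", "RC", "1"]."""
    v = re.sub(r"[-_+]", ".", version.strip())
    v = re.sub(r"(\d)(\D)", r"\1.\2", v)
    v = re.sub(r"(\D)(\d)", r"\1.\2", v)
    return [part for part in v.split(".") if part]


def _rank(part):
    if part.isdigit():
        return _NUMBER_RANK
    for form, rank in _SPECIAL_FORMS:   # prefix match, as PHP does
        if part.startswith(form):
            return rank
    return -1  # anything unrecognised sorts below every known form, as in PHP


def _cmp(a, b):
    return (a > b) - (a < b)


def version_compare(v1, v2):
    """Return -1, 0 or 1 with the same semantics as PHP's version_compare()."""
    p1, p2 = _canonicalize(v1), _canonicalize(v2)
    for a, b in zip(p1, p2):
        c = _cmp(int(a), int(b)) if a.isdigit() and b.isdigit() else _cmp(_rank(a), _rank(b))
        if c:
            return c
    if len(p1) == len(p2):
        return 0
    # One side has parts left over. A trailing number makes that side newer;
    # a trailing pre-release tag (alpha, RC, ...) makes it older.
    longer, sign = (p1, 1) if len(p1) > len(p2) else (p2, -1)
    extra = longer[min(len(p1), len(p2))]
    if extra.isdigit():
        return sign
    return sign * _cmp(_rank(extra), _NUMBER_RANK)


# Names, vulnerability types and patched versions come from the post above.
# The slugs used as keys are assumed for illustration.
ADVISORIES = {
    "relevanssi": {"plugin": "Relevanssi – A Better Search",
                   "vulnerability": "Authenticated (Contributor+) Stored Cross-Site Scripting",
                   "patched": "4.23.1"},
    "cookie-law-info": {"plugin": "GDPR Cookie Consent",
                        "vulnerability": "Unauthenticated Stored Cross-Site Scripting",
                        "patched": "2.6.1"},
    "share-this-image": {"plugin": "Share This Image",
                         "vulnerability": "Open Redirect via link Parameter",
                         "patched": "2.04"},
    "wpcargo": {"plugin": "WPCargo Track & Trace",
                "vulnerability": "Unauthenticated SQL Injection",
                "patched": None},  # no patched version available
}

# Constructed sample imitating `wp plugin list --format=json`; not real site data.
INSTALLED_SAMPLE = json.dumps([
    {"name": "relevanssi", "status": "active", "update": "available", "version": "4.22.2"},
    {"name": "cookie-law-info", "status": "active", "update": "none", "version": "2.6.1"},
    {"name": "share-this-image", "status": "inactive", "update": "none", "version": "2.4"},
    {"name": "wpcargo", "status": "active", "update": "none", "version": "7.0.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3.1"},
])


def assess(plugin_list_json, advisories=ADVISORIES):
    """Return one finding per installed plugin that appears in the advisories.

    Inactive plugins are reported too: their files stay on disk, and some
    plugin bugs live in files that can be requested directly, so an inactive
    plugin is not automatically safe."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        advisory = advisories.get(plugin["name"])
        if advisory is None:
            continue
        patched = advisory["patched"]
        if patched is None:
            status, action = "no-patch", "No patched version available; mitigate or remove the plugin"
        elif version_compare(plugin["version"], patched) < 0:
            status, action = "update", f"Update to version {patched} or newer"
        else:
            status, action = "ok", "Installed version is at or above the patched version"
        findings.append({
            "slug": plugin["name"], "plugin": advisory["plugin"],
            "vulnerability": advisory["vulnerability"],
            "installed": plugin["version"], "patched": patched,
            "active": plugin["status"] == "active",
            "status": status, "action": action,
        })
    return findings


if __name__ == "__main__":
    for f in assess(INSTALLED_SAMPLE):
        flag = "" if f["status"] == "ok" else "  <-- action needed"
        print(f'{f["slug"]:18} {f["installed"]:>8} -> {f["patched"] or "none":>8} {f["status"]:8}{flag}')
```

On a real site, replace INSTALLED_SAMPLE with the output of `wp plugin list --format=json` and extend ADVISORIES with the remaining entries from the list. Note the Share This Image row: an installed "2.4" is reported as patched because PHP (and therefore WordPress) treats it as equal to "2.04", which is the comparison the update mechanism itself would make.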
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.