Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight newly disclosed vulnerabilities in WordPress plugins. Each entry below names the plugin, the vulnerability type (including the privilege level an attacker needs, where one is required), the first patched version, and a recommended action. Updating to the patched version, or a newer one, closes the issue; where no patch exists, review the vulnerability details and mitigate or remove the plugin according to your organization's risk tolerance. Acting on these entries promptly reduces the risk to your WordPress site and its data.
Plugin: ABC APP CREATOR
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bradmax Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.28
Recommended Action: Update to version 1.1.28, or a newer patched version
Plugin: Kodex Posts likes
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IgnitionDeck Crowdfunding Platform
Vulnerability: Missing Authorization
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version
Plugin: Backup Database
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via template_id
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: Instant Chat Floating Button for WordPress Websites
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Vulnerability: Insecure Direct Object Reference to Account Takeover and Privilege Escalation
Patched Version: 1.8.1.15
Recommended Action: Update to version 1.8.1.15, or a newer patched version
Plugin: Themesflat Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: UsersControl – Users Profile, Free or Paid Subscriptions, User Access Restriction & Members Directory
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form 7 Campaign Monitor Extension
Vulnerability: Missing Authorization to Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tag Groups is the Advanced Way to Display Your Taxonomy Terms
Vulnerability: Missing Authorization to Information Exposure
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: (type not stated on this page; affects version 4.9.16 and earlier)
Patched Version: 4.9.17
Recommended Action: Update to version 4.9.17, or a newer patched version
Plugin: Spiffy Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.14
Recommended Action: Update to version 4.9.14, or a newer patched version
Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Vulnerability: Missing Authorization to Unauthenticated Database Upgrade
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: Appointment Booking and Scheduling Calendar Plugin – Webba Booking
Vulnerability: Missing Authorization to Authenticated (Subscriber+) CSS Settings Update
Patched Version: 5.0.50
Recommended Action: Update to version 5.0.50, or a newer patched version
Plugin: WPSPX
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AnWP Football Leagues
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 0.16.8
Recommended Action: Update to version 0.16.8, or a newer patched version
Plugin: Garden Gnome Package
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: W3 Total Cache
Vulnerability: Sensitive Credentials Stored in Plaintext
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: Restaurant & Cafe Addon for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: Beam me up Scotty – Back to Top Button
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version
Plugin: Gum Elementor Addon
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.13.11
Recommended Action: Update to version 2.13.11, or a newer patched version
Plugin: Roles & Capabilities
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version
Plugin: Simple Nav Archives
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Podiant
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooEvents – Calendar and Event Booking
Vulnerability: Unauthenticated Arbitrary File Overwrite
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version
Plugin: MH Board
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Prisna GWT – Google Website Translator
Vulnerability: (type not stated on this page; affects Google Website Translator version 1.4.11 and earlier)
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version
Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
Patched Version: 2.0.79
Recommended Action: Update to version 2.0.79, or a newer patched version
Plugin: TI WooCommerce Wishlist
Vulnerability: Unauthenticated SQL Injection via ‘lang’
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: WP Abstracts
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.70.4
Recommended Action: Update to version 1.2.70.4, or a newer patched version
Plugin: BA Book Everything
Vulnerability: Unauthenticated Arbitrary User Password Reset
Patched Version: 1.6.21
Recommended Action: Update to version 1.6.21, or a newer patched version
Plugin: Crowdsignal Dashboard – Polls, Surveys & more
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ShiftController Employee Shift Scheduling
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.9.65
Recommended Action: Update to version 4.9.65, or a newer patched version
Plugin: VR Calendar
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: WP Free SSL – Free SSL Certificate for WordPress and force HTTPS
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spiffy Calendar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.9.14
Recommended Action: Update to version 4.9.14, or a newer patched version
Plugin: WP Datepicker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Confetti Fall Animation
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via confetti-fall-animation Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LatePoint Plugin
Vulnerability: Unauthenticated Arbitrary User Password Change via SQL Injection
Patched Version: 5.0.12
Recommended Action: Update to version 5.0.12, or a newer patched version
Plugin: Cron Jobs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.11.2
Recommended Action: Update to version 2.11.2, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Missing Authorization
Patched Version: 3.2.10
Recommended Action: Update to version 3.2.10, or a newer patched version
Plugin: Easy PayPal Events
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Authenticated (Admin+) PHAR Deserialization
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: Uncanny Groups for LearnDash
Vulnerability: Authenticated (Group Leader+) Privilege Escalation
Patched Version: 6.1.1
Recommended Action: Update to version 6.1.1, or a newer patched version
Plugin: Gallery Plugin for WordPress – Envira Photo Gallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.8.15
Recommended Action: Update to version 1.8.15, or a newer patched version
Plugin: WP Testimonial Widget
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.28
Recommended Action: Update to version 1.8.28, or a newer patched version
Plugin: Checkout Mestres do WP for WooCommerce
Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 8.6.1
Recommended Action: Update to version 8.6.1, or a newer patched version
Plugin: Polls CP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.75
Recommended Action: Update to version 1.0.75, or a newer patched version
Plugin: WP Newsletter Subscription
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Revolut Gateway for WooCommerce
Vulnerability: Missing Authorization to Unauthenticated Order Status Update
Patched Version: 4.17.4
Recommended Action: Update to version 4.17.4, or a newer patched version
Plugin: Review & testimonial widgets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version
Plugin: Themesflat Addons For Elementor
Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: MAS Static Content
Vulnerability: Authenticated (Contributor+) Private Static Content Page Disclosure
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: WP Hardening (discontinued)
Vulnerability: Unauthenticated Security Feature Bypass to Username Enumeration
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Category Dropdown by GCS Design
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: Download Manager
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.99
Recommended Action: Update to version 3.2.99, or a newer patched version
Plugin: Daily Prayer Time
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2024.09.14
Recommended Action: Update to version 2024.09.14, or a newer patched version
Plugin: WooCommerce Multilingual & Multicurrency with WPML
Vulnerability: Missing Authorization
Patched Version: 5.3.7
Recommended Action: Update to version 5.3.7, or a newer patched version
Plugin: Product Slider for WooCommerce by PickPlugins
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.13.51
Recommended Action: Update to version 1.13.51, or a newer patched version
Plugin: Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.3.3.4
Recommended Action: Update to version 1.3.3.4, or a newer patched version
Plugin: Primary Addon for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: Medical Addon for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IdeaPush
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.69
Recommended Action: Update to version 8.69, or a newer patched version
Plugin: NiceJob
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.14
Recommended Action: Update to version 4.5.14, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.14
Recommended Action: Update to version 4.5.14, or a newer patched version
Plugin: Gum Elementor Addon
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 3.12.3
Recommended Action: Update to version 3.12.3, or a newer patched version
Plugin: XT Ajax Add To Cart for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Webflow Pages
Vulnerability: Missing Authorization
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Truepush – Most Affordable Web Push Notifications
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gianism
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.9.17
Recommended Action: Update to version 4.9.17, or a newer patched version
Plugin: CubeWP Forms – All-in-One Form Builder
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: Limit Login Attempts Plus – WordPress Limit Login Attempts By Felix
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Travel – Ultimate Travel Booking System, Tour Management Engine
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.4.0
Recommended Action: Update to version 9.4.0, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version
Plugin: BA Book Everything
Vulnerability: Cross-Site Request Forgery to Email Address Update/Account Takeover
Patched Version: 1.6.21
Recommended Action: Update to version 1.6.21, or a newer patched version
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.3.3.4
Recommended Action: Update to version 1.3.3.4, or a newer patched version
Plugin: LatePoint Plugin
Vulnerability: Authentication Bypass
Patched Version: 5.0.13
Recommended Action: Update to version 5.0.13, or a newer patched version
Plugin: Charity Addon for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Easy Mega Menu Plugin for WordPress – ThemeHunk
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Updates
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Flipping Cards
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.31
Recommended Action: Update to version 1.31, or a newer patched version
Plugin: Webo-facto
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.41
Recommended Action: Update to version 1.41, or a newer patched version
Plugin: CSS JS Files
Vulnerability: Authenticated (Admin+) Arbitrary File Read
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: ClickSold IDX
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Easy Gallery – WordPress Gallery Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Gallery Manipulation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LWS Affiliation
Vulnerability: Missing Authorization
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Sensitive Information Exposure
Patched Version: 0.9.106
Recommended Action: Update to version 0.9.106, or a newer patched version
Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more
Vulnerability: Missing Authorization
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version
Plugin: NiceJob
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: Maintenance Redirect
Vulnerability: IP Spoofing to Maintenance Mode Bypass
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: WP Ticket Ultra Help Desk & Support Plugin
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Easy Gallery – WordPress Gallery Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Insecure Direct Object Reference to Unsubscribe
Patched Version: 1.3.6.2
Recommended Action: Update to version 1.3.6.2, or a newer patched version
Plugin: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 6.18.4
Recommended Action: Update to version 6.18.4, or a newer patched version
Plugin: Koko Analytics
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version
Plugin: Vmax Project Manager
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Multipurpose Ticket Booking Manager (Bus/Train/Ferry/Boat/Shuttle) | WpTicketly
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version
Plugin: PeoplePond
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Custom Fields Search
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpcfs-preset Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.19.1
Recommended Action: Update to version 1.19.1, or a newer patched version
Plugin: WP Edit Username
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: The Events Calendar
Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.6.4.1
Recommended Action: Update to version 6.6.4.1, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Reflected Self-Based Cross-Site Scripting via Referer
Patched Version: 3.8.16
Recommended Action: Update to version 3.8.16, or a newer patched version
Plugin: Jupiter X Core
Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 4.6.9
Recommended Action: Update to version 4.6.9, or a newer patched version
Plugin: Seriously Simple Stats
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Pixel Cat – Conversion Pixel Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: Themify – WooCommerce Product Filter
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
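Applying this week's list to a site means comparing each installed plugin's version with the first patched version and treating plugins with no patch separately. The script below is an added example, not part of the original post or of any plugin's own code: it takes an inventory in the shape that `wp plugin list --fields=name,title,status,version --format=json` produces (the inventory here is a constructed sample), checks it against a handful of entries copied from the list above, and reports what to do. Matching advisories to installed plugins by title, and the purely numeric version comparison, are assumptions of the example; the digest does not give plugin slugs.

```python
"""Triage installed WordPress plugins against a weekly advisory digest.

Added example, not part of the original post. ADVISORIES is copied from the
entries above; SAMPLE_INVENTORY is a constructed sample in the shape that
`wp plugin list --fields=name,title,status,version --format=json` returns.
Matching by plugin title is an assumption (the digest lists titles, not slugs).
"""
import json
import re
import sys

# Plugin title -> first patched version, copied from the digest above.
# None means "No patched version available". When a plugin has several
# entries (LatePoint has 5.0.12 and 5.0.13), keep the highest patched version
# so that one comparison covers every entry.
ADVISORIES = {
    "Bradmax Player": "1.1.28",
    "Spiffy Calendar": "4.9.14",
    "Category Dropdown by GCS Design": "1.9",
    "Daily Prayer Time": "2024.09.14",
    "LatePoint Plugin": "5.0.13",
    "ABC APP CREATOR": None,
}

# Constructed sample inventory; versions are chosen to exercise each branch
# (below patch, equal to patch, above patch, unpatched plugin, unlisted plugin).
SAMPLE_INVENTORY = json.dumps([
    {"name": "bradmax-player", "title": "Bradmax Player", "status": "active", "version": "1.1.27"},
    {"name": "spiffy-calendar", "title": "Spiffy Calendar", "status": "active", "version": "4.9.14"},
    {"name": "category-dropdown", "title": "Category Dropdown by GCS Design", "status": "active", "version": "1.10"},
    {"name": "daily-prayer-time", "title": "Daily Prayer Time", "status": "inactive", "version": "2024.06.01"},
    {"name": "latepoint", "title": "LatePoint Plugin", "status": "active", "version": "5.0.12"},
    {"name": "abc-app-creator", "title": "ABC APP CREATOR", "status": "active", "version": "1.0"},
    {"name": "akismet", "title": "Akismet Anti-spam", "status": "active", "version": "5.3"},
])


def version_tuple(version):
    """Split a dotted version into integers: "1.2.70.4" -> [1, 2, 70, 4].

    Numeric comparison is what the digest's versions need ("1.10" is newer
    than "1.9", "2024.09.14" compares by date parts). Pre-release suffixes
    such as "-beta" are ignored, which differs from PHP's version_compare().
    """
    return [int(part) for part in re.findall(r"\d+", version)]


def version_lt(installed, patched):
    """True when `installed` is strictly older than `patched`.

    Shorter versions are right-padded with zeros so "2.7" == "2.7.0".
    """
    a, b = version_tuple(installed), version_tuple(patched)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


def triage(inventory_json, advisories=ADVISORIES):
    """Return one finding per installed plugin that still needs action.

    Inactive plugins are reported too: deactivation leaves the plugin's files
    on disk, and a vulnerability in a file that can be requested directly does
    not need the plugin to be active.
    """
    findings = []
    for plugin in json.loads(inventory_json):
        title = plugin["title"]
        if title not in advisories:
            continue  # not in this week's digest
        patched = advisories[title]
        installed = plugin["version"]
        if patched is None:
            action = ("no patch available: review the vulnerability details, "
                      "mitigate per your risk tolerance, or uninstall and replace")
        elif version_lt(installed, patched):
            action = f"update to {patched} or a newer patched version"
        else:
            continue  # already at or above the patched version
        findings.append({
            "title": title,
            "slug": plugin["name"],
            "status": plugin["status"],
            "installed": installed,
            "patched": patched,
            "action": action,
        })
    return findings


if __name__ == "__main__":
    # Pipe real data in with:
    #   wp plugin list --fields=name,title,status,version --format=json | python3 triage.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INVENTORY
    for finding in triage(data):
        print(f"{finding['title']} {finding['installed']} [{finding['status']}]: {finding['action']}")
```

Run against the constructed inventory, the script flags Bradmax Player, Daily Prayer Time and LatePoint Plugin for an update, flags ABC APP CREATOR as unpatched, and stays silent on Spiffy Calendar (already at 4.9.14), Category Dropdown (1.10 is newer than 1.9) and the unlisted plugin. Replace the title-based matching with slug-based matching once you have slugs from the advisory source; titles change between releases and a mismatch silently skips the plugin.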
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.