Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: WP Cerber Security, Anti-spam & Malware Scan
Vulnerability: IP Protection Bypass
Patched Version: 9.5
Recommended Action: Update to version 9.5, or a newer patched version
Plugin: Front End Users
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.29
Recommended Action: Update to version 3.2.29, or a newer patched version
Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking
Vulnerability: Cross-Site Request Forgery in Multiple Functions
Patched Version: 2.11.21
Recommended Action: Update to version 2.11.21, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Sensitive Information Exposure via Imported Subscribers CSV File
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version
Plugin: Tutor LMS – Migration Tool
Vulnerability: Missing Authorization in tutor_import_from_xml
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mollie Payments for WooCommerce
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 7.8.0
Recommended Action: Update to version 7.8.0, or a newer patched version
Plugin: Tutor LMS – Migration Tool
Vulnerability: Missing Authorization in tutor_lp_export_xml
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Web Application Firewall – website security
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Reflected Cross-Site Scripting via selected_option
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Directory Traversal to Authenticated (Subscriber+) Arbitrary File Download
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Justified Image Grid – Premium WordPress Gallery
Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Timeline Event History
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: YITH WooCommerce Ajax Search
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: Enhanced Search Box
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LatePoint Plugin
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GEO my WP
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 4.5.0.2
Recommended Action: Update to version 4.5.0.2, or a newer patched version
Plugin: infolinks Ad Wrap
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spiffy Calendar
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 4.9.13
Recommended Action: Update to version 4.9.13, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Widget
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version
Plugin: Registrations for the Events Calendar – Event Registration Plugin
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2.12.3
Recommended Action: Update to version 2.12.3, or a newer patched version
Plugin: Podlove Podcast Publisher
Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: 4.1.14
Recommended Action: Update to version 4.1.14, or a newer patched version
Plugin: Super Store Finder
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 6.9.8
Recommended Action: Update to version 6.9.8, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.16.0
Recommended Action: Update to version 3.16.0, or a newer patched version
Plugin: WPZOOM Portfolio Lite – Filterable Portfolio Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: FunnelKit Funnel Builder Pro
Vulnerability: No subtitle
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.103
Recommended Action: Update to version 3.3.103, or a newer patched version
Plugin: Smart Online Order for Clover
Vulnerability: Missing Authorization
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: The Events Calendar Pro
Vulnerability: Authenticated (Administrator+) PHP Object Injection to Remote Code Execution
Patched Version: 7.0.2.1
Recommended Action: Update to version 7.0.2.1, or a newer patched version
Plugin: Visual Sound (old)
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Authenticated (Administrator+) Arbitrary File Deletion
Patched Version: 3.7.4.1
Recommended Action: Update to version 3.7.4.1, or a newer patched version
Plugin: Leaky Paywall
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.21.3
Recommended Action: Update to version 4.21.3, or a newer patched version
Plugin: Custom Query Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 5.7.1
Recommended Action: Update to version 5.7.1, or a newer patched version
Plugin: Premium Portfolio Features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.985
Recommended Action: Update to version 1.3.985, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 9.1.3
Recommended Action: Update to version 9.1.3, or a newer patched version
Plugin: SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.29.4
Recommended Action: Update to version 2.29.4, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Share This Image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via alignment Parameter
Patched Version: 2.02
Recommended Action: Update to version 2.02, or a newer patched version
Plugin: Super Store Finder
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 6.9.8
Recommended Action: Update to version 6.9.8, or a newer patched version
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Media Deletion
Patched Version: 3.7.4.1
Recommended Action: Update to version 3.7.4.1, or a newer patched version
Plugin: Payment forms, Buy now buttons, and Invoicing System | GetPaid
Vulnerability: Missing Authorization via column_subscription()
Patched Version: 2.8.12
Recommended Action: Update to version 2.8.12, or a newer patched version
Plugin: Form builder to get in touch with visitors and grow your email list — Happyforms
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.26.1
Recommended Action: Update to version 1.26.1, or a newer patched version
Plugin: Podlove Podcast Publisher
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.14
Recommended Action: Update to version 4.1.14, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.13.7
Recommended Action: Update to version 1.13.7, or a newer patched version
Plugin: Two-factor authentication (formerly IP Vault)
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Status Updates
Patched Version: 3.3.103
Recommended Action: Update to version 3.3.103, or a newer patched version
Plugin: Event Espresso – Event Registration & Ticketing Sales
Vulnerability: No subtitle
Patched Version: 5.0.22.decaf
Recommended Action: Update to version 5.0.22.decaf, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Missing Authorization
Patched Version: 1.3.2.9
Recommended Action: Update to version 1.3.2.9, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version
Plugin: Memberpress
Vulnerability: Reflected Cross-Site Scripting via mepr_screenname and mepr_key Parameters
Patched Version: 1.11.30
Recommended Action: Update to version 1.11.30, or a newer patched version
Plugin: Secure Downloads
Vulnerability: Authenticated (Admin+) Arbitrary File Download
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Like Button Rating ♥ LikeBtn
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.54
Recommended Action: Update to version 2.6.54, or a newer patched version
Plugin: PixelYourSite Pro – Your smart PIXEL (TAG) Manager
Vulnerability: Unauthenticated Information Exposure and Log Deletion
Patched Version: 10.4.3
Recommended Action: Update to version 10.4.3, or a newer patched version
Plugin: Ditty – Responsive News Tickers, Sliders, and Lists
Vulnerability: 3.1.45
Patched Version: 3.1.46
Recommended Action: Update to version 3.1.46, or a newer patched version
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification
Patched Version: 5.1.19
Recommended Action: Update to version 5.1.19, or a newer patched version
Plugin: WP Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 10.5.1
Recommended Action: Update to version 10.5.1, or a newer patched version
Plugin: WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly
Vulnerability: Missing Authorization
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version
Plugin: Smart Online Order for Clover
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Data Update
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: Memberpress
Vulnerability: Reflected Cross-Site Scripting via message and error
Patched Version: 1.11.27
Recommended Action: Update to version 1.11.27, or a newer patched version
Plugin: Login As Users
Vulnerability: Missing Authorization to Privilege Escalation via Account Takeover
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: WP Events Manager
Vulnerability: Authenticated (Subscriber+) Time-Based SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Theme Editor
Vulnerability: Authenticated (Admin+) PHAR Deserialization
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.8.12
Recommended Action: Update to version 3.8.12, or a newer patched version
Plugin: Super Store Finder
Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.9.8
Recommended Action: Update to version 6.9.8, or a newer patched version
Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Vulnerability: Missing Authorization via geodirectory_rated()
Patched Version: 2.3.71
Recommended Action: Update to version 2.3.71, or a newer patched version
Plugin: Review Ratings
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Specifications for Woocommerce
Vulnerability: Reflected Cross-Site Scripting via Arbitrary Query String Parameter
Patched Version: 0.7.0
Recommended Action: Update to version 0.7.0, or a newer patched version
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Media Upload
Patched Version: 3.7.4.1
Recommended Action: Update to version 3.7.4.1, or a newer patched version
Plugin: Smart Online Order for Clover
Vulnerability: Missing Authorization to Plugin Deactivation and Data Deletion
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Missing Authorization to Limited Vendor Privilege Escalation/Account Takeover
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version
Plugin: Tutor LMS Pro
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Missing Authorization to Unauthenticated Sensitive Information Exposure
Patched Version: 2.4.4.1
Recommended Action: Update to version 2.4.4.1, or a newer patched version
Plugin: HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget
Patched Version: 11.1.34
Recommended Action: Update to version 11.1.34, or a newer patched version
Plugin: WBW Product Table Pro
Vulnerability: Unauthenticated Arbitrary SQL Execution
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Insecure Direct Object Reference
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: ARforms
Vulnerability: Premium WordPress Form Builder <= 6.4.0
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version
Plugin: HelloAsso
Vulnerability: Missing Authorization
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version
Plugin: WP To Do
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Task Comments
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Custom Fields (ACF)
Vulnerability: Authenticated (Contributor+) Arbitrary Custom Field Access
Patched Version: 6.3.0
Recommended Action: Update to version 6.3.0, or a newer patched version
Plugin: Clean Login
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.14.6
Recommended Action: Update to version 1.14.6, or a newer patched version
Plugin: Relevanssi Live Ajax Search
Vulnerability: Unauthenticated WP_Query Argument Injection
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: EU/UK VAT Validation Manager for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 3.7.4.1
Recommended Action: Update to version 3.7.4.1, or a newer patched version
Plugin: Premium SEO Pack – WP SEO Plugin
Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version
Plugin: Vikinghammer Tweet
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Field Template
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: Media Library Folders
Vulnerability: Authenticated (Subscriber+) Second-Order SQL Injection
Patched Version: 8.2.3
Recommended Action: Update to version 8.2.3, or a newer patched version
Plugin: Carousel Slider
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: WP Accessibility Helper (WAH)
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Settings Update
Patched Version: 0.6.2.9
Recommended Action: Update to version 0.6.2.9, or a newer patched version
Plugin: AI Engine
Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: tagDiv Composer
Vulnerability: Reflected Cross-Site Scripting via envato_code[]
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Carousel Slider
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Vulnerability: Authenticated (Contributor+) Information Disclosure
Patched Version: 7.7.12
Recommended Action: Update to version 7.7.12, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Missing Authorization to Arbitrary Vendor Deletion
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version
Plugin: Front End Users
Vulnerability: Authenticated (Contributor+) Time-Based SQL Injection
Patched Version: 3.2.29
Recommended Action: Update to version 3.2.29, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id and eae_slider_animation Parameters
Patched Version: 1.13.6
Recommended Action: Update to version 1.13.6, or a newer patched version
Plugin: tagDiv Composer
Vulnerability: Reflected Cross-Site Scripting via envato_code[]
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 20.0.6
Recommended Action: Update to version 20.0.6, or a newer patched version
Plugin: Taxi Booking Manager for WooCommerce – WordPress plugin | Ecab
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Missing Authorization to Admin Username Change
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: WP Table Builder – WordPress Table Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Special Feed Items
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via type Parameter
Patched Version: 2.8.3.6
Recommended Action: Update to version 2.8.3.6, or a newer patched version
Plugin: Media Library Folders
Vulnerability: Missing Authorization on Various Functions
Patched Version: 8.2.4
Recommended Action: Update to version 8.2.4, or a newer patched version
Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.9.9.4.8
Recommended Action: Update to version 2.9.9.4.8, or a newer patched version
Plugin: Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.