1. Paid Membership Pro

Plugin: Paid Membership Pro
Vulnerability: Cross-Site Scripting
Patched in Version: 2.5.10
Severity: Medium
The vulnerability is patched, so you should update to version 2.5.10+.
2. Event Calendar WD

Plugin: Event Calendar WD
Vulnerability: Cross-Site Scripting
Patched in Version: 1.1.46
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.1.46+.
3. Yada Wiki

Plugin: Yada Wiki
Vulnerability: Stored Cross-Site Scripting
Patched in Version: 3.4.1
Severity Score: Medium
The vulnerability is patched, so you should update to version 3.4.1+.
4. User Profile Picture

Plugin: User Profile Picture
Vulnerability: Arbitrary User Picture Change/Deletion via IDOR
Patched in Version: 2.6.0
Severity Score: Medium
The vulnerability is patched, so you should update to version 2.6.0+.
5. YouTube Embed, Playlist and Popup

Plugin: YouTube Embed, Playlist and Popup
Vulnerability: Stored XSS
Patched in Version: 2.3.9
Severity Score: Medium
The vulnerability is patched, so you should update to version 2.3.9+.
6. W3 Total Cache

Plugin: W3 Total Cache
Vulnerability: Reflected XSS in Extensions Page
Patched in Version: 2.1.5
Severity Score: High
Plugin: W3 Total Cache
Vulnerability: Reflected XSS in Extensions Page
Patched in Version: 2.1.4
Severity Score: Critical
The vulnerability is patched, so you should update to version 2.1.5+.
7. ProfilePress

Plugin: ProfilePress
Vulnerability: Authenticated Stored XSS
Patched in Version: 3.1.8
Severity Score: Medium
Plugin: ProfilePress
Vulnerability: Unauthenticated Privilege Escalation
Patched in Version: 3.1.4
Severity Score: Critical
Plugin: ProfilePress
Vulnerability: Arbitrary File Upload in Image Uploader Component
Patched in Version: 3.1.4
Severity Score: Critical
The vulnerability is patched, so you should update to version 3.1.8+.
8. Tutor LMS

Plugin: Tutor LMS
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 1.9.2
Severity Score: High
The vulnerability is patched, so you should update to version 1.9.2+.
9. Youzify

Plugin: Youzify
Vulnerability: Stored Cross-Site Scripting via Biography
Patched in Version: 1.0.7
Severity Score: High
The vulnerability is patched, so you should update to version 1.0.7+.
10. Any Hostname
Plugin: Any Hostname
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
11. Event Geek
Plugin: Event Geek
Vulnerability: Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
12. DrawBlog
Plugin: DrawBlog
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
13. Bookshelf
Plugin: Bookshelf
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
14. Migrate Users
Plugin: Migrate Users
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
15. Steam Group Viewer
Plugin: Steam Group Viewer
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
16. Awesome Weather Widget
Plugin: Awesome Weather Widget
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
17. Post Grid

Plugin: Post Grid
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.1.8
Severity Score: High
The vulnerability is patched, so you should update to version 2.1.8+.
18. Quiz Maker

Plugin: Quiz Maker
Vulnerability: Multiple Authenticated Blind SQL Injections
Patched in Version: 6.2.0.9
Severity Score: High
The vulnerability is patched, so you should update to version 6.2.0.9+.
19. Portfolio Responsive Gallery
Plugin: Portfolio Responsive Gallery
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 1.1.8
Severity Score: High
The vulnerability is patched, so you should update to version 1.1.8+.
Plugin: Portfolio Responsive Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.1.8
Severity Score: High
The vulnerability is patched, so you should update to version 1.1.8+.
20. Popup box

Plugin: Popup box
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 2.3.4
Severity Score: High
The vulnerability is patched, so you should update to version 2.3.4+.
Plugin: Popup box
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.3.4
Severity Score: High
The vulnerability is patched, so you should update to version 2.3.4+.
21. Survey Maker

Plugin: Survey Maker
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 1.5.6
Severity Score: High
The vulnerability is patched, so you should update to version 1.5.6+.
Plugin: Survey Maker
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.5.6
Severity Score: High
The vulnerability is patched, so you should update to version 1.5.6+.
22. Popup Like box – Page Plugin
Plugin: Popup Like box – Page Plugin
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 3.5.3
Severity Score: High
The vulnerability is patched, so you should update to version 3.5.3+.
Plugin: Popup Like box – Page Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.5.3
Severity Score: High
The vulnerability is patched, so you should update to version 3.5.3+.
23. FAQ Builder
Plugin: FAQ Builder
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 1.3.6
Severity Score: High
The vulnerability is patched, so you should update to version 1.3.6+.
24. Photo Gallery by Ays

Plugin: Photo Gallery by Ays
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 4.4.4
Severity Score: High
The vulnerability is patched, so you should update to version 4.4.4+.
Plugin: Photo Gallery by Ays
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.4.4
Severity Score: High
The vulnerability is patched, so you should update to version 4.4.4+.
25. Image Slider by Ays

Plugin: Image Slider by Ays
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 2.5.0
Severity Score: High
Plugin: Image Slider by Ays
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.5.0
Severity Score: High
The vulnerability is patched, so you should update to version 2.5.0+.
26. Poll Maker

Plugin: Poll Maker
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 3.2.1
Severity Score: High
The vulnerability is patched, so you should update to version 3.2.1+.
27. Secure Copy Content Protection and Content Locking

Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 2.6.7
Severity Score: High
The vulnerability is patched, so you should update to version 2.6.7+.
28. RSVPMaker

Plugin: RSVPMaker
Vulnerability: Authenticated SSRF
Patched in Version: 8.7.3
Severity Score: Medium
The vulnerability is patched, so you should update to version 8.7.3+.
29. WP Offload SES Lite

Plugin: WP Offload SES Lite
Vulnerability: Stored Cross-Site Scripting
Patched in Version: 1.4.5
Severity: High
The vulnerability is patched, so you should update to version 1.4.5+.
30. WP SMS

Plugin: WP SMS
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 5.4.9.1
Severity: High
The vulnerability is patched, so you should update to version 5.4.9.1+.
31. Profile Builder

Plugin: Profile Builder
Vulnerability: Authenticated Stored XSS
Patched in Version: 3.4.8
Severity: Medium
The vulnerability is patched, so you should update to version 3.4.8+.
32. TaxoPress

Plugin: TaxoPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 3.0.7.2
Severity: Medium
The vulnerability is patched, so you should update to version 3.0.7.2+.
33. Strong Testimonials

Plugin: Strong Testimonials
Vulnerability: Unauthorized AJAX Call
Patched in Version: 2.51.3
Severity: Medium
The vulnerability is patched, so you should update to version 2.51.3+.
34. Adapta RGPD
Plugin: Adapta RGPD
Vulnerability: Unauthorized Consent via CSRF
Patched in Version: 1.3.3
Severity: Medium
The vulnerability is patched, so you should update to version 1.3.3+.
35. MailOptin

Plugin: MailOptin
Vulnerability: Unauthorized AJAX Call
Patched in Version: 1.2.35.2
Severity: Medium
The vulnerability is patched, so you should update to version 1.2.35.2+.
36. YITH Request a Quote for WooCommerce

Plugin: YITH Request a Quote for WooCommerce
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 1.6.4
Severity: Medium
The vulnerability is patched, so you should update to version 1.6.4+.
37. ReviewX

Plugin: ReviewX
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 1.2.9
Severity: Medium
The vulnerability is patched, so you should update to version 1.2.9+.
38. Food Store
Plugin: Food Store
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 1.3.7
Severity: Medium
The vulnerability is patched, so you should update to version 1.3.7+.
39. WP Prayer
Plugin: WP Prayer
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 1.5.5
Severity: Medium
The vulnerability is patched, so you should update to version 1.5.5+.
40. KONTXT Content Advisor

Plugin: KONTXT Content Advisor
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 2.3
Severity: Medium
The vulnerability is patched, so you should update to version 2.3+.
41. Fontsampler

Plugin: Fontsampler
Vulnerability: CSRF to Authenticated Reflected Cross-Site Scripting
Patched in Version: 0.4.13
Severity: High
The vulnerability is patched, so you should update to version 0.4.13+.
42. MZ Mindbody API

Plugin: MZ Mindbody API
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 2.8.3
Severity: High
The vulnerability is patched, so you should update to version 2.8.3+.
43. Journey Analytics

Plugin: Journey Analytics
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 1.0.13
Severity: Medium
The vulnerability is patched, so you should update to version 1.0.13+.
44. Alkubot

Plugin: Alkubot
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 3.0.0
Severity: Medium
The vulnerability is patched, so you should update to version 3.0.0+.
45. MZ MBO Access

Plugin: MZ MBO Access
Vulnerability: Unauthorized AJAX call
Patched in Version: 2.0.9
Severity: Medium
The vulnerability is patched, so you should update to version 2.0.9+.
46. BNG Gateway For Woocommerce
Plugin: BNG Gateway For Woocommerce
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
47. BuddyPress Customer.io Analytics Integration
Plugin: BuddyPress Customer.io Analytics Integration
Vulnerability: Arbitrary Plugin Settings Update via CSRF
Patched in Version: No known fix
Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
48. WooCommerce Custom Registration Form
Plugin: WooCommerce Custom Registration Form
Vulnerability: Arbitrary Field Deletion and Form Modification via CSRF
Patched in Version: No known fix
Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
49. Woocommerce Tabs Plugin, Add Custom Product Tabs
Plugin: Woocommerce Tabs Plugin, Add Custom Product Tabs
Vulnerability: Arbitrary Tab Deletion/Edition via CSRF
Patched in Version: No known fix
Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
50. Global Multisite Search
Plugin: Global Multisite Search
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
51. Intimate Payments
Plugin: Intimate Payments
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
52. KONTXT Improves WordPress Search
Plugin: KONTXT Improves WordPress Search
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
53. Instantio

Plugin: Instantio
Vulnerability: CSRF Bypass
Patched in Version: 1.2.6
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.2.6+.
54. Express Shop

Plugin: Express Shop
Vulnerability: CSRF Bypass
Patched in Version: 4.0.3
Severity Score: Medium
The vulnerability is patched, so you should update to version 4.0.3+.
55. SEO Wizard
Plugin: SEO Wizard
Vulnerability: Unauthorized robots.txt & .htaccess Edit via CSRF
Patched in Version: No known fix
Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
56. Title Field Validation
Plugin: Title Field Validation
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: No known fix
Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
57. Booking Calendar

Plugin: Booking Calendar
Vulnerability: Authorized AJAX calls
Patched in Version: 2.1.6
Severity: Medium
The vulnerability is patched, so you should update to version 2.1.6+.
58. Community Event

Plugin: Community Event
Vulnerability: Reflected XSS
Patched in Version: 1.4.8
Severity Score: High
The vulnerability is patched, so you should update to version 1.4.8+.
59. WP LMS
Plugin: WP LMS
Vulnerability: Stored Cross-Site Scripting
Patched in Version: No known fix
Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
60. Cooked Pro

Plugin: Cooked Pro
Vulnerability: Unauthenticated Reflected Cross-Site Scripting
Patched in Version: 1.7.5.6
Severity: Medium
The vulnerability is patched, so you should update to version 1.7.5.6+.
61. PWA for WP & AMP

Plugin: PWA for WP & AMP
Vulnerability: Authenticated Arbitrary File Upload
Patched in Version: 1.7.33
Severity: Critical
The vulnerability is patched, so you should update to version 1.7.33+.