WordPress Plugin Vulnerability Advisory: XSS, File Upload, Auth Bypass

Vulnerability Overview Patchstack is a leading open-source vulnerability database focused on security issues in WordPress websites. This page displays multiple known vulnerabilities in WordPress plugins, including Cross-Site Scripting (XSS), arbitrary file upload, stored XSS, and more. Impact Scope Rescue Shortcodes (version <= 3.3): Cross-Site Scripting (XSS) vulnerability ACF Galerie 4 (version <= 14.2): Access control vulnerability Taxi Booking Manager for WooCommerce (version <= 2.0.0): Cross-Site Scripting (XSS) vulnerability Social Rocket (version <= 13.4.2): Authentication bypass vulnerability Breeze (version <= 2.4.4): Unauthenticated arbitrary file upload vulnerability ExactMetrics (version <= 9.1.2): Authenticated arbitrary plugin installation/activation vulnerability WP Store Locator (version <= 2.2.26): Authenticated stored XSS vulnerability Gutenberg (version <= 3.5.5): Page builder plugin vulnerability Avada (version <= 7.13.2): Cross-Site Request Forgery (CSRF) vulnerability Order Minimum/Maximum Amount Limits for WooCommerce (version <= 4.6.4): Cross-Site Scripting (XSS) vulnerability Maximum Products per User for WooCommerce (version <= 4.3.6): Cross-Site Scripting (XSS) vulnerability Breaking News WP (version <= 1.3): Local file inclusion vulnerability due to missing authorization Simple Random Posts Shortcode (version <= 0.3): Authenticated stored XSS vulnerability Emailchef (version <= 3.5.1): Arbitrary plugin settings vulnerability due to missing authorization WP Responsive Popup + Optin (version <= 1.4): Cross-Site Request Forgery leading to stored XSS vulnerability Create DB Tables (version <= 1.2.1): Arbitrary database operation vulnerability due to missing authorization Sendinblue for WordPress (version <= 10.2.0): Unauthenticated SMTP hijacking vulnerability Short Comment Filter (version <= 2.2): Authenticated stored XSS vulnerability Private WP suite (version <= 0.4.1): Authenticated stored XSS vulnerability Real Estate Pro (version <= 1.0.9): Authenticated stored XSS vulnerability Remediation Solutions Rescue Shortcodes: Upgrade to version 3.4 or higher ACF Galerie 4: Upgrade to version 14.3 or higher Taxi Booking Manager for WooCommerce: Upgrade to version 2.1.0 or higher Social Rocket: Upgrade to version 13.4.3 or higher Breeze: Upgrade to version 2.4.5 or higher ExactMetrics: Upgrade to version 9.1.3 or higher WP Store Locator: Upgrade to version 2.2.27 or higher Gutenberg: Upgrade to version 3.5.6 or higher Avada: Upgrade to version 7.13.3 or higher Order Minimum/Maximum Amount Limits for WooCommerce: Upgrade to version 4.6.5 or higher Maximum Products per User for WooCommerce: Upgrade to version 4.3.7 or higher Breaking News WP: Upgrade to version 1.4 or higher Simple Random Posts Shortcode: Upgrade to version 0.4 or higher Emailchef: Upgrade to version 3.5.2 or higher WP Responsive Popup + Optin: Upgrade to version 1.5 or higher Create DB Tables: Upgrade to version 1.2.2 or higher Sendinblue for WordPress: Upgrade to version 10.2.1 or higher Short Comment Filter: Upgrade to version 2.3 or higher Private WP suite: Upgrade to version 0.4.2 or higher Real Estate Pro: Upgrade to version 1.0.10 or higher POC Code or Exploit Code No specific POC code or exploit code is provided on the page.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Plugin Vulnerability Advisory: XSS, File Upload, Auth Bypass