• You MUST read the Babiato Rules before making your first post otherwise you may get permanent warning points or a permanent Ban.

    Our resources on Babiato Forum are CLEAN and SAFE. So you can use them for development and testing purposes. If your are on Windows and have an antivirus that alerts you about a possible infection: Know it's a false positive because all scripts are double checked by our experts. We advise you to add Babiato to trusted sites/sources or disable your antivirus momentarily while downloading a resource. "Enjoy your presence on Babiato"

Week 22 (May 27 - June 2nd) - vulnerability warning report

Not open for further replies.


Mr. G(rumpy)
Staff member
Null Master
Babiato Lover
Trusted Uploader
Nov 5, 2019

Disclaimer: These vulnerabilities are present in UNTOUCHED versions from developers.​

Plugin Name​




WP-Staging - Backup Duplicator & Migration< 3.5.0Authenticated (Admin+) SSRFupdate to version 3.5.0
Happy Addons for Elementor<= 3.10.9
Authenticated (Contributor+) Stored XSSupdate to version 3.11
Flash & HTML5 Video< 2.5.27Unauthenticated SQL Inclusionupdate to version 2.5.27
Download Manager<= 3.2.90Authenticated (Contributor+) Stored XSSupdate to version 3.2.91
WPCafe<= 2.2.24Authenticated (Contributor+) Stored XSSupdate to version 2.2.26
Premium addons for Elementor<= 4.10.31Missing authorization to information disclosureupdate to version 4.10.32
Atarim<= 3.30Unauthenticated Stored XSSupdate to version 3.31
DethemeKit for Elementor<= 2.1.4Authenticated (Contributor+) Stored XSSupdate to version 2.1.5
Responsive Owl Carousel for Elementor<= 1.2.0Local file inclusionupdate to version 1.2.1
Global notification bar<= 1.0.1Cross-Site Scripting (XSS)no patch available
Smartarget Message Bar<= 1.3Cross-Site Scripting (XSS)no patch available
Random Banner<= 4.2.8Cross-Site Scripting (XSS)no patch available
Preferred Languages<= 2.2.2Cross-Site Scripting (XSS)no patch available
WP Back Button<= 1.1.3Cross-Site Scripting (XSS)no patch available
Site Favicon<= 0.2Cross-Site Scripting (XSS)update to version 0.3
Post SMTP Mailer/Email Log<= 2.9.3Authenticated SQL injectionupdate to version 2.9.4
Just Writing Statistics<= 4.5Cross-Site Scripting (XSS)update to version 4.6
Safety Exit<= 1.7.0Cross-Site Scripting (XSS)update to version 1.7.1
Simple Spoiler<= 1.2Cross-Site Scripting (XSS)no patch available
ActiveDEMAND<= 0.2.43Cross Site Request Forgery (CSRF)no patch available
Church Admin<= 4.3.6Server Side Request Forgery (SSRF)update to version 4.4.0
Uploadcare File Uploader and Adaptive Delivery<= 3.0.11Cross Site Request Forgery (CSRF)no patch available
YITH WooCommerce Wishlist<= 3.32.0Cross-Site Scripting (XSS)update to version 3.33.0
Ninja Tables<= 5.0.9Server Side Request Forgery (SSRF)update to version 5.0.10
Blooksy Companion<= 2.0.42Server Side Request Forgery (SSRF)update to version 2.0.43
Simple Like Page<= 1.5.2Authenticated (Contributor+) Stored XSSupdate to version 1.5.3
Gum Elementor Addon<= 1.3.4Authenticated (Contributor+) Stored XSSupdate to version 1.3.5
Comparison Slider<= 1.0.5Authenticated (Subscriber+) Stored XSSno patch available
Missing Authorizationno patch available
Cross Site Request Forgery (CSRF)no patch available
StopBadBots<= 10.24Missing Authorization to Information Exposureno patch available
Remote Content Shortcode<= 1.5Authenticated (Contributor+) Stored XSSno patch available
Essential Addons for Elementor<= 5.9.21Authenticated (Contributor+) Stored XSSupdate to version 5.9.22
PowerPack Addons for Elementor<= 2.7.19Authenticated (Contributor+) DOM based Stored XSSupdate to version 2.7.20
The Plus Addons for Elementor Pro<= 5.5.4Authenticated (Contributor+) Stored XSSupdate to version 5.5.5
Yumpu ePaper Publishing<= 2.0.24Missing Authorization to Upload, Publishing and API Modifyno patch available
AffiEasy<= 1.1.7Cross Site Request Forgery (CSRF)no patch available
WP To Do<= 1.3.0Authenticated (Admin+) Stored XSSno patch available
Multiple CSRFno patch available
List categories<= 0.4Authenticated (Contributor+) Stored XSSno patch available
Unlimited elements for Elementor<= 1.5.107Authenticated (Contributor+) Stored XSSupdate to version 1.5.108
<= 1.5.89Authenticated (Contributor+) Remote Code Execution (RCE)update to version >= 1.5.91
Testimonial Carousel for Elementor<= 10.2.1Authenticated (Contributor+) Stored XSSno patch available
PostX - Guttenberg Blocks for Post Grid<= 4.1.1Authenticated (Author+) Stored XSSupdate to version 4.1.2
Download Monitor<= 4.9.13Missing Authorizationupdate to version 4.9.14
Playlist for Youtube<= 1.32Authenticated (Editor+) Stored XSSno patch available
Gianism<= 5.1.0Authenticated (Admin+) Stored XSSno patch available
Site Reviews< 7.0.0IP Spoofingupdate to version 7.0.0
HUSKY<= (Contributor+) Stored XSSupdate to version 1.3.6
WP STAGING - Backup Duplicator and Migrator<= 3.4.3Authenticated (Admin+) Arbitrary File Uploadupdate to version 3.5.0
Essential Addons for Elementor Pro<= 5.8.14Authenticated (Contributor+) Stored XSSupdate to version 5.8.15
Fetch JFT<= 1.8.3Authenticated (Admin+) Stored XSSupdate to version 1.8.4
App Presser<= 4.3.2Authentication Bypassupdate to version 4.4.0
WpTravelly<= 1.7.1Missing Authorizationupdate to version 1.7.2
Swiss Toolkit for WP<= 1.0.7Authenticated (Contributor+) Authentication Bypassupdate to version 1.0.8
Login with phone number<= 1.7.26Authentication Bypassupdate to version 1.7.27
Slider Revolution< 6.7.11Cross Site Scripting (XSS)update to version 6.7.11
< 6.7.0Unauthenticated Broken Access Controlupdate to version > 6.7.0
Integration for CF7 and Constant Contact<= 1.1.5Cross Site Request Forgery (CSRF)no patch available
FW Flowplayer Video Player<= Site Scripting (XSS)update to version
WP TripAdvisor Review Slider<= 12.6SQL Injectionupdate to version 12.7
Woocommerce Recent Purchases<= 1.0.1Unauthenticated Remote File Inclusionno patch available
Easy Digital Downloads - Recent Purchases<= 1.0.2Remote File Inclusionno patch available
KKProgressBar2 Free<= Bar Deletion via CSRFno patch available
Stored XSS via CSRFno patch available
Authenticated (Admin+) SQL Injectionno patch available
Business Card<= 1.0.0Multiple CSRFno patch available
Ditty< 3.1.36Authenticated (Author+) Stored XSSupdate to version 3.1.36
Photo Gallery by 10Web<= 1.8.23Broken Access Controlno patch available
OptinMonster<= 2.16.1Authenticated (Contributor+) Stored XSSupdate to version 2.16.2
Web Directory Free< 1.7.0Unauthenticated SQL Injectionupdate to version 1.7.0
Not open for further replies.
AdBlock Detected

We get it, advertisements are annoying!

However in order to keep our huge array of resources free of charge we need to generate income from ads so to use the site you will need to turn off your adblocker.

If you'd like to have an ad free experience you can become a Babiato Lover by donating as little as $5 per month. Click on the Donate menu tab for more info.

I've Disabled AdBlock