Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024)

🎉 Did you know we’re running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!

Last week, there were 95 vulnerabilities disclosed in 65 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and 33 Vulnerability Researchers contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, utilize the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WAF-RULE-675 – data redacted while we work with the vendor on a patch.
WAF-RULE-676 – data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Unpatched | 13
Patched | 82

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Low Severity | 2
Medium Severity | 82
High Severity | 7
Critical Severity | 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 30
Cross-Site Request Forgery (CSRF) | 21
Missing Authorization | 18
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 5
Information Exposure | 3
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3
Deserialization of Untrusted Data | 2
Authorization Bypass Through User-Controlled Key | 2
Improper Access Control | 2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1
Uncontrolled Resource Consumption (‘Resource Exhaustion’) | 1
Server-Side Request Forgery (SSRF) | 1
Insecure Storage of Sensitive Information | 1
Incorrect Authorization | 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1
Improper Authorization | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Francesco Carlucci | 24
Lucio Sá | 10
Dhabaleshwar Das | 7
Webbernaut | 6
Dimas Maulana | 3
Ngô Thiên An (ancorn_) | 3
Krzysztof Zając | 3
beluga | 2
Sh | 2
Rhynorater | 2
kodaichodai | 2
Kyle Sanchez | 2
Felipe Restrepo Rodriguez (pfelilpe) | 2
István Márton (Wordfence Vulnerability Researcher) | 2
Rafie Muhammad | 2
Sean Murphy | 2
stealthcopter | 2
hir0ot | 1
Dave Jong | 1
Le Ngoc Anh | 1
villu164 | 1
Colin Xu | 1
Christian Angel | 1
LVT-tholv2k | 1
wesley (wcraft) | 1
Dmitrii Ignatyev | 1
Abu Hurayra (HurayraIIT) | 1
Muhammad Hassham Nagori | 1
Abdi Pranata | 1
Skalucy | 1
Pham Ho Anh Dung | 1
Savphill | 1
Scott Kingsley Clark | 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
3D Tag Cloud | cardoza-3d-tag-cloud
AMP for WP – Accelerated Mobile Pages | accelerated-mobile-pages
Admin Menu Editor | admin-menu-editor
Advanced Forms for ACF | advanced-forms
All 404 Pages Redirect to Homepage | all-404-pages-redirect-to-homepage
All-In-One Security (AIOS) – Security and Firewall | all-in-one-wp-security-and-firewall
Apollo13 Framework Extensions | apollo13-framework-extensions
Awesome Support – WordPress HelpDesk & Support Plugin | awesome-support
Backuply – Backup, Restore, Migrate and Clone | backuply
Basic Log Viewer | wpsimpletools-log-viewer
Before After Image Slider WP | before-after-image-slider
Buttons Shortcode and Widget | buttons-shortcode-and-widget
Contact Form 7 Connector | ari-cf7-connector
Content Cards | content-cards
Coupon Referral Program | coupon-referral-program
Custom Twitter Feeds – A Tweets Widget or X Feed Widget | custom-twitter-feeds
Customer Reviews for WooCommerce | customer-reviews-woocommerce
Elementor Addon Elements | addon-elements-for-elementor-page-builder
Elementor Addons by Livemesh | addons-for-elementor
Elementor Website Builder – More than Just a Page Builder | elementor
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin | wp-event-solution
Honeypot for WP Comment | honeypot-for-wp-comment
ImageRecycle pdf & image compression | imagerecycle-pdf-image-compression
InfiniteWP Client | iwp-client
Insert PHP Code Snippet | insert-php-code-snippet
Internal Link Juicer: SEO Auto Linker for WordPress | internal-links
Link Library | link-library
Login Lockdown – Protect Login Form | login-lockdown
Matomo Analytics – Ethical Stats. Powerful Insights. | matomo
Meta Box – WordPress Custom Fields Framework | meta-box
Minimal Coming Soon – Coming Soon Page | minimal-coming-soon-maintenance-mode
My Calendar | my-calendar
NextMove Lite – Thank You Page for WooCommerce | woo-thank-you-page-nextmove-lite
PPWP – Password Protect Pages | password-protect-page
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro
Passster – Password Protect Pages and Content | content-protector
Payment Forms for Paystack | payment-forms-for-paystack
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress | contest-gallery
Podlove Podcast Publisher | podlove-podcasting-plugin-for-wordpress
Podlove Subscribe button | podlove-subscribe-button
Polls CP | cp-polls
Portugal CTT Tracking for WooCommerce | portugal-ctt-tracking-woocommerce
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | powerpack-lite-for-elementor
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider) | bdthemes-prime-slider-lite
Product Labels For Woocommerce (Sale Badges) | aco-product-labels-for-woocommerce
Quiz Maker | quiz-maker
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | feedzy-rss-feeds
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging | wp-rss-aggregator
Royal Elementor Addons and Templates | royal-elementor-addons
Shariff Wrapper | shariff
Shield Security – Smart Bot Blocking & Intrusion Prevention Security | wp-simple-firewall
Simple Page Access Restriction | simple-page-access-restriction
Starbox – the Author Box for Humans | starbox
Themify Builder | themify-builder
Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) | timeline-widget-addon-for-elementor
VK Poster Group | vk-poster-group
WP 404 Auto Redirect to Similar Post | wp-404-auto-redirect-to-similar-post
WP Booking Calendar | booking
WP Club Manager – WordPress Sports Club Plugin | wp-club-manager
WP Contact Form | wp-contact-form
WP Recipe Maker | wp-recipe-maker
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms
WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate
Wonder Slider Lite | wonderplugin-slider-lite
Woocommerce Vietnam Checkout | woo-vietnam-checkout

WordPress Themes with Reported Vulnerabilities Last Week

Software Name | Software Slug
Blocksy | blocksy
Royal Elementor Kit | royal-elementor-kit
brooklyn | brooklyn

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 18.5.9 – Unauthenticated Local File Inclusion
Affected Software: Shield Security – Smart Bot Blocking & Intrusion Prevention Security
CVE ID: CVE-2023-6989
CVSS Score: 9.8 (Critical)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/063826cc-7ff3-4869-9831-f6a4a4bbe74c

Coupon Referral Program <= 1.7.2 – Unauthenticated PHP Object Injection
Affected Software: Coupon Referral Program
CVE ID: CVE-2024-25100
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e556ca2-1b83-4589-bff8-64323eb594e7

Booking Calendar <= 9.9 – Unauthenticated SQL Injection
Affected Software: WP Booking Calendar
CVE ID: CVE-2024-1207
CVSS Score: 9.8 (Critical)
Researcher/s: Muhammad Hassham Nagori
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7802ed1f-138c-4a3d-916c-80fb4f7699b2

Honeypot for WP Comment <= 2.2.3 – Directory Traversal to Unauthenticated Arbitrary File Deletion
Affected Software: Honeypot for WP Comment
CVE ID: CVE-2024-1350
CVSS Score: 9.1 (Critical)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6b0bb48-eb61-4236-a03f-19d5d2084a75

Elementor <= 3.19.0 – Authenticated (Contributor+) Arbitrary File Deletion and PHAR Deserialization
Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2024-24934
CVSS Score: 8.8 (High)
Researcher/s: Rhynorater
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4915b769-9499-40ac-835e-279e3a910558

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Authenticated (Subscriber+) SQL Injection
Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2024-0594
CVSS Score: 8.8 (High)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8494a0f6-7079-4fba-9901-76932b002c5a

WP Recipe Maker <= 9.1.2 – Missing Authorization to Authenticated (Subscriber+) SQL Injection
Affected Software: WP Recipe Maker
CVE ID: CVE-2024-1206
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b10d8f8a-517f-4286-b501-0ca040529362

RSS Aggregator by Feedzy <= 4.4.2 – Authenticated (Contributor+) SQL Injection
Affected Software: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
CVE ID: CVE-2024-1317
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf57aeaa-e37e-4b22-aeaa-f0a9f4877484

Podlove Subscribe button <= 1.3.10 – Authenticated (Contributor+) SQL Injection
Affected Software: Podlove Subscribe button
CVE ID: CVE-2024-1118
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f234f05f-e377-4e89-81e1-f47ff44eebc5

Backuply – Backup, Restore, Migrate and Clone <= 1.2.5 – Denial of Service
Affected Software: Backuply – Backup, Restore, Migrate and Clone
CVE ID: CVE-2024-0842
CVSS Score: 7.5 (High)
Researcher/s: villu164
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f955d88-ab4c-4cf4-a23b-91119d412716

Brooklyn <= 4.9.7.6 – PHP Object Injection
Affected Software: brooklyn
CVE ID: CVE-2024-24926
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5dd962a5-ec0e-415f-8efa-91e78bb80d16

NextMove Lite <= 2.17.0 – Missing Authorization to Authenticated (Subscriber+) Plugin Activation
Affected Software: NextMove Lite – Thank You Page for WooCommerce
CVE ID: CVE-2024-25092
CVSS Score: 6.5 (Medium)
Researcher/s: beluga
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b04ab77-880b-423a-bba6-59822f0463bc

RSS Aggregator by Feedzy <= 4.4.2 – Missing Authorization to Arbitrary Page Creation and Publication
Affected Software: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
CVE ID: CVE-2024-1318
CVSS Score: 6.5 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/181edcec-a57d-4516-935d-6777d2de77ae

AMP for WP <= 1.0.93.1 – Authenticated (Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data
Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2024-1043
CVSS Score: 6.5 (Medium)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ffb70e82-355b-48f3-92d0-19659ed2550e

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2024-0792
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d8c043c-e347-4dc8-8a72-943a7e6c4394

Starbox <= 3.4.8 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings
Affected Software: Starbox – the Author Box for Humans
CVE ID: CVE-2023-6806
CVSS Score: 6.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f413fc2-8543-4478-987d-d983581027bf

Royal Elementor Addons and Templates <= 1.3.87 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0442
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/256b4818-290b-4660-8e83-c18b068a8959

Meta Box – WordPress Custom Fields Framework <= 5.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Meta Box – WordPress Custom Fields Framework
CVE ID: CVE-2023-6526
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a6bfc87-6135-4d49-baa2-e8e6291148dc

Apollo13 Framework Extensions <= 1.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Apollo13 Framework Extensions
CVE ID: CVE-2024-24880
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33386b7b-fae3-42a4-96d3-df3cdc342317

Content Cards <= 0.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Content Cards
CVE ID: CVE-2024-24928
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e7d10ab-2525-407b-b814-ef7d884d5287

Elementor Website Builder – More than Just a Page Builder <= 3.18.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via get_image_alt
Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2024-0506
CVSS Score: 6.4 (Medium)
Researcher/s: wesley (wcraft)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4473d3f6-e324-40f5-b92b-167f76b17332

Elementor Addon Elements <= 1.12.11 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Elementor Addon Elements
CVE ID: CVE-2024-0834
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ebb5654-ba3e-4f18-8720-a6595a771964

Elementor Addons by Livemesh <= 8.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Elementor Addons by Livemesh
CVE ID: CVE-2024-1235
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70bda4b7-e442-4956-b3cb-8df96043bcde

Payment Forms for Paystack <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Payment Forms for Paystack
CVE ID: CVE-2023-5665
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98f80608-f24f-4019-a757-de71cba9902f

Before After Image Slider WP <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Before After Image Slider WP
CVE ID: CVE-2024-24931
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af76e32b-ba7d-4eaa-97c8-ed6a25e8f387

My Calendar <= 3.4.23 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: My Calendar
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d039ba8f-0452-4c14-a655-7f6880c1f1b4

Buttons Shortcode and Widget <= 1.16 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Buttons Shortcode and Widget
CVE ID: CVE-2024-24930
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea6e0856-ba3d-4fa1-ac90-45a51ff994ef

VK Poster Group <= 2.0.3 – Reflected Cross-Site Scripting via vkp_repost
Affected Software: VK Poster Group
CVE ID: CVE-2024-24932
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14f030bd-8d8d-4152-817d-d72c9b7a0152

Matomo <= 4.15.3 – Reflected Cross-Site Scripting via idsite
Affected Software: Matomo Analytics – Ethical Stats. Powerful Insights.
CVE ID: CVE-2023-6923
CVSS Score: 6.1 (Medium)
Researcher/s: Felipe Restrepo Rodriguez (pfelilpe)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e2d54eb-c176-49c4-a4fc-833e17189cad

WP SMS <= 6.5.2 – Reflected Cross-Site Scripting via ‘page’
Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE-2024-24881
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31f7dc1e-2008-4672-85ba-56fa35f4f0e1

WP 404 Auto Redirect to Similar Post <= 1.0.3 – Reflected Cross-Site Scripting via request
Affected Software: WP 404 Auto Redirect to Similar Post
CVE ID: CVE-2024-0509
CVSS Score: 6.1 (Medium)
Researcher/s: kodaichodai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6eef5549-3f89-4d6f-8c4e-6e4ee6082042

Wonder Slider Lite <= 13.9 – Reflected Cross-Site Scripting via ‘page’
Affected Software: Wonder Slider Lite
CVE ID: CVE-2024-24877
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/712d2d8b-2103-4262-807e-bb26cabb771c

Brooklyn <= 4.9.7.6 – Reflected Cross-Site Scripting
Affected Software: brooklyn
CVE ID: CVE-2024-24927
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/724d8382-cef3-4584-a255-c2ecc7c986b3

Link Library <= 7.5.13 – Reflected Cross-Site Scripting via ‘link_price’ and ‘link_tags’
Affected Software: Link Library
CVE ID: CVE-2024-24879
CVSS Score: 6.1 (Medium)
Researcher/s: beluga
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d5f9d2e-6719-4ce7-bbdd-afaf437bd080

Portugal CTT Tracking for WooCommerce <= 2.1 – Reflected Cross-Site Scripting
Affected Software: Portugal CTT Tracking for WooCommerce
CVE ID: CVE-2024-24878
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a69e6ca8-efd6-4b89-ae63-b320f9936842

All-In-One Security (AIOS) – Security and Firewall <= 5.2.5 – Reflected Cross-Site Scripting
Affected Software: All-In-One Security (AIOS) – Security and Firewall
CVE ID: CVE-2024-1037
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b50772e5-5142-4f50-b5c0-6116a8821cba

Honeypot for WP Comment <= 2.2.3 – Reflected Cross-Site Scripting via page
Affected Software: Honeypot for WP Comment
CVE ID: CVE-2024-24933
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1441e68-5c41-4c90-ba99-1656af87a29d

All 404 Pages Redirect to Homepage <= 1.9 – Unauthenticated Stored Cross-Site Scripting
Affected Software: All 404 Pages Redirect to Homepage
CVE ID: CVE-2024-24889
CVSS Score: 6.1 (Medium)
Researcher/s: Pham Ho Anh Dung
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de5d5ffc-e76a-4ea9-be68-9ca5f847a363

InfiniteWP Client <= 1.12.3 – Unauthenticated Sensitive Information Exposure
Affected Software: InfiniteWP Client
CVE ID: CVE-2023-6565
CVSS Score: 5.9 (Medium)
Researcher/s: Christian Angel
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fdc32a4-adf8-4174-924b-5d0b763d010c

PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.14 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
CVE ID: CVE-2024-1055
CVSS Score: 5.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/036cf299-80c2-48a8-befc-02899ab96e3c

Basic Log Viewer <= 1.0.4 – Cross-Site Request Forgery via wpst_lw_viewer
Affected Software: Basic Log Viewer
CVE ID: CVE-2024-24935
CVSS Score: 5.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18acd104-a5a5-4811-9aea-abc227a1712c

Login Lockdown – Protect Login Form <= 2.08 – Missing Authorization
Affected Software: Login Lockdown – Protect Login Form
CVE ID: CVE-2024-1340
CVSS Score: 5.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34021007-b5d3-479b-a0d4-50e301f22c9c

3D Tag Cloud <= 3.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Software: 3D Tag Cloud
CVE ID: CVE-2022-41990
CVSS Score: 5.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dfa825c-b0f7-4588-9bf8-cd186a5fc0ff

Prime Slider – Addons For Elementor <= 3.11.10 – Incorrect Authorization via bdt_duplicate_as_draft
Affected Software: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider)
CVE ID: CVE-2024-24883
CVSS Score: 5.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/691b7428-73e5-4800-85a1-19daa85aff4e

Passster – Password Protect Pages and Content <= 4.2.6.2 – Missing Authorization to Sensitive Information Exposure
Affected Software: Passster – Password Protect Pages and Content
CVE ID: CVE-2024-0616
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/00b81467-8d00-4816-895a-89d67c541c17

Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin <= 3.3.50 – Missing Authorization to Unauthenticated Events Export
Affected Software: Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
CVE ID: CVE-2024-1122
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cbdf679-1657-4249-a433-8fe0cddd94be

CP Polls <= 1.0.71 – Unauthenticated Poll Limit Bypass
Affected Software: Polls CP
CVE ID: CVE-2024-24873
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c80de83-3996-4048-8aa3-3611b002fc01

Podlove Podcast Publisher <= 4.0.11 – Missing Authorization to Settings Import
Affected Software: Podlove Podcast Publisher
CVE ID: CVE-2024-1110
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c9cf461-572c-4be8-96e6-659acf3208f3

PPWP – Password Protect Pages <= 1.8.9 – Protection Mechanism Bypass
Affected Software: PPWP – Password Protect Pages
CVE ID: CVE-2024-0620
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41299927-2ed9-4cbe-b2b0-f306dc0e4a58

Customer Reviews for WooCommerce <= 5.38.12 – Improper Authorization via submit_review
Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE-2024-1044
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4420c334-1ea4-4549-b391-150702abc2f8

Quiz Maker <= 6.5.2.4 – Missing Authorization to Unauthenticated Quiz Data Retrieval
Affected Software: Quiz Maker
CVE ID: CVE-2024-1079
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/602df370-cd5b-46dc-a653-6522aef0c62f

WP Club Manager – WordPress Sports Club Plugin <= 2.2.10 – Missing Authorization to Unauthenticated Event Permalink Update
Affected Software: WP Club Manager – WordPress Sports Club Plugin
CVE ID: CVE-2024-1177
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64c2c8c2-58f5-4b7d-b226-39ba39e887d5

Advanced Forms for ACF <= 1.9.3.2 – Missing Authorization to Unauthenticated Form Settings Export
Affected Software: Advanced Forms for ACF
CVE ID: CVE-2024-1121
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b33f2ee-3f20-4494-bdae-3f8cc3c6dc73

Podlove Podcast Publisher <= 4.0.11 – Missing Authorization to Unauthenticated Data Export
Affected Software: Podlove Podcast Publisher
CVE ID: CVE-2024-1109
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7b25b66-e9d1-448d-8367-cce4c0dec635

Royal Elementor Addons and Templates <= 1.3.87 – Missing Authorization via wpr_update_form_action_meta
Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0516
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3457b87-c860-4cf2-ac3d-2c6521b629ea

Simple Page Access Restriction <= 1.0.21 – Improper Access Control to Sensitive Information Exposure via REST API
Affected Software: Simple Page Access Restriction
CVE ID: CVE-2024-0965
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d99dc270-1b28-4e76-9346-38b2b96be01c

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Missing Authorization via editor_html()
Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2024-0596
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4358e2a-b7f6-44b6-a38a-5b27cb15e1cd

CP Polls <= 1.0.71 – Unauthenticated Content Injection
Affected Software: Polls CP
CVE ID: CVE-2024-24874
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f28d7659-9244-4da8-97e9-4539d7d874f7

Paid Memberships Pro <= 2.12.8 – Authenticated (Contributor+) User Meta Disclosure
Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Scott Kingsley Clark
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6c5e3f8-ebbd-4cc3-b9b1-3f1704e3c07a

Woocommerce Vietnam Checkout <= 2.0.7 – Authenticated (Shop manager+) Stored Cross-Site Scripting
Affected Software: Woocommerce Vietnam Checkout
CVE ID: CVE-2024-24885
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02402620-89db-448d-9028-379856735a2a

Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) <= 1.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline)
CVE ID: CVE-2024-0977
CVSS Score: 4.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03073726-58d0-45b3-b7a6-7d12dbede919

Product Labels For Woocommerce <= 1.5.3 – Authenticated (Shop manager+) Stored Cross-Site Scripting
Affected Software: Product Labels For Woocommerce (Sale Badges)
CVE ID: CVE-2024-24886
CVSS Score: 4.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24226595-6ae7-44c2-a159-5b69808273fa

Internal Link Juicer <= 2.23.4 – Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Internal Link Juicer: SEO Auto Linker for WordPress
CVE ID: CVE-2024-0657
CVSS Score: 4.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41d39fe4-b114-4612-92f6-75d6597610f7

Shariff Wrapper <= 4.6.9 – Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Shariff Wrapper
CVE ID: CVE-2024-1106
CVSS Score: 4.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ab9c383-14da-479d-9709-1ae154dae398

My Calendar <= 3.4.23 – Authenticated (Admin+) Stored Cross-Site Scripting via Events
Affected Software: My Calendar
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad98db62-4253-4fd5-90b3-c28a563c7697

Insert PHP Code Snippet <= 1.3.4 – Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Insert PHP Code Snippet
CVE ID: CVE-2024-0658
CVSS Score: 4.4 (Medium)
Researcher/s: Felipe Restrepo Rodriguez (pfelilpe)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4a6b786-d0ef-41f6-b2bf-83307ec02b91

Blocksy <= 2.0.19 – Authenticated (Editor+) Stored Cross-Site Scripting
Affected Software: Blocksy
CVE ID: CVE-2024-24871
CVSS Score: 4.4 (Medium)
Researcher/s: Savphill
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e781e1aa-7fa2-4cea-913b-4aa582ec6a4f

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in enableOptimization
Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1334
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0318ec4a-185a-405d-90f8-008ba373114b

All In One WP Security <= 5.2.6 – Cross-Site Request Forgery to IP Blocking
Affected Software: All-In-One Security (AIOS) – Security and Firewall
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05991bf2-ee61-4bf7-89df-c2f66db7caec

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in enableOptimization
Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-0983
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/175dd04d-ce06-45a0-8cfe-14498e2f9198

Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.1 – Cross-Site Request Forgery to Plugin Options Update
Affected Software: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
CVE ID: CVE-2024-0379
CVSS Score: 4.3 (Medium)
Researcher/s: Rhynorater, kodaichodai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/29e2ff11-053b-45cc-adf1-d276f1ee576e

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Plugin Data Removal in reinitialize
Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1339
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status
: Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d08e462-8297-477e-89da-47f26bd6beae ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Plugin Data Removal in reinitialize Affected Software : ImageRecycle pdf & image compression CVE ID : CVE-2024-1091 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cb8b08c-a028-48bd-acad-c00313fe06b8 Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via remove_from_wishlist Affected Software : Royal Elementor Addons and Templates CVE ID : CVE-2024-0513 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d3516e7-cce4-4def-be38-d16be3110d59 Admin Menu Editor <= 1.12 – Cross-Site Request Forgery via ajax_hide_hint() Affected Software : Admin Menu Editor CVE ID : CVE-2024-24876 CVSS Score : 4.3 (Medium) Researcher/s : Dhabaleshwar Das Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53fa9be4-a2b3-458c-af6e-d3ada639a622 ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in stopOptimizeAll Affected Software : ImageRecycle pdf & image compression CVE ID : CVE-2024-1338 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e3dd131-dbd8-431c-96f4-4ab2c3be4dbd Royal Elementor Kit <= 1.0.116 – Missing Authorization to Arbitrary Transient Update Affected Software : Royal Elementor Kit CVE ID : CVE-2024-0835 CVSS Score : 4.3 (Medium) Researcher/s : Sean Murphy Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/603b6c52-48eb-4e8c-a2c1-77b12a2b1a2c Themify Builder <= 7.0.5 – Cross-Site Request 
Forgery Affected Software : Themify Builder CVE ID : CVE-2024-24872 CVSS Score : 4.3 (Medium) Researcher/s : Dhabaleshwar Das Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6840c91f-a5d9-4940-8a08-d62acc5d43eb Quiz Maker <= 6.5.2.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification Affected Software : Quiz Maker CVE ID : CVE-2024-1078 CVSS Score : 4.3 (Medium) Researcher/s : Lucio Sá Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67 ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in optimizeAllOn Affected Software : ImageRecycle pdf & image compression CVE ID : CVE-2024-1089 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ff16906-2516-4b3c-8217-e3fb24924e27 Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via remove_from_compare Affected Software : Royal Elementor Addons and Templates CVE ID : CVE-2024-0515 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4178271-c09e-4094-a616-5a00d28f39a3 Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via add_to_compare Affected Software : Royal Elementor Addons and Templates CVE ID : CVE-2024-0514 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0955689-43a0-442c-974b-5db5e4171f6a Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via add_to_wishlist Affected Software : Royal Elementor Addons and Templates CVE ID : CVE-2024-0512 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch 
Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2ff2954-f494-4cd7-9f29-ee0e8551e339 ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in disableOptimization Affected Software : ImageRecycle pdf & image compression CVE ID : CVE-2024-1335 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3900e4f-4ae4-4026-89df-b63bd869a763 Contact Form 7 Connector <= 1.2.2 – Cross-Site Request Forgery Affected Software : Contact Form 7 Connector CVE ID : CVE-2024-24884 CVSS Score : 4.3 (Medium) Researcher/s : Dhabaleshwar Das Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b74a5a4c-250a-46bc-bf08-2dd720de41ae Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Missing Authorization via wpas_get_users() Affected Software : Awesome Support – WordPress HelpDesk & Support Plugin CVE ID : CVE-2024-0595 CVSS Score : 4.3 (Medium) Researcher/s : Krzysztof Zając Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfb77432-e58d-466e-a366-8b8d7f1b6982 WP Contact Form <= 1.6 – Cross-Site Request Forgery via wpcf_adminpage Affected Software : WP Contact Form CVE ID : CVE-2024-24929 CVSS Score : 4.3 (Medium) Researcher/s : Skalucy Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5decbb3-05a0-403f-918a-9b516df85778 ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in optimizeAllOn Affected Software : ImageRecycle pdf & image compression CVE ID : CVE-2024-1336 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca4cf299-9dee-4ebf-83f3-4c3471bd9fb0 ImageRecycle pdf & image compression <= 
3.1.13 – Missing Authorization to Settings Update in disableOptimization Affected Software : ImageRecycle pdf & image compression CVE ID : CVE-2024-0984 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc9dd55d-3c37-4f24-81a1-fdc8ca284566 Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via wpr_update_form_action_meta Affected Software : Royal Elementor Addons and Templates CVE ID : CVE-2024-0511 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc8bef03-51e0-4448-bddd-85300104e875 Contest Gallery <= 21.2.8.4 – Cross-Site Request Forgery Affected Software : Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress CVE ID : CVE-2024-24887 CVSS Score : 4.3 (Medium) Researcher/s : Dhabaleshwar Das Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4ed8c6e-5f80-4360-9478-fff49b1fee94 ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in stopOptimizeAll Affected Software : ImageRecycle pdf & image compression CVE ID : CVE-2024-1090 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3fae909-5564-4e0a-9114-edd0e45865e5 Link Library <= 7.5.13 – Cross-Site Request Forgery via action_admin_init Affected Software : Link Library CVE ID : CVE-2024-24875 CVSS Score : 4.3 (Medium) Researcher/s : Dhabaleshwar Das Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fefe4499-8b03-4c07-b248-ae0ae5153b4f WP RSS Aggregator <= 4.23.5 – Authenticated (Admin+) Server-Side Request Forgery via RSS Feed Source Affected Software : RSS Aggregator – RSS Import, 
News Feeds, Feed to Post, and Autoblogging CVE ID : CVE-2024-0628 CVSS Score : 3.8 (Low) Researcher/s : Colin Xu Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2154383e-eabb-4964-8991-423dd68d5efb Minimal Coming Soon – Coming Soon Page <= 2.37 – Unauthenticated Maintenance Mode Bypass Affected Software : Minimal Coming Soon – Coming Soon Page CVE ID : CVE-2024-1075 CVSS Score : 3.7 (Low) Researcher/s : Lucio Sá Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07 As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.