Wordfence Intelligence Weekly WordPress Vulnerability Report (January 29, 2024 to February 4, 2024)

🎉 Did you know we’re running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!

Last week, there were 122 vulnerabilities disclosed in 110 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 52 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

- SlimStat Analytics <= 5.1.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting
- WAF-RULE-670 – data redacted while we work with the developer on a patch.
- WAF-RULE-671 – data redacted while we work with the developer on a patch.
- WAF-RULE-672 – data redacted while we work with the developer on a patch.
- WAF-RULE-674 – data redacted while we work with the developer on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week

Patch Status / Number of Vulnerabilities
Unpatched: 32
Patched: 90

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating / Number of Vulnerabilities
Low Severity: 1
Medium Severity: 104
High Severity: 12
Critical Severity: 5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE / Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’): 34
Missing Authorization: 29
Cross-Site Request Forgery (CSRF): 24
Information Exposure: 9
Deserialization of Untrusted Data: 5
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): 4
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’): 3
Improper Authorization: 3
Improper Access Control: 3
Unrestricted Upload of File with Dangerous Type: 2
Authentication Bypass by Spoofing: 1
Improper Input Validation: 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’): 1
Server-Side Request Forgery (SSRF): 1
URL Redirection to Untrusted Site (‘Open Redirect’): 1
Client-Side Enforcement of Server-Side Security: 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name / Number of Vulnerabilities
Francesco Carlucci: 12
Yudistira Arya: 8
Ngô Thiên An (ancorn_): 7
Nguyen Xuan Chien: 7
Abdi Pranata: 6
Dmitrii Ignatyev: 5
Mika: 5
Lucio Sá: 4
Abu Hurayra (HurayraIIT): 4
emad: 3
Webbernaut: 3
Karl Emil Nikka: 3
Dhabaleshwar Das: 3
Huynh Tien Si: 2
resecured.io: 2
Krzysztof Zając: 2
Dave Jong: 2
Muhammad Daffa: 2
Akbar Kustirama: 2
Revan Arifio: 1
Joshua Martinelle: 1
Dimas Maulana: 1
István Márton (Wordfence Vulnerability Researcher): 1
Yuhang Liu: 1
Sean Murphy: 1
Le Ngoc Anh: 1
Skalucy: 1
Bob Matyas: 1
Steven Julian: 1
wpdabh: 1
Vulzap: 1
stealthcopter: 1
Nathaniel Oh (0x4n3): 1
Jeongwoo-Lee (Roronoa): 1
0x9567b: 1
Elliot: 1
Friday: 1
isacaya: 1
LVT-tholv2k: 1
thiennv: 1
Joshua Chan: 1
Faizal Abroni: 1
Marc-Alexandre Montpas: 1
Savphill: 1
Sh: 1
Richard Telleng (stueotue): 1
Debangshu Kundu: 1
Arpeet Rathi: 1
kauenavarro: 1
Daniel Ruf: 1
Rob Stevens: 1
Rafie Muhammad: 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name (Software Slug)
A no-code page builder for beautiful performance-based content (setka-editor)
ACF Photo Gallery Field (navz-photo-gallery)
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup (armember-membership)
Accessibility (accessibility)
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store (profit-products-tables-for-woocommerce)
Add Customer for WooCommerce (add-customer-for-woocommerce)
Advanced iFrame (advanced-iframe)
Affiliates Manager (affiliates-manager)
Anonymous Restricted Content (anonymous-restricted-content)
Auto Listings – Car Listings & Car Dealership Plugin for WordPress (auto-listings)
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net (woo-bulk-editor)
Beds24 Online Booking (beds24-online-booking)
Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo (biteship)
BizPrint – Print WooCommerce Order Receipts, Invoices, Labels & More. (print-google-cloud-print-gcp-woocommerce)
Booking Calendar | Appointment Booking | BookIt (bookit)
CC BMI Calculator (cc-bmi-calculator)
CP Media Player – Audio Player and Video Player (audio-and-video-player)
Calculated Fields Form (calculated-fields-form)
CalculatorPro Calculators (calculatorpro-calculators)
Chartify – WordPress Chart Plugin (chart-builder)
Cincopa video and media plug-in (video-playlist-and-gallery-plugin)
Click To Tweet (click-to-tweet)
Cookie Information | Free GDPR Consent Solution (wp-gdpr-compliance)
Custom Order Numbers for WooCommerce (custom-order-numbers-for-woocommerce)
Custom Order Status for WooCommerce (custom-order-statuses-woocommerce)
Database for Contact Form 7, WPforms, Elementor forms (contact-form-entries)
Debug (debug)
Don’t Muck My Markup (dont-muck-my-markup)
ERE Recently Viewed – Essential Real Estate Add-On (ere-recently-viewed)
Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) (easy-digital-downloads)
Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) (bdthemes-element-pack-lite)
Email Before Download (email-before-download)
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders (essential-addons-for-elementor-lite)
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin (mage-eventpress)
EventON Pro (eventon)
EventPrime – Events Calendar, Bookings and Tickets (eventprime-event-calendar-management)
FG Drupal to WordPress (fg-drupal-to-wp)
FG Joomla to WordPress (fg-joomla-to-wordpress)
FG PrestaShop to WooCommerce (fg-prestashop-to-woocommerce)
Fatal Error Notify (fatal-error-notify)
Feed Them Social – Page, Post, Video, and Photo Galleries (feed-them-social)
Five Star Restaurant Reviews (good-reviews-wp)
Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms (happyforms)
GDPR Data Request Form (gdpr-data-request-form)
Happy Addons for Elementor (happy-elementor-addons)
Heateor Social Login WordPress (heateor-social-login)
Html5 Video Player (UNKNOWN-CVE-2023-6485-1)
Icons Font Loader (icons-font-loader)
Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels (instant-images)
JTRT Responsive Tables (jtrt-responsive-tables)
JetBackup – WP Backup, Migrate & Restore (backup)
Kikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerce (map-location-picker-at-checkout-for-woocommerce)
Knowledge Base for Documentation, FAQs with AI Assistance (echo-knowledge-base)
LearnDash LMS (sfwd-lms)
Load More Anything (ajax-load-more-anything)
MW WP Form (mw-wp-form)
MapPress Maps for WordPress (mappress-google-maps-for-wordpress)
Mighty Addons for Elementor (mighty-addons)
MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution (dc-woocommerce-multi-vendor)
NEX-Forms – Ultimate Form Builder – Contact forms and much more (nex-forms-express-wp-form-builder)
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress (ninja-forms)
OWL Carousel – WordPress Owl Carousel Slider (lgx-owl-carousel)
Orbit Fox by ThemeIsle (themeisle-companion)
Order Delivery Date for WP e-Commerce (order-delivery-date)
PDF Flipbook, 3D Flipbook – DearFlip (3d-flipbook-dflip-lite)
PT Sign Ups – Beautiful volunteer sign ups and management made easy (ptoffice-sign-ups)
Page Builder: Pagelayer – Drag and Drop website builder (pagelayer)
Page Restrict (pagerestrict)
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (wp-user-avatar)
Persian Fonts (persian-fonts)
PilotPress (pilotpress)
Popup More Popups, Lightboxes, and more popup modules (popup-more)
PopupAlly (popupally)
Post Thumbnail Editor (post-thumbnail-editor)
PowerPack Pro for Elementor (powerpack-elements)
Premium Addons for Elementor (premium-addons-for-elementor)
ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks (product-blocks)
Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic (shareaholic)
PropertyHive (propertyhive)
Quicksand Post Filter jQuery Plugin (quicksand-jquery-post-filter)
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator (feedzy-rss-feeds)
Relevanssi – A Better Search (Pro) (relevanssi-premium)
Restrict Usernames Emails Characters (restrict-usernames-emails-characters)
SEO Plugin by Squirrly SEO (squirrly-seo)
SP Project & Document Manager (sp-client-document-manager)
Scheduling Plugin – Online Booking for WordPress (calendar-booking)
Scroll Triggered Box (dreamgrow-scroll-triggered-box)
SiteOrigin Widgets Bundle (so-widgets-bundle)
SlimStat Analytics (wp-slimstat)
Starbox – the Author Box for Humans (starbox)
Structured Content (JSON-LD) #wpsc (structured-content)
TablePress – Tables in WordPress made easy (tablepress)
The Plus Addons for Elementor (the-plus-addons-for-elementor-page-builder)
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid (boldgrid-backup)
Ultra Companion – Companion plugin for WPoperation Themes (ultra-companion)
User Activity Tracking and Log (user-activity-tracking-and-log)
UserPro – Community and User Profile WordPress Plugin (userpro)
W3SPEEDSTER (w3speedster-wp)
WOLF – WordPress Posts Bulk Editor and Manager Professional (bulk-editor)
WP Dummy Content Generator (wp-dummy-content-generator)
WP Hotel Booking (wp-hotel-booking)
WP STAGING WordPress Backup Plugin – Migration Backup Restore (wp-staging)
WP Visitor Statistics (Real Time Traffic) (wp-stats-manager)
WP-CFM (wp-cfm)
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode (coming-soon)
WooCommerce Box Office (woocommerce-box-office)
WooCommerce Conversion Tracking (woocommerce-conversion-tracking)
Woostify Sites Library (woostify-sites-library)
WordPress Review & Structure Data Schema Plugin – Review Schema (review-schema)
WordPress Toolbar (wordpress-toolbar)

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Knowledge Base for Documentation, FAQs with AI Assistance <= 11.30.2 – Unauthenticated PHP Object Injection in is_article_recently_viewed
Affected Software: Knowledge Base for Documentation, FAQs with AI Assistance
CVE ID: CVE-2024-24842
CVSS Score: 9.8 (Critical)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41cfe1d7-2fab-413c-80e5-40d77133d229

ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks <= 3.1.4 – PHP Object Injection via wopb_wishlist and wopb_compare
Affected Software: ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks
CVE ID: CVE-2024-23512
CVSS Score: 9.8 (Critical)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/470285d6-b309-409c-b2c3-8766a0cf9e98

ERE Recently Viewed <= 1.3 – Unauthenticated PHP Object Injection
Affected Software: ERE Recently Viewed – Essential Real Estate Add-On
CVE ID: CVE-2024-24797
CVSS Score: 9.8 (Critical)
Researcher/s: Yudistira Arya
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7332fe2e-9bef-42b7-946e-4a2ee812ca26

JetBackup <= 2.0.9.7 – Sensitive Information Exposure via Directory Listing
Affected Software: JetBackup – WP Backup, Migrate & Restore
CVE ID: CVE-2023-7165
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd978ac0-42f2-4746-9430-37458375b588

Quicksand Post Filter jQuery Plugin <= 3.1.1 – Missing Authorization via quicksand_admin_ajax
Affected Software: Quicksand Post Filter jQuery Plugin
CVE ID: CVE-2024-24850
CVSS Score: 9.1 (Critical)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c6f3b765-396f-422f-864d-a48bee8c69cb

Instant Images <= 6.1.0 – Authenticated (Author+) Arbitrary Options Update
Affected Software: Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
CVE ID: CVE-2024-0869
CVSS Score: 8.8 (High)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17941fbb-c5da-4f5c-a617-3792eb4ef395

Cookie Information | Free GDPR Consent Solution <= 2.0.22 – Authenticated (Subscriber+) Arbitrary Options Update
Affected Software: Cookie Information | Free GDPR Consent Solution
CVE ID: CVE-2023-6700
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/42a4ef37-c842-4925-b06a-3e6423337567

Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently <= 4.1.1 – Authenticated (Contributor+) PHP Object Injection in mep_event_meta_save
Affected Software: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin
CVE ID: CVE-2024-24796
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50812a8b-7d49-41fa-ba50-47d07a4b6caa

SP Project & Document Manager <= 4.69 – Authenticated (Contributor+) SQL Injection via Shortcode
Affected Software: SP Project & Document Manager
CVE ID: CVE-2024-24868
CVSS Score: 8.8 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fcdeba37-ba65-400d-9c07-36503a03e857

MultiVendorX Marketplace <= 4.1.2 – Missing Authorization
Affected Software: MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution
CVE ID: CVE-2024-24703
CVSS Score: 8.6 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26e07115-efee-4db5-ba24-25a063286e90

TablePress <= 2.2.4 – Authenticated (Author+) Server Side Request Forgery (SSRF) via _get_import_files
Affected Software: TablePress – Tables in WordPress made easy
CVE ID: CVE-2024-23825
CVSS Score: 8.5 (High)
Researcher/s: isacaya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8de52b68-c273-4561-98b0-e51afd6cd47b

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.15.21 – Missing Authorization via seedprod_lite_new_lpage
Affected Software: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
CVE ID: CVE-2024-1072
CVSS Score: 8.2 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78d7920b-3e20-43c7-a522-72bac824c2cb

Woostify Sites Library
Affected Software: Woostify Sites Library
CVE ID: CVE-2023-6279
CVSS Score: 8.1 (High)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/977ab23a-06b2-4f54-a2c2-3be2316eaceb

PropertyHive <= 2.0.5 – Unauthenticated PHP Object Injection via propertyhive_currency
Affected Software: PropertyHive
CVE ID: CVE-2024-23513
CVSS Score: 8.1 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d8ee82cf-916c-41e9-82d2-f25cc7a632ae

Total Upkeep <= 1.15.8 – Improper Authorization to Unauthenticated Arbitrary File Download
Affected Software: Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid
CVE ID: CVE-2024-24869
CVSS Score: 7.5 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/159e14fc-0512-421a-8bbe-d16c0b04ddf9

PowerPack Pro for Elementor <= 2.10.6 – Missing Authorization to Settings Reset
Affected Software: PowerPack Pro for Elementor
CVE ID: CVE-2024-24844
CVSS Score: 7.5 (High)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/883e1f3c-7e47-4522-ae8c-a9a6b4160be2

Contact Form Entries <= 1.3.2 – Authenticated (Administrator+) Arbitrary File Upload
Affected Software: Database for Contact Form 7, WPforms, Elementor forms
CVE ID: CVE-2024-1069
CVSS Score: 7.2 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/120313be-9f98-4448-9f5d-a77186a6ff08

Icons Font Loader <= 1.1.4 – Authenticated (Administrator+) Arbitrary File Upload
Affected Software: Icons Font Loader
CVE ID: CVE-2024-24714
CVSS Score: 6.6 (Medium)
Researcher/s: Vulzap
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37426991-7778-4dc4-8cae-2725584fb8b8

HTML5 Video Player <= 2.5.24 – Unauthenticated SQL Injection via id
Affected Software: Html5 Video Player
CVE ID: CVE-2024-1061
CVSS Score: 6.5 (Medium)
Researcher/s: Joshua Martinelle
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0abd2533-5cb3-4568-8ad2-f2852ab3a8db

Quicksand Post Filter jQuery Plugin <= 3.1.1 – Cross-Site Request Forgery via renderAdmin
Affected Software: Quicksand Post Filter jQuery Plugin
CVE ID: CVE-2024-24849
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dd63ea6-7821-42b8-9b52-e721a8b2382d

Order Delivery Date for WP e-Commerce <= 1.2 – Unauthenticated Stored Cross-Site Scripting
Affected Software: Order Delivery Date for WP e-Commerce
CVE ID: CVE-2024-0678
CVSS Score: 6.5 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71fb90b6-a484-4a70-a9dc-795cbf2e275e

WP Hotel Booking <= 2.0.9.2 – Improper Authorization on Multiple REST API Routes
Affected Software: WP Hotel Booking
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86f15e94-6ca7-4eb2-8a38-b4add9251dab

Starbox <= 3.4.8 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Display Name and Social Settings
Affected Software: Starbox – the Author Box for Humans
CVE ID: CVE-2024-0256
CVSS Score: 6.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0eafe473-9177-47c4-aa1e-2350cb827447

Heateor Social Login <= 1.1.30 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Heateor Social Login WordPress
CVE ID: CVE-2024-24712
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a3ebfba-7523-48a4-a315-4395be2cebef

Advanced iFrame <= 2023.10 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Advanced iFrame
CVE ID: CVE-2023-7069
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e32c51d-2d96-4545-956f-64f65c54b33b

Five Star Restaurant Reviews <= 2.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Review URL
Affected Software: Five Star Restaurant Reviews
CVE ID: CVE-2024-24838
CVSS Score: 6.4 (Medium)
Researcher/s: Steven Julian
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fe44e46-dfbf-4286-889c-606280d62218

SlimStat Analytics <= 5.1.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting
Affected Software: SlimStat Analytics
CVE ID: CVE-2024-1073
CVSS Score: 6.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33cba63c-4629-48fd-850f-f68dad626a67

Ultra Companion <= 1.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Ultra Companion – Companion plugin for WPoperation Themes
CVE ID: CVE-2024-24803
CVSS Score: 6.4 (Medium)
Researcher/s: wpdabh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3639d0a6-6d9f-4f3e-bb25-85d4eb40b547

OWL Carousel <= 1.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: OWL Carousel – WordPress Owl Carousel Slider
CVE ID: CVE-2024-24801
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/511957c0-e4c3-4a50-b604-3b604d52d32f

SiteOrigin Widgets Bundle <= 1.58.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: SiteOrigin Widgets Bundle
CVE ID: CVE-2024-0961
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f7c164f-2f78-4857-94b9-077c2dea13df

Scheduling Plugin – Online Booking for WordPress <= 3.5.10 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Scheduling Plugin – Online Booking for WordPress
CVE ID: CVE-2024-23517
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71a0aa95-f2a9-4537-a8d1-d78336e36125

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.14.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
CVE ID: CVE-2024-1046
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7911c774-3fb0-4d6c-a847-101e5ad8637a

Click To Tweet <= 2.0.14 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Click To Tweet
CVE ID: CVE-2024-23514
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7eee591c-2676-479c-ab15-96da10f51ae0

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
CVE ID: CVE-2024-0954
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/875db71d-c799-40b9-95e1-74d53046b0a9

Structured Content <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Classic Editor Shortcode
Affected Software: Structured Content (JSON-LD) #wpsc
CVE ID: CVE-2024-24839
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a013106b-4e2a-4dd9-a0ab-7e6c91e715dd

Auto Listings <= 2.6.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Auto Listings – Car Listings & Car Dealership Plugin for WordPress
CVE ID: CVE-2024-24713
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1a97776-03c7-403d-b803-023647b9d0f2

Calculated Fields Form <= 1.2.52 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Calculated Fields Form
CVE ID: CVE-2024-0963
CVSS Score: 6.4 (Medium)
Researcher/s: Richard Telleng (stueotue)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d870ff8d-ea4b-4777-9892-0d9982182b9f

The Plus Addons for Elementor <= 5.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: The Plus Addons for Elementor
CVE ID: CVE-2024-23511
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e66b5c12-3acb-41f7-ae5f-8a9130053e45

CC BMI Calculator <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: CC BMI Calculator
CVE ID: CVE-2024-23516
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed0e7717-d9ac-4333-8e79-fc030a410dab

GDPR Data Request Form <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: GDPR Data Request Form
CVE ID: CVE-2024-24836
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0b8fd44-75af-4fb8-bcc1-94cb5fc9e4eb

Premium Addons for Elementor <= 4.10.16 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Premium Addons for Elementor
CVE ID: CVE-2024-24831
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7222c7e-939a-4666-9d01-f715d2827954

MapPress <= 2.88.16 – Authenticated (Contributor+) Stored Cross-Site Scripting via Map Settings
Affected Software: MapPress Maps for WordPress
CVE ID: CVE-2023-7225
CVSS Score: 6.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fce76126-0cfd-464f-b644-45d4301e958d

CalculatorPro Calculators <= 1.1.7 – Reflected Cross-Site Scripting via CP_preview_calc
Affected Software: CalculatorPro Calculators
CVE ID: CVE-2024-24847
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0de79672-f0ba-42d3-a44a-01b93801d7de

Mighty Addons for Elementor <= 1.9.3 – Reflected Cross-Site Scripting
Affected Software: Mighty Addons for Elementor
CVE ID: CVE-2024-24846
CVSS Score: 6.1 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/484d8d14-049d-4fd5-adb8-ad9942bba794

Biteship <= 2.2.24 – Reflected Cross-Site Scripting via biteship_error and biteship_message
Affected Software: Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo
CVE ID: CVE-2024-24866
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0247ba6-d193-4b7d-969d-0cd239c57faa

PT Sign Ups <= 1.0.4 – Unauthenticated Stored Cross-Site Scripting
Affected Software: PT Sign Ups – Beautiful volunteer sign ups and management made easy
CVE ID: CVE-2024-24848
CVSS Score: 6.1 (Medium)
Researcher/s: Faizal Abroni
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b751191b-35a8-4331-ac3f-f6090221c65f

EventON <= 4.4.0 – Reflected Cross-Site Scripting
Affected Software: EventON Pro
CVE ID: CVE-2023-7200
CVSS Score: 6.1 (Medium)
Researcher/s: kauenavarro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0d5b1a5-0078-402b-b834-8091bfc02dd5

PowerPack Pro for Elementor < 2.10.8 – Cross-Site Request Forgery to Plugin Settings Modification and Cross-Site Scripting
Affected Software: PowerPack Pro for Elementor
CVE ID: CVE-2024-24843
CVSS Score: 6.1 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e68bbee2-1c1a-4751-988e-dde423f8aab3

Ninja Forms Contact Form <= 3.7.1 – Unauthenticated Second Order SQL Injection
Affected Software: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CVE ID: CVE-2024-0685
CVSS Score: 5.9 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cb73d5d-ca4a-4103-866d-f7bb369a8ce4

Easy Digital Downloads <= 3.2.6 – Authenticated (Shop Manager+) Stored Cross-Site Scripting via variable pricing options
Affected Software: Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy)
CVE ID: CVE-2024-0659
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ec207cd-cae5-4950-bbc8-d28f108b4ae7

BEAR <= 1.1.4 – Authenticated (Shop manager+) Stored Cross-Site Scripting via Plugin Options
Affected Software: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
CVE ID: CVE-2024-24834
CVSS Score: 5.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32682598-ad1c-4aa1-bdf2-a7966a4d1dbe

Scroll Triggered Box <= 2.3 – Authenticated (Editor+) Stored Cross-Site Scripting
Affected Software: Scroll Triggered Box
CVE ID: CVE-2024-24865
CVSS Score: 5.5 (Medium)
Researcher/s: Savphill
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b92c3d68-2e3e-4500-8da9-f89373126445

MW WP Form <= 5.0.6 – Authenticated (Editor+) Stored Cross-Site Scripting
Affected Software: MW WP Form
CVE ID: CVE-2024-24804
CVSS Score: 5.5 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2126761-cbff-4d46-a6df-4566d15216d7

Accessibility <= 1.0.6 – Cross-Site Request Forgery
Affected Software: Accessibility
CVE ID: CVE-2024-24705
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/432effd4-5c94-4ef9-bc19-b4eacd082264

PilotPress <= 2.0.29 – Authenticated (Subscriber+) Missing Authorization via multiple AJAX functions
Affected Software: PilotPress
CVE ID: CVE-2024-23524
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a8d121d-434d-4445-874f-d3cf6b6e7233

WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.1 – Cross-Site Request Forgery
Affected Software: WOLF – WordPress Posts Bulk Editor and Manager Professional
CVE ID: CVE-2024-0790
CVSS Score: 5.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c48f94b-d193-429a-9383-628ae12bfdf3

Load More Anything <= 3.3.3 – Missing Authorization to Plugin Settings Modification
Affected Software: Load More Anything
CVE ID: CVE-2024-24704
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/797554c9-7008-451a-8e8d-3242a207347e

PDF Flipbook, 3D Flipbook – DearFlip <= 2.2.26 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: PDF Flipbook, 3D Flipbook – DearFlip
CVE ID: CVE-2024-0895
CVSS Score: 5.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92e37b28-1a17-417a-b40f-cb4bbe6ec759

Happyforms <= 1.25.10 – Missing Authorization
Affected Software: Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms
CVE ID: CVE-2024-23521
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0578c49e-f820-42dd-bd53-f4a281843e69

User Activity Tracking and Log <= 4.1.3 – IP Spoofing
Affected Software: User Activity Tracking and Log
CVE ID: CVE-2024-0970
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e2268fc-5f29-4c69-9585-81240354ae77

EventPrime <= 3.3.9 – Improper Input Validation via save_event_booking
Affected Software: EventPrime – Events Calendar, Bookings and Tickets
CVE ID: CVE-2024-24832
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17cbcf67-f10d-41bc-acf7-98e5d99b50af

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 – Missing Authorization via restore_records()
Affected Software: NEX-Forms – Ultimate Form Builder – Contact forms and much more
CVE ID: CVE-2024-0907
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4

WP Dummy Content Generator <= 3.1.2 – Missing Authorization
Affected Software: WP Dummy Content Generator
CVE ID: CVE-2024-24805
CVSS Score: 5.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b44d23c-4872-491f-8a91-b0feb888ac54
BEAR <= 1.1.4 – Missing Authorization via Several Functions Affected Software : BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net CVE ID : CVE-2024-24835 CVSS Score : 5.3 (Medium) Researcher/s : Mika Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/411b7889-c2c6-48cb-967d-091585705e17 BizPrint <= 4.5.1 – Missing Authorization in showTemplatePreview Affected Software : BizPrint – Print WooCommerce Order Receipts, Invoices, Labels & More. CVE ID : CVE Unknown CVSS Score : 5.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fc76e1c-546f-4ecd-bd3b-a6f21b2c65bf NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 – Missing Authorization via set_starred() Affected Software : NEX-Forms – Ultimate Form Builder – Contact forms and much more CVE ID : CVE-2024-1129 CVSS Score : 5.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53db0f72-3353-42bb-ad75-4c5aa32d7939 Relevanssi Pro < 2.25 – Unauthenticated Sensitive Information Exposure Affected Software : Relevanssi – A Better Search (Pro) CVE ID : CVE Unknown CVSS Score : 5.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/550872c8-3663-48fa-ab3f-f90351f3e169 Orbit Fox by ThemeIsle <= 2.10.28 – Missing Authorization Affected Software : Orbit Fox by ThemeIsle CVE ID : CVE-2024-1047 CVSS Score : 5.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d LearnDash LMS <= 4.10.1 – Sensitive Information Exposure via API Affected Software : LearnDash LMS CVE ID : CVE-2024-1210 CVSS Score : 5.3 (Medium) Researcher/s : Karl Emil Nikka Patch Status 
: Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61ca5ab6-5fe9-4313-9b0d-8736663d0e89 LearnDash LMS <= 4.10.1 – Sensitive Information Exposure via assignments Affected Software : LearnDash LMS CVE ID : CVE-2024-1209 CVSS Score : 5.3 (Medium) Researcher/s : Karl Emil Nikka Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7191955e-0db1-4ad1-878b-74f90ca59c91 PropertyHive <= 2.0.6 – Missing Authorization via activate_pro_feature Affected Software : PropertyHive CVE ID : CVE-2024-24718 CVSS Score : 5.3 (Medium) Researcher/s : Yudistira Arya Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/84d55f24-c4de-4574-b0cc-cc1b4935d281 LearnDash LMS <= 4.10.2 – Sensitive Information Exposure via API Affected Software : LearnDash LMS CVE ID : CVE-2024-1208 CVSS Score : 5.3 (Medium) Researcher/s : Karl Emil Nikka Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae735117-e68b-448e-ad41-258d1be3aebc Post Thumbnail Editor <= 2.4.8 – Sensitive Information Exposure Affected Software : Post Thumbnail Editor CVE ID : CVE-2024-24845 CVSS Score : 5.3 (Medium) Researcher/s : Joshua Chan Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b102af8f-2bc3-4548-9a90-d1280b058173 UserPro <= 5.1.6 – Disabled Membership Registration Bypass Affected Software : UserPro – Community and User Profile WordPress Plugin CVE ID : CVE-2024-0701 CVSS Score : 5.3 (Medium) Researcher/s : Rob Stevens Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea070d9c-c04c-432f-a110-47b9eaa67614 ARMember <= 4.0.24 – Improper Access Control to Sensitive Information Exposure via REST API Affected Software : ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup CVE ID : CVE-2024-0969 CVSS Score : 5.3 
(Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea4e6718-4e1e-44ce-8463-860f0d3d80f5 NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 – Missing Authorization via set_read() Affected Software : NEX-Forms – Ultimate Form Builder – Contact forms and much more CVE ID : CVE-2024-1130 CVSS Score : 5.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2c3b646-d865-4425-bc8f-00b3555a3d74 WP Visitor Statistics (Real Time Traffic) <= 6.9.4 – Sensitive Information Exposure via Log File Affected Software : WP Visitor Statistics (Real Time Traffic) CVE ID : CVE-2024-24867 CVSS Score : 5.3 (Medium) Researcher/s : Yudistira Arya Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2d69d59-390d-4f3c-96ba-487707cac7a6 Anonymous Restricted Content <= 1.6.2 – Protection Mechanism Bypass Affected Software : Anonymous Restricted Content CVE ID : CVE-2024-0909 CVSS Score : 5.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f478ff7c-7193-4c59-a84f-c7cafff9b6c0 Email Before Download <= 6.9.7 – Cross-Site Request Forgery Affected Software : Email Before Download CVE ID : CVE-2024-23519 CVSS Score : 5.3 (Medium) Researcher/s : Mika Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa918a65-0021-4c32-9f6d-d978926c3ef3 WP STAGING WordPress Backup Plugin < 3.2.0 – Sensitive Information Exposure via cache files Affected Software : WP STAGING WordPress Backup Plugin – Migration Backup Restore CVE ID : CVE-2023-7204 CVSS Score : 5.3 (Medium) Researcher/s : Dmitrii Ignatyev Patch Status : Patched Vulnerability Details: 
https://wordfence.com/threat-intel/vulnerabilities/id/fe8816d8-1687-4a3c-9f2a-23f21d679cc5 BookIt <=2.4.0 – Price Bypass Affected Software : Booking Calendar | Appointment Booking | BookIt CVE ID : CVE-2024-24715 CVSS Score : 4.9 (Medium) Researcher/s : Debangshu Kundu, Arpeet Rathi Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9938c7d-ef0d-45a2-900f-ac8bda9ce75a Popup More <= 2.2.4 – Authenticated (Admin+) Directory Traversal to Limited Local File Inclusion Affected Software : Popup More Popups, Lightboxes, and more popup modules CVE ID : CVE-2024-0844 CVSS Score : 4.7 (Medium) Researcher/s : 0x9567b Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7894a19c-b873-4c5b-8c82-6656cc306ee2 Restrict Usernames Emails Characters <= 3.1.3 – Authenticated(Administrator+) Stored Cross-Site Scripting Affected Software : Restrict Usernames Emails Characters CVE ID : CVE-2023-6165 CVSS Score : 4.4 (Medium) Researcher/s : Yuhang Liu Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12532f84-bc76-4968-a01f-f879ab41b901 Persian Fonts <= 1.6 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : Persian Fonts CVE ID : CVE-2023-7167 CVSS Score : 4.4 (Medium) Researcher/s : Bob Matyas Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a427b26-4a0d-4351-8a8b-ec5da1345ebd Chartify <= 2.0.6 – Authenticated(Administrator+) Stored Cross-Site Scripting Affected Software : Chartify – WordPress Chart Plugin CVE ID : CVE-2023-47526 CVSS Score : 4.4 (Medium) Researcher/s : Jeongwoo-Lee(Roronoa) Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49d0315e-fcb2-4232-8797-0421cf5d3cd8 SEO Plugin by Squirrly SEO <= 12.3.15 – Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings Affected Software : SEO 
Plugin by Squirrly SEO CVE ID : CVE-2024-0597 CVSS Score : 4.4 (Medium) Researcher/s : Akbar Kustirama Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a61a8d8b-f22f-4a16-95f6-6cf52cf545ad Pagelayer <= 1.7.9 – Authenticated(Administrator+) Stored Cross-Site Scripting via Header/Footer code Affected Software : Page Builder: Pagelayer – Drag and Drop website builder CVE ID : CVE-2023-5124 CVSS Score : 4.4 (Medium) Researcher/s : Marc-Alexandre Montpas Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8bd08d0-5c78-40a8-abc1-de387908df9d Add Customer for WooCommerce <= 1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Add Customer for WooCommerce CVE ID : CVE-2024-24841 CVSS Score : 4.4 (Medium) Researcher/s : Dhabaleshwar Das Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba08695e-009e-434a-9db0-06aa1dd6d57a Beds24 Online Booking <= 2.0.23 – Authenticated(Administrator+) Stored Cross-Site Scripting Affected Software : Beds24 Online Booking CVE ID : CVE-2024-24717 CVSS Score : 4.4 (Medium) Researcher/s : Dhabaleshwar Das Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca5bc2af-394b-4fc1-b6c3-ed9ff0a5959a Fatal Error Notify <= 1.5.2 – Cross-Site Request Forgery to Test Error Email Sending Affected Software : Fatal Error Notify CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Dmitrii Ignatyev Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08b75cac-7b1d-4bed-a1b7-bd1e872f2b4f Active Products Tables for WooCommerce. Professional products tables for WooCommerce store <= 1.0.6.1 – Missing Authorization Affected Software : Active Products Tables for WooCommerce. 
Professional products tables for WooCommerce store CVE ID : CVE-2024-0797 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a94841f-b1dd-44f4-b7a1-65a9fdf7b18d WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.1 – Missing Authorization Affected Software : WOLF – WordPress Posts Bulk Editor and Manager Professional CVE ID : CVE-2024-0791 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13c66a8f-b35f-4943-8880-0799b0d150f7 Element Pack Elementor Addons <= 5.4.11 – Missing Authorization via bdt_duplicate_as_draft Affected Software : Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) CVE ID : CVE-2024-24840 CVSS Score : 4.3 (Medium) Researcher/s : Abu Hurayra (HurayraIIT) Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/164a1e09-e967-450c-8938-84c18ebf267d Happy Addons for Elementor <= 3.10.1 – Missing Authorization via add_row_actions Affected Software : Happy Addons for Elementor CVE ID : CVE-2024-24833 CVSS Score : 4.3 (Medium) Researcher/s : Abu Hurayra (HurayraIIT) Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b25df18-dd9a-4b24-8187-283d5f3f334e Post Video Players <= 1.158 – Cross-Site Request Forgery via cincopa_mp_mt_options_page Affected Software : Cincopa video and media plug-in CVE ID : CVE-2024-23515 CVSS Score : 4.3 (Medium) Researcher/s : Skalucy Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/285d2b85-cdd0-4447-8cdc-b641751e4a5f Affiliates Manager <= 2.9.34 – Cross-Site Request Forgery Affected Software : Affiliates Manager CVE ID : CVE-2024-0859 CVSS Score : 4.3 (Medium) 
Researcher/s : Nathaniel Oh (0x4n3) Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/433a03c2-09fd-4ce6-843b-55ad09f4b4f7 WooCommerce Conversion Tracking <= 2.0.11 – Missing Authorization via wcct_install_happy_addons Affected Software : WooCommerce Conversion Tracking CVE ID : CVE-2024-24711 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4775ef21-01d6-4c5a-9e3e-f9b6e093fc7f BizPrint <= 4.5.1 – Cross-Site Request Forgery in Printer Management Affected Software : BizPrint – Print WooCommerce Order Receipts, Invoices, Labels & More. CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/487a131e-4911-42d6-bfd7-fc697c89552d Fatal Error Notify <= 1.5.2 – Missing Authorization to Test Error Email Sending Affected Software : Fatal Error Notify CVE ID : CVE-2023-7202 CVSS Score : 4.3 (Medium) Researcher/s : Dmitrii Ignatyev Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50499cd6-0e27-494a-892c-5ca827d4433b Active Products Tables for WooCommerce. Professional products tables for WooCommerce store <= 1.0.6.1 – Cross-Site Request Forgery Affected Software : Active Products Tables for WooCommerce. 
Professional products tables for WooCommerce store CVE ID : CVE-2024-0796 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5069fbc4-b3c4-4c0b-892c-2c83f35dc2fe Shareaholic <= 9.7.11 – Missing Authorization via accept_terms_of_service Affected Software : Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic CVE ID : CVE-2024-24709 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5cde239c-20bf-41fa-b7d6-e21b14dcbc22 Setka Editor <= 2.1.20 – Cross-Site Request Forgery via handleRequest Affected Software : A no-code page builder for beautiful performance-based content CVE ID : CVE-2024-24701 CVSS Score : 4.3 (Medium) Researcher/s : emad Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7058306f-ec20-4722-aaa1-552a75945a1e Location Picker at Checkout for WooCommerce <= 1.8.9 – Missing Authorization via checkout_map_rules_order_ajax_handler Affected Software : Kikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerce CVE ID : CVE-2024-24719 CVSS Score : 4.3 (Medium) Researcher/s : Dhabaleshwar Das Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7394be7e-9a1f-4c85-ac2d-cace39def330 FG Drupal to WordPress <= 3.67.0 – Cross-Site Request Forgery via ajax_importer Affected Software/s : FG Joomla to WordPress, FG PrestaShop to WooCommerce, FG Drupal to WordPress CVE ID : CVE-2024-24837 CVSS Score : 4.3 (Medium) Researcher/s : Friday Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dc34ff1-1b7e-4974-907a-745911df5dc8 Orbit Fox by ThemeIsle <= 2.10.29 – Cross-Site Request Forgery Affected Software : Orbit Fox by ThemeIsle CVE ID : CVE-2024-1162 CVSS Score : 4.3 
(Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88f6a24f-f14a-4d0a-be5a-f8c84910b4fc JTRT Responsive Tables <= 4.1.9 – Cross-Site Request Forgery Affected Software : JTRT Responsive Tables CVE ID : CVE-2024-24802 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89ca9214-145e-43c6-a642-7c371f635332 Page Restrict <= 2.5.5 – Cross-Site Request Forgery via pr_admin_page Affected Software : Page Restrict CVE ID : CVE-2024-24702 CVSS Score : 4.3 (Medium) Researcher/s : emad Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/956984d4-4f8b-4e20-8002-4e9809b3872c WP-CFM <= 1.7.8 – Cross-Site Request Forgery via multiple AJAX functions Affected Software : WP-CFM CVE ID : CVE-2024-24706 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9790c592-1445-4f9d-987e-ae5ab49c4dcd RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.4.1 – Missing Authorization Affected Software : RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator CVE ID : CVE-2024-1092 CVSS Score : 4.3 (Medium) Researcher/s : Muhammad Daffa Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98053141-fe97-4bd4-b820-b6cca3426109 Custom Order Numbers for WooCommerce <= 1.6.0 – Cross-Site Request Forgery to Notice Dismissal Affected Software : Custom Order Numbers for WooCommerce CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/981908d3-e1e7-4093-a2ee-69aa50127731 PopupAlly <= 2.1.0 – Cross-Site Request 
Forgery via optin_submit_callback Affected Software : PopupAlly CVE ID : CVE-2024-23520 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6bef410-8706-4440-b50f-08824ef754f6 Debug <= 1.10 – Cross-Site Request Forgery Affected Software : Debug CVE ID : CVE-2024-24798 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa7276bb-6a9b-4cbd-8333-14c4dfac4108 Custom Order Status for WooCommerce <= 2.3.0 – Cross-Site Request Forgery Affected Software : Custom Order Status for WooCommerce CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab2a4903-2c69-48da-bd4a-79b39b78806c WordPress Review & Structure Data Schema Plugin – Review Schema <= 2.1.14 – Missing Authorization to Arbitrary Review Update Affected Software : WordPress Review & Structure Data Schema Plugin – Review Schema CVE ID : CVE-2024-0836 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7039206-a25a-4aa0-87e2-be11dd1f12eb Starbox – the Author Box for Humans <= 3.4.7 – Insecure Direct Object Reference Affected Software : Starbox – the Author Box for Humans CVE ID : CVE-2024-0366 CVSS Score : 4.3 (Medium) Researcher/s : Sh Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67 CP Media Player <= 1.1.3 – Cross-Site Request Forgery to Player Deletion and Duplication Affected Software : CP Media Player – Audio Player and Video Player CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: 
https://wordfence.com/threat-intel/vulnerabilities/id/ced380a5-04a6-40c1-a731-0d3b929e4428 Don’t Muck My Markup <= 1.8 – Cross-Site Request Forgery Affected Software : Don’t Muck My Markup CVE ID : CVE-2024-23510 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1390c22-3c8d-47f1-b225-1bcbc215832a W3SPEEDSTER <= 7.19 – Cross-Site Request Forgery via launch Affected Software : W3SPEEDSTER CVE ID : CVE-2024-24708 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e358355e-097c-4a6d-a21a-3d08098efff0 WordPress Toolbar Plugin <= 2.2.6 – Open Redirect via wptbto Affected Software : WordPress Toolbar CVE ID : CVE-2023-6389 CVSS Score : 4.3 (Medium) Researcher/s : Daniel Ruf Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e88a45e5-f882-419e-b0b0-612912666693 ACF Photo Gallery Field <= 2.6 – Missing Authorization Affected Software : ACF Photo Gallery Field CVE ID : CVE-2024-23518 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f557ddf1-cee3-498c-87bc-fa81bf574591 WooCommerce Box Office <= 1.2.2 – Missing Authorization Affected Software : WooCommerce Box Office CVE ID : CVE-2024-24799 CVSS Score : 4.3 (Medium) Researcher/s : Rafie Muhammad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff2097a9-fe7a-48f3-be9c-dc0caef74262 Feed Them Social <= 4.2.0 – Cross-Site Request Forgery via review_nag_check Affected Software : Feed Them Social – Page, Post, Video, and Photo Galleries CVE ID : CVE-2024-24710 CVSS Score : 3.5 (Low) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: 
https://wordfence.com/threat-intel/vulnerabilities/id/e86152a6-cd8d-4466-bcc5-830413500e12 As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.