WordPress Vulnerability Report — February 28, 2024

In this report, 73 vulnerabilities have been publicly disclosed. Security patches are available for 48 of them (46 plugin and 2 theme vulnerabilities), so run those updates as soon as possible. If you're a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings. The remaining 25 plugin vulnerabilities have no patch available yet. If you're a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall: virtual patches from Patchstack are applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor, or the vulnerable software has been marked "closed" and dropped from the official WordPress repositories, deactivate it soon and look for an alternative. Deactivating is not enough on its own: an inactive plugin's files remain on disk and web-reachable, so delete the plugin once you have replaced it rather than leaving it installed.

WordPress Core

WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core, 16 bug fixes for the Block Editor, and two security fixes. It is recommended that you update your sites immediately. The next major release will be version 6.5, planned for March 26, 2024.
WordPress Plugins — 46 Patched / 25 Unpatched

Unpatched plugins (no fix available at the time of this report)

| Plugin | Slug | Vulnerability | Patched in Version | Severity | CVE |
|---|---|---|---|---|---|
| Addon Library | addon-library | Arbitrary File Upload | No fix | Critical | CVE-2024-1710 |
| Admin side data storage for Contact Form 7 | admin-side-data-storage-for-contact-form-7 | SQL Injection | No fix | High | CVE-2024-1776 |
| Admin side data storage for Contact Form 7 | admin-side-data-storage-for-contact-form-7 | Cross Site Request Forgery (CSRF) | No fix | Medium | CVE-2024-1777 |
| Admin side data storage for Contact Form 7 | admin-side-data-storage-for-contact-form-7 | Broken Access Control | No fix | Medium | CVE-2024-1779 |
| Admin side data storage for Contact Form 7 | admin-side-data-storage-for-contact-form-7 | Broken Access Control | No fix | Medium | CVE-2024-1778 |
| Adsmonetizer | adsensei-b30 | Cross Site Scripting (XSS) | No fix | High | CVE-2024-1437 |
| BeePress | beepress | Cross Site Request Forgery (CSRF) | No fix | High | CVE-2024-27197 |
| Configure SMTP | configure-smtp | Cross Site Scripting (XSS) | No fix | High | CVE-2024-27192 |
| Download Media | download-media | Broken Access Control | No fix | Medium | CVE-2024-27190 |
| Duitku Payment Gateway | duitku-social-payment-gateway | Broken Access Control | No fix | Medium | CVE-2024-0631 |
| Fontific \| Google Fonts | fontific | Cross Site Scripting (XSS) | No fix | High | CVE-2024-27194 |
| Gestpay for WooCommerce | gestpay-for-woocommerce | Cross Site Request Forgery (CSRF) | No fix | Medium | CVE-2024-0431 |
| Marketo Forms and Tracking | marketo-forms-and-tracking | Cross Site Scripting (XSS) | No fix | High | CVE-2020-6849 |
| Media Alt Renamer | media-alt-renamer | Cross Site Scripting (XSS) | No fix | Medium | CVE-2024-1434 |
| WooCommerce Coupon Popup, SmartBar, Slide In \| MyShopKit | myshopkit-popup-smartbar-slidein | Sensitive Data Exposure | No fix | Medium | CVE-2024-1436 |
| PayU India | payu-india | Cross Site Scripting (XSS) | No fix | High | CVE-2024-27193 |
| Play.ht | play-ht | PHP Object Injection | No fix | High | CVE-2024-1772 |
| postMash – custom post order | postmash | Cross Site Scripting (XSS) | No fix | High | CVE-2024-27196 |
| Rolo Slider | rolo-slider | Settings Change | No fix | High | CVE-2024-1438 |
| Slivery Extender | slivery-extender | Remote Code Execution (RCE) | No fix | High | CVE-2024-27191 |
| SoundCloud Shortcode | soundcloud-shortcode | Cross Site Scripting (XSS) | No fix | Medium | CVE-2024-25936 |
| Tabs Shortcode and Widget | tabs-shortcode-and-widget | Cross Site Scripting (XSS) | No fix | Medium | CVE-2024-0719 |
| Tainacan | tainacan | Sensitive Data Exposure | No fix | Medium | CVE-2024-1435 |
| User Shortcodes Plus | user-shortcodes-plus | Insecure Direct Object References (IDOR) | No fix | Medium | CVE-2023-6969 |
| Watermark RELOADED | watermark-reloaded | Cross Site Request Forgery (CSRF) | No fix | High | CVE-2024-27195 |

Patched plugins (update to at least the listed version)

| Plugin | Slug | Installations | Vulnerability | Patched in Version | Severity | CVE |
|---|---|---|---|---|---|---|
| LiteSpeed Cache | litespeed-cache | 5,000,000+ | Broken Access Control | 5.7.0.1 | High | CVE-2023-45000 |
| LiteSpeed Cache | litespeed-cache | 5,000,000+ | Cross Site Scripting (XSS) | 5.7.0.1 | High | CVE-2023-40000 |
| Premium Addons for Elementor | premium-addons-for-elementor | 700,000+ | Cross Site Scripting (XSS) | 4.10.19 | Medium | CVE-2024-1242 |
| BackWPup – WordPress Backup Plugin | backwpup | 600,000+ | Sensitive Data Exposure | 4.0.3 | Low | CVE-2023-5775 |
| Page Builder: Pagelayer – Drag and Drop website builder | pagelayer | 200,000+ | Cross Site Scripting (XSS) | 1.8.1 | Medium | CVE-2023-7115 |
| Page Builder: Pagelayer – Drag and Drop website builder | pagelayer | 200,000+ | Cross Site Scripting (XSS) | 1.8.3 | Medium | CVE-2024-1590 |
| Orbit Fox by ThemeIsle | themeisle-companion | 200,000+ | Cross Site Scripting (XSS) | 2.10.32 | Medium | CVE-2024-1323 |
| Orbit Fox by ThemeIsle | themeisle-companion | 200,000+ | Cross Site Scripting (XSS) | 2.10.31 | Medium | CVE-2024-1499 |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member | 200,000+ | SQL Injection | 2.8.3 | Critical | CVE-2024-1071 |
| User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | userfeedback-lite | 200,000+ | Cross Site Scripting (XSS) | 1.0.14 | High | CVE-2024-0903 |
| Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | wp-user-avatar | 200,000+ | Cross Site Scripting (XSS) | 4.15.1 | Medium | CVE-2024-1806 |
| Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | wp-user-avatar | 200,000+ | Cross Site Scripting (XSS) | 4.15.1 | Medium | CVE-2024-1409 |
| Elementor Addon Elements | addon-elements-for-elementor-page-builder | 100,000+ | Cross Site Scripting (XSS) | 1.13 | Medium | CVE-2024-1422 |
| Elementor Addon Elements | addon-elements-for-elementor-page-builder | 100,000+ | Cross Site Scripting (XSS) | 1.13 | Medium | CVE-2024-1393 |
| Elementor Addon Elements | addon-elements-for-elementor-page-builder | 100,000+ | Local File Inclusion | 1.13 | High | CVE-2024-1358 |
| Colibri Page Builder | colibri-page-builder | 100,000+ | Cross Site Request Forgery (CSRF) | 1.0.260 | Medium | CVE-2024-1362 |
| Colibri Page Builder | colibri-page-builder | 100,000+ | Cross Site Request Forgery (CSRF) | 1.0.260 | Medium | CVE-2024-1361 |
| Brizy – Page Builder | brizy | 80,000+ | Directory Traversal | 2.4.41 | Medium | CVE-2024-1165 |
| Brizy – Page Builder | brizy | 80,000+ | Cross Site Scripting (XSS) | 2.4.41 | Medium | CVE-2024-1296 |
| Brizy – Page Builder | brizy | 80,000+ | Arbitrary File Upload | 2.4.41 | Critical | CVE-2024-1311 |
| Brizy – Page Builder | brizy | 80,000+ | Cross Site Scripting (XSS) | 2.4.41 | Medium | CVE-2024-1291 |
| Event Tickets and Registration | event-tickets | 80,000+ | Broken Access Control | 5.8.2 | Medium | CVE-2024-1053 |
| Sydney Toolbox | sydney-toolbox | 80,000+ | Cross Site Scripting (XSS) | 1.26 | Medium | CVE-2024-1447 |
| Enhanced Text Widget | enhanced-text-widget | 50,000+ | Cross Site Scripting (XSS) | 1.6.6 | Medium | CVE-2024-0559 |
| NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor | notificationx | 30,000+ | SQL Injection | 2.8.3 | Critical | CVE-2024-1698 |
| WP Dashboard Notes | wp-dashboard-notes | 30,000+ | Insecure Direct Object References (IDOR) | 1.0.11 | Medium | CVE-2023-7198 |
| Restrict User Access – Ultimate Membership & Content Protection | restrict-user-access | 20,000+ | Sensitive Data Exposure | 2.6 | Medium | CVE-2024-0687 |
| WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce | wp-event-manager | 20,000+ | Cross Site Scripting (XSS) | 3.1.42 | High | CVE-2024-0976 |
| YML for Yandex Market | yml-for-yandex-market | 10,000+ | Cross Site Scripting (XSS) | 4.2.4 | High | CVE-2024-1365 |
| Smart Forms – when you need more than just a contact form | smart-forms | 9,000+ | Broken Access Control | 2.6.87 | Medium | CVE-2023-7203 |
| Maintenance Page | maintenance-page | 5,000+ | Broken Access Control | 1.0.9 | Medium | CVE-2024-1370 |
| Maintenance Page | maintenance-page | 5,000+ | Bypass Vulnerability | 1.0.9 | Medium | CVE-2024-1462 |
| SMS Alert Order Notifications – WooCommerce | sms-alert | 5,000+ | Cross Site Request Forgery (CSRF) | 3.7.0 | Medium | CVE-2024-1489 |
| Thank You Page Customizer for WooCommerce – Increase Your Sales | woo-thank-you-page-customizer | 5,000+ | Broken Access Control | 1.1.3 | Medium | CVE-2024-1687 |
| Thank You Page Customizer for WooCommerce – Increase Your Sales | woo-thank-you-page-customizer | 5,000+ | Broken Access Control | 1.1.3 | Medium | CVE-2024-1686 |
| Spiffy Calendar | spiffy-calendar | 3,000+ | Broken Access Control | 4.9.9 | Medium | CVE-2024-0855 |
| Academy LMS – eLearning and online course solution for WordPress | academy | 1,000+ | Privilege Escalation | 1.9.20 | High | CVE-2024-1505 |
| Archivist – Custom Archive Templates | archivist-custom-archive-templates | 1,000+ | Cross Site Scripting (XSS) | 1.7.6 | High | CVE-2024-1810 |
| Comments Extra Fields For Post, Pages and CPT | wp-comment-fields | 1,000+ | Cross Site Request Forgery (CSRF) | 5.1 | Medium | CVE-2024-0830 |
| Comments Extra Fields For Post, Pages and CPT | wp-comment-fields | 1,000+ | Broken Access Control | 5.1 | Medium | CVE-2024-0829 |
| KODO Qiniu | kodo-qiniu | 400+ | Cross Site Request Forgery (CSRF) | 1.5.1 | Medium | not listed |
| Backup | backup2 | n/a | Sensitive Data Exposure | 2.0.9.9 | High | CVE-2023-7165 |
| Elementor Pro | elementor-pro | n/a | Sensitive Data Exposure | 3.19.3 | Medium | not listed |
| JobSearch | wp-jobsearch | n/a | Remote Code Execution (RCE) | 2.3.4 | Critical | CVE-2023-6585 |
| JobSearch | wp-jobsearch | n/a | Broken Authentication | 2.3.4 | Critical | CVE-2023-6584 |
| WP Social Widget | wp-social-widget | n/a | Cross Site Scripting (XSS) | 2.2.6 | Medium | CVE-2024-27189 |

WordPress Themes — 2 Patched / 0 Unpatched

| Theme | Slug | Downloads | Vulnerability | Patched in Version | Severity | CVE |
|---|---|---|---|---|---|---|
| Colibri WP | colibri-wp | 1,232,050 | Cross Site Request Forgery (CSRF) | 1.0.101 | Medium | CVE-2024-1360 |
| Socialdriver | socialdriver | n/a | Cross Site Scripting (XSS) | 2024 | High | CVE-2023-4826 |
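The tables above are only useful once they are compared against what is actually installed. The script below is an added example, not code from this report, SolidWP, Solid Security or Patchstack: it takes the JSON that WP-CLI prints for `wp plugin list --format=json` (objects with the fields name, status, update and version, where name is the plugin slug), checks each installed plugin against a hand-copied subset of the rows above, and emits the WP-CLI remediation commands. Two assumptions are built in and labelled in the comments: every version below the "Patched in Version" is treated as affected, because the report gives no affected range, and any installed version of a "No fix" plugin is treated as affected. The sample plugin list is constructed, not taken from a real site.

```python
"""Compare a site's installed plugins against this report's advisories.

Added example (not SolidWP, Solid Security or Patchstack code). Input is the
output of `wp plugin list --format=json`; the sample below is constructed.
"""
import json
import re

# Subset of the report's plugin tables, copied by hand:
# slug -> (first fixed version, or None for "No fix"; CVEs from the report).
ADVISORIES = {
    "litespeed-cache": ("5.7.0.1", ["CVE-2023-45000", "CVE-2023-40000"]),
    "ultimate-member": ("2.8.3", ["CVE-2024-1071"]),
    "brizy": ("2.4.41", ["CVE-2024-1165", "CVE-2024-1296", "CVE-2024-1311", "CVE-2024-1291"]),
    "notificationx": ("2.8.3", ["CVE-2024-1698"]),
    "addon-elements-for-elementor-page-builder": ("1.13", ["CVE-2024-1422", "CVE-2024-1393", "CVE-2024-1358"]),
    "addon-library": (None, ["CVE-2024-1710"]),
    "play-ht": (None, ["CVE-2024-1772"]),
    "slivery-extender": (None, ["CVE-2024-27191"]),
}


def version_key(version):
    """Turn "5.7.0.1" into (5, 7, 0, 1). Stops at the first non-numeric part,
    which is enough for the plain dotted versions used in this report."""
    nums = []
    for part in re.split(r"[.\-+]", version.strip()):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def version_lt(a, b):
    """True if a < b, padding the shorter tuple with zeros so that
    "1.13" == "1.13.0" and "5.7" < "5.7.0.1" (same result PHP's version_compare gives)."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    return ka + (0,) * (width - len(ka)) < kb + (0,) * (width - len(kb))


def assess(plugins):
    """One finding per installed plugin that appears in ADVISORIES.
    Assumption: all versions below the patched version are affected (the report
    lists no affected range); any version of a "No fix" plugin is affected."""
    findings = []
    for p in plugins:
        slug = p["name"]
        if slug not in ADVISORIES:
            continue
        fixed, cves = ADVISORIES[slug]
        if fixed is None:
            action = "deactivate-and-delete"
        elif version_lt(p["version"], fixed):
            action = "update"
        else:
            action = "ok"
        findings.append({"slug": slug, "installed": p["version"], "fixed": fixed,
                         "status": p["status"], "cves": cves, "action": action})
    return findings


def wp_cli_commands(findings):
    """WP-CLI commands for the findings. An unpatched plugin is deleted even when it
    is already inactive, because its files stay on disk and web-reachable."""
    cmds = []
    for f in findings:
        if f["action"] == "update":
            cmds.append(f"wp plugin update {f['slug']}")
        elif f["action"] == "deactivate-and-delete":
            if f["status"] == "active":
                cmds.append(f"wp plugin deactivate {f['slug']}")
            cmds.append(f"wp plugin delete {f['slug']}")
    return cmds


# Constructed sample of `wp plugin list --format=json` output; not a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "litespeed-cache", "status": "active", "update": "available", "version": "5.7"},
    {"name": "ultimate-member", "status": "active", "update": "none", "version": "2.8.3"},
    {"name": "brizy", "status": "inactive", "update": "available", "version": "2.4.40"},
    {"name": "addon-elements-for-elementor-page-builder", "status": "active", "update": "none", "version": "1.13"},
    {"name": "play-ht", "status": "inactive", "update": "none", "version": "3.0.1"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3.1"},
])


def assess_sample():
    """Run the check over the constructed sample."""
    return assess(json.loads(SAMPLE_WP_PLUGIN_LIST))


if __name__ == "__main__":
    findings = assess_sample()
    for f in findings:
        print(f"{f['slug']:45} {f['installed']:>8} -> {f['action']:22} {', '.join(f['cves'])}")
    print("\n".join(wp_cli_commands(findings)))
```

On a real site, pipe `wp plugin list --format=json` into the script instead of the sample, and copy the remaining rows from the tables above into ADVISORIES. Because the report only states the version a fix shipped in, the check is deliberately conservative: a plugin on an old version that happens to predate the bug is still flagged, which is the right default when the affected range is unknown.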
