WordPress Vulnerability Report — February 7, 2024

Since last week, 158 new vulnerabilities emerged in the WordPress ecosystem, including 1 in WordPress core, 1 in themes, and 156 in plugins. 37 of the vulnerable plugins remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

In this report, 158 vulnerabilities have been publicly disclosed, including 1 in WordPress core patched in the WordPress 6.4.3 update. Security patches for 120 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 37 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately. The next major release will be version 6.5, planned for March 26, 2024.
- WordPress Core; Vulnerability: Arbitrary File Upload; Patched in Version: 6.4.3; Severity Score: Medium; CVE: 2018-14028

WordPress Plugins — 119 Patched / 37 Unpatched

Unpatched plugins (37)

- MW WP Form (slug: mw-wp-form); Installations: 200,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24804
- ACF Photo Gallery Field (slug: navz-photo-gallery); Installations: 50,000+; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-23518
- Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms (slug: happyforms); Installations: 30,000+; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-23521
- Email Before Download (slug: email-before-download); Installations: 10,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-23519
- Page Restrict (slug: pagerestrict); Installations: 10,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24702
- Load More Anything (slug: ajax-load-more-anything); Installations: 6,000+; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24704
- MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution (slug: dc-woocommerce-multi-vendor); Installations: 6,000+; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: High; CVE: 2024-24703
- OWL Carousel – WordPress Owl Carousel Slider (slug: lgx-owl-carousel); Installations: 4,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24801
- Debug (slug: debug); Installations: 3,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24798
- Don’t Muck My Markup (slug: dont-muck-my-markup); Installations: 3,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-23510
- Ultra Companion – Companion plugin for WPoperation Themes (slug: ultra-companion); Installations: 3,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24803
- Accessibility (slug: accessibility); Installations: 2,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24705
- PilotPress (slug: pilotpress); Installations: 2,000+; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-23524
- Cincopa video and media plug-in (slug: video-playlist-and-gallery-plugin); Installations: 2,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-23515
- Scheduling Plugin – Online Booking for WordPress (slug: calendar-booking); Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-23517
- CC BMI Calculator (slug: cc-bmi-calculator); Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-23516
- Click To Tweet (slug: click-to-tweet); Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-23514
- ERE Recently Viewed – Essential Real Estate Add-On (slug: ere-recently-viewed); Installations: 1,000+; Vulnerability: PHP Object Injection; Patched in Version: No Fix; Severity Score: Critical; CVE: 2024-24797
- W3SPEEDSTER (slug: w3speedster-wp); Installations: 1,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24708
- WP-CFM (slug: wp-cfm); Installations: 1,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24706
- Wp-Adv-Quiz (slug: advanced-quiz); Installations: 200+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-5956
- A no-code page builder for beautiful performance-based content (slug: setka-editor); Installations: 200+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24701
- Autotitle for WordPress (slug: autotitle-for-wordpress); Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: High; CVE: 2023-6946
- CalculatorPro Calculators (slug: calculatorpro-calculators); Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: High; CVE: 2024-24847
- Coupon Referral Program (slug: coupon-referral-program); Vulnerability: PHP Object Injection; Patched in Version: No Fix; Severity Score: Critical; CVE: 2024-25100
- Custom User CSS (slug: custom-user-css); Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-6391
- Scroll Triggered Box (slug: dreamgrow-scroll-triggered-box); Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24865
- JTRT Responsive Tables (slug: jtrt-responsive-tables); Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24802
- Mighty Addons for Elementor (slug: mighty-addons); Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: High; CVE: 2024-24846
- Order Delivery Date for WP e-Commerce (slug: order-delivery-date); Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: High; CVE: 2024-0678
- Persian Fonts (slug: persian-fonts); Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-7167
- Popup More Popups (slug: popup-more); Vulnerability: Local File Inclusion; Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-0844
- Post Thumbnail Editor (slug: post-thumbnail-editor); Vulnerability: Sensitive Data Exposure; Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24845
- PT Sign Ups (slug: ptoffice-sign-ups); Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: High; CVE: 2024-24848
- Quicksand Post Filter jQuery Plugin (slug: quicksand-jquery-post-filter); Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24850
- Quicksand Post Filter jQuery Plugin (slug: quicksand-jquery-post-filter); Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2024-24849
- WordPress Toolbar (slug: wordpress-toolbar); Vulnerability: Open Redirection; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-6389

Patched plugins (119)

- Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders (slug: essential-addons-for-elementor-lite); Installations: 2,000,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 5.9.8; Severity Score: Medium; CVE: 2024-0954
- Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode (slug: coming-soon); Installations: 900,000+; Vulnerability: Broken Access Control; Patched in Version: 6.15.22; Severity Score: Medium; CVE: 2024-1072
- Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress (slug: ninja-forms); Installations: 800,000+; Vulnerability: SQL Injection; Patched in Version: 3.7.2; Severity Score: Medium; CVE: 2024-0685
- TablePress – Tables in WordPress made easy (slug: tablepress); Installations: 800,000+; Vulnerability: Server Side Request Forgery (SSRF); Patched in Version: 2.2.5; Severity Score: Low; CVE: 2024-23825
- Premium Addons for Elementor (slug: premium-addons-for-elementor); Installations: 700,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 4.10.17; Severity Score: Medium; CVE: 2024-24831
- SiteOrigin Widgets Bundle (slug: so-widgets-bundle); Installations: 600,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.58.2; Severity Score: Medium; CVE: 2024-0961
- Admin Menu Editor (slug: admin-menu-editor); Installations: 400,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 1.12.1; Severity Score: Medium; CVE: 2024-24876
- Happy Addons for Elementor (slug: happy-elementor-addons); Installations: 400,000+; Vulnerability: Broken Access Control; Patched in Version: 3.10.2; Severity Score: Medium; CVE: 2024-24833
- Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder (slug: formidable); Installations: 300,000+; Vulnerability: Content Injection; Patched in Version: 6.7.1; Severity Score: Medium; CVE: 2024-23522
- Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder (slug: formidable); Installations: 300,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 6.8; Severity Score: Medium; CVE: 2024-0660
- Backuply – Backup, Restore, Migrate and Clone (slug: backuply); Installations: 200,000+; Vulnerability: Directory Traversal; Patched in Version: 1.2.4; Severity Score: Medium; CVE: 2024-0697
- Cloudflare (slug: cloudflare); Installations: 200,000+; Vulnerability: Sensitive Data Exposure; Patched in Version: 4.12.3; Severity Score: Medium; CVE: 2024-0212
- Page Builder: Pagelayer – Drag and Drop website builder (slug: pagelayer); Installations: 200,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.8.0; Severity Score: Medium; CVE: 2023-5124
- Page Builder: Pagelayer – Drag and Drop website builder (slug: pagelayer); Installations: 200,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.7.9; Severity Score: Medium; CVE: 2023-6738
- SEO Plugin by Squirrly SEO (slug: squirrly-seo); Installations: 200,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 12.3.16; Severity Score: Medium; CVE: 2024-0597
- Orbit Fox by ThemeIsle (slug: themeisle-companion); Installations: 200,000+; Vulnerability: Broken Access Control; Patched in Version: 2.10.29; Severity Score: Medium; CVE: 2024-1047
- Orbit Fox by ThemeIsle (slug: themeisle-companion); Installations: 200,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 2.10.230; Severity Score: Medium; CVE: 2024-1162
- Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (slug: wp-user-avatar); Installations: 200,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 4.14.4; Severity Score: Medium; CVE: 2024-1046
- Elementor Addon Elements (slug: addon-elements-for-elementor-page-builder); Installations: 100,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.12.12; Severity Score: Medium; CVE: 2024-0834
- Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) (slug: bdthemes-element-pack-lite); Installations: 100,000+; Vulnerability: Broken Access Control; Patched in Version: 5.4.12; Severity Score: Medium; CVE: 2024-24840
- Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider) (slug: bdthemes-prime-slider-lite); Installations: 100,000+; Vulnerability: Broken Access Control; Patched in Version: 3.11.11; Severity Score: Medium; CVE: 2024-24883
- Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels (slug: instant-images); Installations: 100,000+; Vulnerability: Broken Access Control; Patched in Version: 6.1.1; Severity Score: High; CVE: 2024-0869
- Minimal Coming Soon – Coming Soon Page (slug: minimal-coming-soon-maintenance-mode); Installations: 100,000+; Vulnerability: Bypass Vulnerability; Patched in Version: 2.38; Severity Score: Low; CVE: 2024-1075
- Relevanssi – A Better Search (slug: relevanssi); Installations: 100,000+; Vulnerability: Sensitive Data Exposure; Patched in Version: 4.22; Severity Score: Medium
- The Plus Addons for Elementor (slug: the-plus-addons-for-elementor-page-builder); Installations: 100,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 5.3.4; Severity Score: Medium; CVE: 2024-23511
- Cookie Information | Free GDPR Consent Solution (slug: wp-gdpr-compliance); Installations: 100,000+; Vulnerability: Broken Access Control; Patched in Version: 2.0.23; Severity Score: High; CVE: 2023-6700
- SlimStat Analytics (slug: wp-slimstat); Installations: 90,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 5.1.4; Severity Score: Medium; CVE: 2024-1073
- WP STAGING WordPress Backup Plugin – Migration Backup Restore (slug: wp-staging); Installations: 80,000+; Vulnerability: Sensitive Data Exposure; Patched in Version: 3.2.0; Severity Score: Medium; CVE: 2023-7204
- Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid (slug: boldgrid-backup); Installations: 70,000+; Vulnerability: Arbitrary File Download; Patched in Version: 1.15.9; Severity Score: High; CVE: 2024-24869
- Advanced iFrame (slug: advanced-iframe); Installations: 60,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2024.0; Severity Score: Medium; CVE: 2024-24870
- Advanced iFrame (slug: advanced-iframe); Installations: 60,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2024.0; Severity Score: Medium; CVE: 2023-7069
- Calculated Fields Form (slug: calculated-fields-form); Installations: 60,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.2.53; Severity Score: Medium; CVE: 2024-0963
- Database for Contact Form 7, WPforms, Elementor forms (slug: contact-form-entries); Installations: 60,000+; Vulnerability: Arbitrary File Upload; Patched in Version: 1.3.3; Severity Score: High; CVE: 2024-1069
- Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (slug: form-maker); Installations: 60,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 1.15.22; Severity Score: Medium; CVE: 2024-0667
- Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) (slug: easy-digital-downloads); Installations: 50,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 3.2.7; Severity Score: Medium; CVE: 2024-0659
- Exclusive Addons for Elementor (slug: exclusive-addons-for-elementor); Installations: 50,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.6.9; Severity Score: Medium; CVE: 2024-0823
- Exclusive Addons for Elementor (slug: exclusive-addons-for-elementor); Installations: 50,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.6.9; Severity Score: Medium; CVE: 2024-0824
- RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator (slug: feedzy-rss-feeds); Installations: 50,000+; Vulnerability: Broken Access Control; Patched in Version: 4.4.2; Severity Score: Medium; CVE: 2024-1092
- MapPress Maps for WordPress (slug: mappress-google-maps-for-wordpress); Installations: 50,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.88.17; Severity Score: Medium; CVE: 2023-7225
- Shariff Wrapper (slug: shariff); Installations: 50,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 4.6.10; Severity Score: Medium; CVE: 2024-1106
- Starbox – the Author Box for Humans (slug: starbox); Installations: 50,000+; Vulnerability: Insecure Direct Object References (IDOR); Patched in Version: 3.4.8; Severity Score: Medium; CVE: 2024-0366
- Shield Security – Smart Bot Blocking & Intrusion Prevention Security (slug: wp-simple-firewall); Installations: 50,000+; Vulnerability: Local File Inclusion; Patched in Version: 18.5.10; Severity Score: High; CVE: 2023-6989
- WooCommerce Conversion Tracking (slug: woocommerce-conversion-tracking); Installations: 40,000+; Vulnerability: Broken Access Control; Patched in Version: 2.0.12; Severity Score: Medium; CVE: 2024-24711
- WP 404 Auto Redirect to Similar Post (slug: wp-404-auto-redirect-to-similar-post); Installations: 40,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.0.4; Severity Score: High; CVE: 2024-0509
- Apollo13 Framework Extensions (slug: apollo13-framework-extensions); Installations: 30,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.9.3; Severity Score: Medium; CVE: 2024-24880
- Feed Them Social – Page, Post, Video, and Photo Galleries (slug: feed-them-social); Installations: 30,000+; Vulnerability: Broken Access Control; Patched in Version: 4.2.1; Severity Score: Medium; CVE: 2024-24710
- Html5 Video Player – mp4 player, Video Player for WordPress (slug: html5-video-player); Installations: 30,000+; Vulnerability: SQL Injection; Patched in Version: 2.5.25; Severity Score: Critical; CVE: 2024-1061
- Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic (slug: shareaholic); Installations: 30,000+; Vulnerability: Broken Access Control; Patched in Version: 9.7.12; Severity Score: Medium; CVE: 2024-24709
- Structured Content (JSON-LD) #wpsc (slug: structured-content); Installations: 30,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.6.2; Severity Score: Medium; CVE: 2024-24839
- BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net (slug: woo-bulk-editor); Installations: 30,000+; Vulnerability: Broken Access Control; Patched in Version: 1.1.4.1; Severity Score: Medium; CVE: 2024-24835
- BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net (slug: woo-bulk-editor); Installations: 30,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.1.4.1; Severity Score: Medium; CVE: 2024-24834
- WP Dashboard Notes (slug: wp-dashboard-notes); Installations: 30,000+; Vulnerability: Broken Access Control; Patched in Version: 1.0.11; Severity Score: Medium; CVE: 2023-7239
- Meks Smart Social Widget (slug: meks-smart-social-widget); Installations: 20,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.6.4; Severity Score: Medium; CVE: 2024-0664
- WordPress Simple Shopping Cart (slug: wordpress-simple-paypal-shopping-cart); Installations: 20,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 4.7.2; Severity Score: Medium; CVE: 2023-6497
- WP Visitor Statistics (Real Time Traffic) (slug: wp-stats-manager); Installations: 20,000+; Vulnerability: Sensitive Data Exposure; Patched in Version: 6.9.5; Severity Score: Medium; CVE: 2024-24867
- Affiliates Manager (slug: affiliates-manager); Installations: 10,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 2.9.35; Severity Score: Medium; CVE: 2024-0859
- Awesome Support – WordPress HelpDesk & Support Plugin (slug: awesome-support); Installations: 10,000+; Vulnerability: Broken Access Control; Patched in Version: 6.1.7; Severity Score: Medium; CVE: 2024-24716
- Booking Calendar | Appointment Booking | BookIt (slug: bookit); Installations: 10,000+; Vulnerability: Bypass Vulnerability; Patched in Version: 2.4.2; Severity Score: Medium; CVE: 2024-24715
- Knowledge Base for Documentation, FAQs with AI Assistance (slug: echo-knowledge-base); Installations: 10,000+; Vulnerability: PHP Object Injection; Patched in Version: 11.31.0; Severity Score: High; CVE: 2024-24842
- Link Library (slug: link-library); Installations: 10,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 7.6; Severity Score: High; CVE: 2024-24879
- Link Library (slug: link-library); Installations: 10,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 7.6; Severity Score: Medium; CVE: 2024-24875
- NEX-Forms – Ultimate Form Builder – Contact forms and much more (slug: nex-forms-express-wp-form-builder); Installations: 10,000+; Vulnerability: Broken Access Control; Patched in Version: 8.5.7; Severity Score: Medium; CVE: 2024-1130
- WordPress Review & Structure Data Schema Plugin – Review Schema (slug: review-schema); Installations: 10,000+; Vulnerability: Broken Access Control; Patched in Version: 2.2.0; Severity Score: Medium; CVE: 2024-0836
- Wonder Slider Lite (slug: wonderplugin-slider-lite); Installations: 10,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 14.0; Severity Score: High; CVE: 2024-24877
- Woocommerce Vietnam Checkout (slug: woo-vietnam-checkout); Installations: 10,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.0.8; Severity Score: Medium; CVE: 2024-24885
- Woostify Sites Library (slug: woostify-sites-library); Installations: 10,000+; Vulnerability: Broken Access Control; Patched in Version: 1.4.8; Severity Score: High; CVE: 2023-6279
- Product Labels For Woocommerce (Sale Badges) (slug: aco-product-labels-for-woocommerce); Installations: 9,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.5.4; Severity Score: Medium; CVE: 2024-24886
- FG Joomla to WordPress (slug: fg-joomla-to-wordpress); Installations: 9,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 4.17.0; Severity Score: Medium
- WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc (slug: wp-sms); Installations: 9,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 6.5.3; Severity Score: High; CVE: 2024-24881
- Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin (slug: mage-eventpress); Installations: 8,000+; Vulnerability: PHP Object Injection; Patched in Version: 4.1.2; Severity Score: High; CVE: 2024-24796
- Fatal Error Notify (slug: fatal-error-notify); Installations: 7,000+; Vulnerability: Broken Access Control; Patched in Version: 1.5.3; Severity Score: Medium; CVE: 2023-7202
- GDPR Data Request Form (slug: gdpr-data-request-form); Installations: 7,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.7; Severity Score: Medium; CVE: 2024-24836
- Themify Builder (slug: themify-builder); Installations: 7,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 7.0.6; Severity Score: Medium; CVE: 2024-24872
- ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup (slug: armember-membership); Installations: 6,000+; Vulnerability: Sensitive Data Exposure; Patched in Version: 4.0.25; Severity Score: Medium; CVE: 2024-0969
- Contact Form 7 Connector (slug: ari-cf7-connector); Installations: 5,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 1.2.3; Severity Score: Medium; CVE: 2024-24884
- WOLF – WordPress Posts Bulk Editor and Manager Professional (slug: bulk-editor); Installations: 5,000+; Vulnerability: Broken Access Control; Patched in Version: 1.0.8.2; Severity Score: Medium; CVE: 2024-0791
- WOLF – WordPress Posts Bulk Editor and Manager Professional (slug: bulk-editor); Installations: 5,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 1.0.8.2; Severity Score: Medium; CVE: 2024-0790
- PopupAlly (slug: popupally); Installations: 5,000+; Vulnerability: Broken Access Control; Patched in Version: 2.1.1; Severity Score: Medium; CVE: 2024-23520
- ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks (slug: product-blocks); Installations: 4,000+; Vulnerability: PHP Object Injection; Patched in Version: 3.1.5; Severity Score: High; CVE: 2024-23512
- WP Dummy Content Generator (slug: wp-dummy-content-generator); Installations: 4,000+; Vulnerability: Broken Access Control; Patched in Version: 3.1.3; Severity Score: Medium; CVE: 2024-24805
- Advanced Forms for ACF (slug: advanced-forms); Installations: 3,000+; Vulnerability: Broken Access Control; Patched in Version: 1.9.3.3; Severity Score: Medium; CVE: 2024-1121
- Auto Listings – Car Listings & Car Dealership Plugin for WordPress (slug: auto-listings); Installations: 3,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.6.6; Severity Score: Medium; CVE: 2024-24713
- (Simply) Guest Author Name (slug: guest-author-name); Installations: 3,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 4.35; Severity Score: Medium; CVE: 2024-0254
- Beds24 Online Booking (slug: beds24-online-booking); Installations: 2,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.0.24; Severity Score: Medium; CVE: 2024-24717
- EventPrime – Events Calendar, Bookings and Tickets (slug: eventprime-event-calendar-management); Installations: 2,000+; Vulnerability: Broken Access Control; Patched in Version: 3.4.0; Severity Score: High; CVE: 2024-24832
- Active Products Tables for WooCommerce. Professional products tables for WooCommerce store (slug: profit-products-tables-for-woocommerce); Installations: 2,000+; Vulnerability: Broken Access Control; Patched in Version: 1.0.6.2; Severity Score: Medium; CVE: 2024-0797
- Active Products Tables for WooCommerce. Professional products tables for WooCommerce store (slug: profit-products-tables-for-woocommerce); Installations: 2,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 1.0.6.2; Severity Score: Medium; CVE: 2024-0796
- PropertyHive (slug: propertyhive); Installations: 2,000+; Vulnerability: Broken Access Control; Patched in Version: 2.0.7; Severity Score: Medium; CVE: 2024-24718
- PropertyHive (slug: propertyhive); Installations: 2,000+; Vulnerability: PHP Object Injection; Patched in Version: 2.0.6; Severity Score: High; CVE: 2024-23513
- SP Project & Document Manager (slug: sp-client-document-manager); Installations: 2,000+; Vulnerability: SQL Injection; Patched in Version: 4.70; Severity Score: High; CVE: 2024-24868
- Add Customer for WooCommerce (slug: add-customer-for-woocommerce); Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.7.1; Severity Score: Medium; CVE: 2024-24841
- Anonymous Restricted Content (slug: anonymous-restricted-content); Installations: 1,000+; Vulnerability: Bypass Vulnerability; Patched in Version: 1.6.3; Severity Score: Medium; CVE: 2024-0909
- Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo (slug: biteship); Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.2.25; Severity Score: High; CVE: 2024-24866
- Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress (slug: contest-gallery); Installations: 1,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 21.2.9; Severity Score: Medium; CVE: 2024-24887
- Polls CP (slug: cp-polls); Installations: 1,000+; Vulnerability: Content Injection; Patched in Version: 1.0.72; Severity Score: Medium; CVE: 2024-24874
- Polls CP (slug: cp-polls); Installations: 1,000+; Vulnerability: Bypass Vulnerability; Patched in Version: 1.0.72; Severity Score: Medium; CVE: 2024-24873
- FG Drupal to WordPress (slug: fg-drupal-to-wp); Installations: 1,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 3.68.0; Severity Score: Medium
- FG PrestaShop to WooCommerce (slug: fg-prestashop-to-woocommerce); Installations: 1,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 4.45.0; Severity Score: Medium
- Five Star Restaurant Reviews (slug: good-reviews-wp); Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.3.6; Severity Score: Medium; CVE: 2024-24838
- Heateor Social Login WordPress (slug: heateor-social-login); Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.1.31; Severity Score: Medium; CVE: 2024-24712
- Icons Font Loader (slug: icons-font-loader); Installations: 1,000+; Vulnerability: Arbitrary File Upload; Patched in Version: 1.1.5; Severity Score: High; CVE: 2024-24714
- Kikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerce (slug: map-location-picker-at-checkout-for-woocommerce); Installations: 1,000+; Vulnerability: Broken Access Control; Patched in Version: 1.9.0; Severity Score: Medium; CVE: 2024-24719
- Restrict Usernames Emails Characters (slug: restrict-usernames-emails-characters); Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 3.1.4; Severity Score: Medium; CVE: 2023-6165
- WP Club Manager – WordPress Sports Club Plugin (slug: wp-club-manager); Installations: 1,000+; Vulnerability: Broken Access Control; Patched in Version: 2.2.11; Severity Score: Medium; CVE: 2024-1177
- Chartify – WordPress Chart Plugin (slug: chart-builder); Installations: 700+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.0.7; Severity Score: Medium; CVE: 2023-47526
- Portugal CTT Tracking for WooCommerce (slug: portugal-ctt-tracking-woocommerce); Installations: 700+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.2; Severity Score: High; CVE: 2024-24878
- Wp-Adv-Quiz (slug: advanced-quiz); Installations: 200+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.0.3; Severity Score: Medium; CVE: 2023-5943
- Allow SVG
- coreActivity: Activity Logging plugin for WordPress (slug: coreactivity); Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.8.1; Severity Score: High; CVE: 2024-0852
- EventON Pro (slug: eventon-wordpress-event-calendar-plugin); Vulnerability: Cross Site Scripting (XSS); Patched in Version: 4.4.1; Severity Score: High; CVE: 2023-7200
- PowerPack Pro for Elementor (slug: powerpack-elements); Vulnerability: Settings Change; Patched in Version: 2.10.8; Severity Score: High; CVE: 2024-24844
- PowerPack Pro for Elementor (slug: powerpack-elements); Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 2.10.8; Severity Score: High; CVE: 2024-24843
- Relevanssi Premium (slug: relevanssi-premium); Vulnerability: Sensitive Data Exposure; Patched in Version: 2.25; Severity Score: Medium
- LearnDash LMS (slug: sfwd-lms); Vulnerability: Sensitive Data Exposure; Patched in Version: 4.10.3; Severity Score: Medium; CVE: 2024-1208
- LearnDash LMS (slug: sfwd-lms); Vulnerability: Sensitive Data Exposure; Patched in Version: 4.10.2; Severity Score: Medium; CVE: 2024-1210
- LearnDash LMS (slug: sfwd-lms); Vulnerability: Sensitive Data Exposure; Patched in Version: 4.10.2; Severity Score: Medium; CVE: 2024-1209
- Userpro (slug: userpro); Vulnerability: Bypass Vulnerability; Patched in Version: 5.1.7; Severity Score: Medium; CVE: 2024-0701
- Userpro (slug: userpro); Vulnerability: Cross Site Scripting (XSS); Patched in Version: 5.1.6; Severity Score: Medium; CVE: 2023-2439
- WooCommerce Box Office (slug: woocommerce-box-office); Vulnerability: Broken Access Control; Patched in Version: 1.2.3; Severity Score: Medium; CVE: 2024-24799

WordPress Themes — 1 Patched / 0 Unpatched

- Blocksy (slug: blocksy); Downloads: 2,786,039; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.0.20; Severity Score: Medium; CVE: 2024-24871

Solid Security is part of Solid Suite — The best foundation for WordPress websites. Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!