WordPress Vulnerability Report — January 24, 2024

In this report, 88 new vulnerabilities have been publicly disclosed. Security patches for 29 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 59 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor, or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress Core

WordPress 6.4.2 was released on December 6, 2023, as a short-cycle maintenance and security release with seven bug fixes and one security patch for a potential Remote Code Execution (RCE) vulnerability that is not directly exploitable in most situations. However, combined with certain vulnerabilities in third-party plugins on a multisite network, this vulnerability could be exploited and pose a high-severity risk. The 6.4.1 update will prevent PHP object injections from being chained into a potential RCE, according to details published by Patchstack.

WordPress Plugins — 28 Patched / 59 Unpatched

| Plugin | Slug | Installations | Vulnerability | Patched in Version | Severity Score | CVE |
|---|---|---|---|---|---|---|
| Ninja Tables – Best Data Table Plugin for WordPress | ninja-tables | 80,000+ | Broken Access Control | No Fix | Medium | 2024-23504 |
| Ninja Tables – Best Data Table Plugin for WordPress | ninja-tables | 80,000+ | Broken Access Control | No Fix | Medium | 2024-23503 |
| Booking for Appointments and Events Calendar – Amelia | ameliabooking | 60,000+ | Broken Access Control | No Fix | Medium | 2024-22298 |
| Contact Form builder with drag & drop for WordPress – Kali Forms | kali-forms | 30,000+ | Insecure Direct Object References (IDOR) | No Fix | High | 2024-22305 |
| PDF Viewer & 3D PDF Flipbook – DearPDF | dearpdf-lite | 8,000+ | Cross Site Scripting (XSS) | No Fix | Medium | 2024-23505 |
| Browser Theme Color | browser-theme-color | 3,000+ | Cross Site Request Forgery (CSRF) | No Fix | Medium | 2024-22291 |
| FreshMail For WordPress | freshmail-integration | 2,000+ | Cross Site Request Forgery (CSRF) | No Fix | Medium | 2024-22304 |
| Albo Pretorio On line | albo-pretorio-on-line | 1,000+ | Cross Site Scripting (XSS) | No Fix | Medium | 2024-22302 |
| Albo Pretorio On line | albo-pretorio-on-line | 1,000+ | Sensitive Data Exposure | No Fix | Medium | 2024-22301 |
| CBX Map for Google Map & OpenStreetMap | cbxgooglemap | 1,000+ | Cross Site Scripting (XSS) | No Fix | Medium | 2024-22297 |
| Posts List Designer by Category – List Category Posts Or Recent Posts | post-list-designer | 1,000+ | Cross Site Scripting (XSS) | No Fix | Medium | 2024-23502 |
| 12 Step Meeting List | 12-step-meeting-list | 900+ | Broken Access Control | No Fix | Medium | 2024-22296 |
| WP To Do | wp-todo | 300+ | Cross Site Scripting (XSS) | No Fix | Medium | 2024-22292 |
| BA Plus | ba-plus-before-after-image-slider-free | Not listed | Cross Site Scripting (XSS) | No Fix | High | 2024-22286 |
| Better Anchor Links | better-anchor-links | Not listed | Cross Site Request Forgery (CSRF) | No Fix | High | 2024-22287 |
| CformsII | cforms2 | Not listed | Cross Site Scripting (XSS) | No Fix | High | 2024-22149 |
| Custom Dashboard Widgets | custom-dashboard-widgets | Not listed | Cross Site Request Forgery (CSRF) | No Fix | High | 2024-22290 |
| Delhivery Logistics Courier | delhivery-logistics-courier | Not listed | SQL Injection | No Fix | High | 2024-22283 |
| enigma chart.js | enigma-chartjs | Not listed | Cross Site Scripting (XSS) | No Fix | Medium | 2023-6081 |
| enigma chart.js | enigma-chartjs | Not listed | Cross Site Scripting (XSS) | No Fix | Medium | 2023-6082 |
| Frontpage Manager | frontpage-manager | Not listed | Cross Site Request Forgery (CSRF) | No Fix | Medium | 2024-22285 |
| Image Tag Manager | image-tag-manager | Not listed | Cross Site Scripting (XSS) | No Fix | High | 2024-22160 |
| lasTunes | lastunes | Not listed | Cross Site Request Forgery (CSRF) | No Fix | Medium | 2023-6499 |
| Post views Stats | post-views-stats | Not listed | Cross Site Scripting (XSS) | No Fix | High | 2024-22289 |
| SimpleMap Store Locator | simplemap | Not listed | Cross Site Scripting (XSS) | No Fix | High | 2024-22282 |
| Splashscreen | splashscreen | Not listed | Cross Site Request Forgery (CSRF) | No Fix | Medium | 2023-6501 |
| Unlimited Addons for WPBakery Page Builder | unlimited-addons-for-wpbakery-page-builder | Not listed | Arbitrary File Upload | No Fix | High | 2023-6925 |
| WP Smart Editor | wp-smart-editor | Not listed | Cross Site Scripting (XSS) | No Fix | High | 2024-22148 |
| Advanced Custom Fields (ACF) | advanced-custom-fields | 2,000,000+ | Cross Site Scripting (XSS) | 6.2.5 | Medium | Not listed |
| Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite | 2,000,000+ | Cross Site Scripting (XSS) | 5.9.5 | Medium | 2024-0585 |
| Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite | 2,000,000+ | Cross Site Scripting (XSS) | 5.9.5 | Medium | 2024-0586 |
| Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms | fluentform | 400,000+ | Cross Site Scripting (XSS) | 5.1.7 | Medium | 2024-0618 |
| Migration, Backup, Staging – WPvivid | wpvivid-backuprestore | 400,000+ | Broken Access Control | 0.9.95 | Medium | 2023-4637 |
| PDF Invoices & Packing Slips for WooCommerce | woocommerce-pdf-invoices-packing-slips | 300,000+ | SQL Injection | 3.7.6 | High | 2024-22147 |
| Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery | 200,000+ | Directory Traversal | 1.8.20 | Critical | 2024-0221 |
| Orbit Fox by ThemeIsle | themeisle-companion | 200,000+ | Cross Site Scripting (XSS) | 2.10.28 | Medium | 2024-0508 |
| Burst Statistics – Privacy-Friendly Analytics for WordPress | burst-statistics | 100,000+ | SQL Injection | 1.5.4 | High | 2024-0405 |
| FileBird – WordPress Media Library Folders & File Manager | filebird | 100,000+ | Cross Site Scripting (XSS) | 5.6.1 | Medium | 2024-0691 |
| GiveWP – Donation Plugin and Fundraising Platform | give | 100,000+ | Cross Site Scripting (XSS) | 3.3.0 | Medium | 2023-51415 |
| Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp | 100,000+ | Cross Site Scripting (XSS) | 1.26 | Medium | 2024-22146 |
| Product Import Export for WooCommerce | product-import-export-for-woo | 90,000+ | Arbitrary File Upload | 2.3.8 | High | 2024-22152 |
| Import and export users and customers | import-users-from-csv-with-meta | 80,000+ | Broken Access Control | 1.24.7 | Medium | 2024-22151 |
| VK Block Patterns | vk-block-patterns | 80,000+ | Cross Site Request Forgery (CSRF) | 1.31.2.0 | Medium | 2024-0623 |
| Advanced Woo Search | advanced-woo-search | 70,000+ | Cross Site Scripting (XSS) | 2.97 | High | 2024-0251 |
| Booking for Appointments and Events Calendar – Amelia | ameliabooking | 60,000+ | Cross Site Scripting (XSS) | 1.0.94 | Medium | 2023-6808 |
| Getwid – Gutenberg Blocks | getwid | 50,000+ | Bypass Vulnerability | 2.0.5 | Medium | 2023-6963 |
| Getwid – Gutenberg Blocks | getwid | 50,000+ | Broken Access Control | 2.0.5 | Medium | 2023-6959 |
| User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | profile-builder | 50,000+ | Broken Access Control | 3.10.9 | High | 2024-0324 |
| Photo Gallery, Images, Slider in Rbs Image Gallery | robo-gallery | 50,000+ | Cross Site Scripting (XSS) | 3.2.18 | Medium | 2024-22295 |
| Simple Membership | simple-membership | 50,000+ | Open Redirection | 4.4.2 | Low | 2024-22308 |
| WP Recipe Maker | wp-recipe-maker | 50,000+ | Cross Site Scripting (XSS) | 9.1.1 | Medium | 2024-0381 |
| WP Recipe Maker | wp-recipe-maker | 50,000+ | Path Traversal | 9.1.1 | Medium | 2024-0380 |
| WP Recipe Maker | wp-recipe-maker | 50,000+ | Cross Site Scripting (XSS) | 9.1.1 | Medium | 2024-0255 |
| WP Recipe Maker | wp-recipe-maker | 50,000+ | Cross Site Scripting (XSS) | 9.1.1 | High | 2023-6970 |
| WP Recipe Maker | wp-recipe-maker | 50,000+ | Cross Site Scripting (XSS) | 9.1.1 | Medium | 2024-0384 |
| WP Recipe Maker | wp-recipe-maker | 50,000+ | Cross Site Scripting (XSS) | 9.1.1 | Medium | 2023-6958 |
| WP Recipe Maker | wp-recipe-maker | 50,000+ | Cross Site Scripting (XSS) | 9.1.1 | Medium | 2024-0382 |
| Shield Security – Smart Bot Blocking & Intrusion Prevention Security | wp-simple-firewall | 50,000+ | Cross Site Scripting (XSS) | 18.5.8 | High | 2024-22163 |
| IP2Location Country Blocker | ip2location-country-blocker | 20,000+ | Sensitive Data Exposure | 2.33.4 | Medium | 2024-22294 |
| Asgaros Forum | asgaros-forum | 10,000+ | PHP Object Injection | 2.8.0 | High | 2024-22284 |
| Cryptocurrency Widgets – Price Ticker & Coins List | cryptocurrency-price-ticker-widget | 10,000+ | SQL Injection | 2.6.6 | Critical | 2024-0709 |
| Author Box, Guest Author and Co-Authors for Your Posts – Molongui | molongui-authorship | 10,000+ | Sensitive Data Exposure | 4.7.5 | Medium | 2023-7014 |
| Stripe Payment Plugin for WooCommerce | payment-gateway-stripe-and-woocommerce-integration | 10,000+ | SQL Injection | 3.8.0 | Critical | 2024-0705 |
| Portfolio & Image Gallery for WordPress \| PowerFolio | portfolio-elementor | 10,000+ | Cross Site Scripting (XSS) | 3.1.1 | Medium | 2024-22150 |
| BP Profile Search | bp-profile-search | 9,000+ | Cross Site Scripting (XSS) | 5.6 | High | 2024-22293 |
| HD Quiz | hd-quiz | 7,000+ | Cross Site Scripting (XSS) | 1.8.12 | Medium | 2024-22161 |
| WOLF – WordPress Posts Bulk Editor and Manager Professional | bulk-editor | 5,000+ | Cross Site Scripting (XSS) | 1.0.8.1 | High | 2024-22159 |
| ChatBot with AI | chatbot | 5,000+ | PHP Object Injection | 5.1.1 | High | 2024-22309 |
| Slider by Supsystic | slider-by-supsystic | 4,000+ | Broken Access Control | 1.8.7 | Medium | 2024-22303 |
| FastDup – Fastest WordPress Migration & Duplicator | fastdup | 3,000+ | Sensitive Data Exposure | 2.2.0 | Critical | 2023-6592 |
| Formzu WP | formzu-wp | 3,000+ | Cross Site Scripting (XSS) | 1.6.8 | Medium | 2024-22310 |
| WP-Lister Lite for eBay | wp-lister-for-ebay | 3,000+ | Cross Site Scripting (XSS) | 3.5.8 | High | 2024-22307 |
| WP Spell Check | wp-spell-check | 3,000+ | Cross Site Request Forgery (CSRF) | 9.18 | Medium | 2024-22143 |
| WPZOOM Shortcodes | wpzoom-shortcodes | 2,000+ | Cross Site Scripting (XSS) | 1.0.2 | High | 2024-22162 |
| InstaWP Connect – 1-click WP Staging & Migration | instawp-connect | 1,000+ | Privilege Escalation | 0.1.0.9 | High | 2024-22145 |
| Display custom fields in the frontend – Post and User Profile Fields | shortcode-to-display-post-and-user-data | 1,000+ | Cross Site Scripting (XSS) | 1.3.0 | Medium | 2023-6982 |
| Display custom fields in the frontend – Post and User Profile Fields | shortcode-to-display-post-and-user-data | 1,000+ | Insecure Direct Object References (IDOR) | 1.3.0 | Medium | 2023-6983 |
| Display custom fields in the frontend – Post and User Profile Fields | shortcode-to-display-post-and-user-data | 1,000+ | Arbitrary Code Execution | 1.3.0 | High | 2023-6996 |
| Stock Locations for WooCommerce | stock-locations-for-woocommerce | 1,000+ | Cross Site Scripting (XSS) | 2.6.0 | Medium | 2024-22153 |
| Advanced Custom Fields PRO | advanced-custom-fields-pro | Not listed | Cross Site Scripting (XSS) | 6.2.5 | Medium | Not listed |
| GeneratePress Premium | generatepress-premium | Not listed | Cross Site Scripting (XSS) | 2.4.0 | Medium | 2023-6807 |
| PeepSo Core: Photos | peepso-photos | Not listed | Cross Site Scripting (XSS) | 6.3.1.0 | Medium | 2024-22158 |
| SalesKing | salesking | Not listed | Privilege Escalation | 1.6.30 | Critical | 2024-22157 |
| SalesKing | salesking | Not listed | Settings Change | 1.6.30 | Medium | 2024-22156 |
| SalesKing | salesking | Not listed | Sensitive Data Exposure | 1.6.30 | High | 2024-22154 |
| WooCommerce Subscriptions | woocommerce-subscriptions | Not listed | Broken Access Control | 5.8.0 | Medium | 2023-50850 |
| WPForms Pro | wpforms | Not listed | Cross Site Scripting (XSS) | 1.8.5.4 | High | 2023-7063 |

WordPress Themes — 1 Patched / 0 Unpatched
