WordPress Vulnerability Report — January 31, 2024

In this week’s report, a total of 53 vulnerabilities have been publicly disclosed. Security patches are available for 36 of these plugins and themes, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings. Additionally, there are 17 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall: virtual patches from Patchstack are applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor, or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately. The next major release will be version 6.5, planned for March 26, 2024.
WordPress Plugins — 35 Patched / 17 Unpatched

Unpatched (17):

- aBitGone CommentSafe (slug: abitgone-commentsafe) | Cross Site Request Forgery (CSRF) | Patched in: No Fix | Severity: High | CVE-2023-7174
- Add SVG Support for Media Uploader | inventivo (slug: add-svg-support-for-media-uploader-inventivo) | Cross Site Scripting (XSS) | Patched in: No Fix | Severity: Medium | CVE-2023-7088
- Advanced Schedule Posts (slug: advanced-schedule-posts) | Cross Site Scripting (XSS) | Patched in: No Fix | Severity: High | CVE-2024-0249
- Better Follow Button for Jetpack (slug: better-follow-button-for-jetpack) | Cross Site Scripting (XSS) | Patched in: No Fix | Severity: Medium | CVE-2023-7168
- enigma chart.js (slug: enigma-chartjs) | Cross Site Scripting (XSS) | Patched in: No Fix | Severity: Medium | CVE-2023-6081
- enigma chart.js (slug: enigma-chartjs) | Cross Site Scripting (XSS) | Patched in: No Fix | Severity: Medium | CVE-2023-6082
- (Simply) Guest Author Name (slug: guest-author-name) | Cross Site Scripting (XSS) | Patched in: No Fix | Severity: Medium | CVE-2024-0254
- lasTunes (slug: lastunes) | Cross Site Request Forgery (CSRF) | Patched in: No Fix | Severity: Medium | CVE-2023-6499
- illi Link Party! (slug: link-party) | Broken Access Control | Patched in: No Fix | Severity: Medium | CVE-2023-7231
- illi Link Party! (slug: link-party) | Cross Site Scripting (XSS) | Patched in: No Fix | Severity: High | CVE-2023-7228
- illi Link Party! (slug: link-party) | Cross Site Request Forgery (CSRF) | Patched in: No Fix | Severity: Medium | CVE-2023-7229
- Mang Board WP (slug: mangboard) | Cross Site Scripting (XSS) | Patched in: No Fix | Severity: Medium | CVE-2024-22306
- Splashscreen (slug: splashscreen) | Cross Site Request Forgery (CSRF) | Patched in: No Fix | Severity: Medium | CVE-2023-6501
- SVG Uploads Support (slug: svg-uploads-support) | Cross Site Scripting (XSS) | Patched in: No Fix | Severity: Medium | CVE-2023-7086
- Ultimate Noindex Nofollow Tool (slug: ultimate-noindex-nofollow-tool) | Cross Site Request Forgery (CSRF) | Patched in: No Fix | Severity: Medium | CVE-2023-7196
- Marketing Twitter Bot (slug: wordpress-twitterbot) | Cross Site Scripting (XSS) | Patched in: No Fix | Severity: High | CVE-2023-7197
- WP-Reply Notify (slug: wp-reply-notify) | Cross Site Request Forgery (CSRF) | Patched in: No Fix | Severity: Medium | CVE-2023-7195

Patched (35):

- Better Search Replace (slug: better-search-replace, 1,000,000+ installations) | PHP Object Injection | Patched in: 1.4.5 | Severity: Critical | CVE-2023-6933
- File Manager (slug: wp-file-manager, 1,000,000+ installations) | Sensitive Data Exposure | Patched in: 7.2.2 | Severity: High | CVE-2024-0761
- WP Go Maps (formerly WP Google Maps) (slug: wp-google-maps, 400,000+ installations) | Cross Site Scripting (XSS) | Patched in: 9.0.29 | Severity: High | CVE-2023-6697
- Migration, Backup, Staging – WPvivid (slug: wpvivid-backuprestore, 400,000+ installations) | Broken Access Control | Patched in: 0.9.95 | Severity: Medium | CVE-2023-4637
- Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder (slug: formidable, 300,000+ installations) | Cross Site Request Forgery (CSRF) | Patched in: 6.8 | Severity: Medium | CVE-2024-0660
- Backuply – Backup, Restore, Migrate and Clone (slug: backuply, 200,000+ installations) | Directory Traversal | Patched in: 1.2.4 | Severity: Medium | CVE-2024-0697
- Photo Gallery by 10Web – Mobile-Friendly Image Gallery (slug: photo-gallery, 200,000+ installations) | Directory Traversal | Patched in: 1.8.20 | Severity: Critical | CVE-2024-0221
- AMP for WP – Accelerated Mobile Pages (slug: accelerated-mobile-pages, 100,000+ installations) | Cross Site Scripting (XSS) | Patched in: 1.0.93 | Severity: High | CVE-2024-0587
- FileBird – WordPress Media Library Folders & File Manager (slug: filebird, 100,000+ installations) | Cross Site Scripting (XSS) | Patched in: 5.6.1 | Severity: Medium | CVE-2024-0691
- Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels (slug: instant-images, 100,000+ installations) | Broken Access Control | Patched in: 6.1.1 | Severity: High | CVE-2024-0869
- VK Block Patterns (slug: vk-block-patterns, 80,000+ installations) | Cross Site Request Forgery (CSRF) | Patched in: 1.31.2.0 | Severity: Medium | CVE-2024-0623
- Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (slug: form-maker, 60,000+ installations) | Cross Site Request Forgery (CSRF) | Patched in: 1.15.22 | Severity: Medium | CVE-2024-0667
- WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging (slug: wp-rss-aggregator, 60,000+ installations) | Cross Site Scripting (XSS) | Patched in: 4.23.5 | Severity: Medium | CVE-2024-0630
- Exclusive Addons for Elementor (slug: exclusive-addons-for-elementor, 50,000+ installations) | Cross Site Scripting (XSS) | Patched in: 2.6.9 | Severity: Medium | CVE-2024-0823
- Exclusive Addons for Elementor (slug: exclusive-addons-for-elementor, 50,000+ installations) | Cross Site Scripting (XSS) | Patched in: 2.6.9 | Severity: Medium | CVE-2024-0824
- 10Web AI Assistant – AI content writing assistant (slug: ai-assistant-by-10web, 30,000+ installations) | Broken Access Control | Patched in: 1.0.19 | Severity: Medium | CVE-2023-6985
- WP Dashboard Notes (slug: wp-dashboard-notes, 30,000+ installations) | Broken Access Control | Patched in: 1.0.11 | Severity: Medium | CVE-2023-7239
- Meks Smart Social Widget (slug: meks-smart-social-widget, 20,000+ installations) | Cross Site Scripting (XSS) | Patched in: 1.6.4 | Severity: Medium | CVE-2024-0664
- PDF Poster – PDF Embedder Plugin for WordPress (slug: pdf-poster, 20,000+ installations) | Cross Site Scripting (XSS) | Patched in: 2.1.18 | Severity: High | CVE-2024-23508
- WordPress Simple Shopping Cart (slug: wordpress-simple-paypal-shopping-cart, 20,000+ installations) | Cross Site Scripting (XSS) | Patched in: 4.7.2 | Severity: Medium | CVE-2023-6497
- Cryptocurrency Widgets – Price Ticker & Coins List (slug: cryptocurrency-price-ticker-widget, 10,000+ installations) | SQL Injection | Patched in: 2.6.6 | Severity: Critical | CVE-2024-0709
- WP Customer Area (slug: customer-area, 10,000+ installations) | Cross Site Scripting (XSS) | Patched in: 8.2.3 | Severity: High | CVE-2024-0665
- PDF Generator For Fluent Forms – The Contact Form Plugin (slug: fluentforms-pdf, 10,000+ installations) | Cross Site Scripting (XSS) | Patched in: 1.1.8 | Severity: Medium | CVE-2023-6953
- Category Discount Woocommerce (slug: woo-product-category-discount, 7,000+ installations) | Cross Site Request Forgery (CSRF) | Patched in: 4.12 | Severity: Medium | CVE-2024-0617
- Category Discount Woocommerce (slug: woo-product-category-discount, 7,000+ installations) | Broken Access Control | Patched in: 4.13 | Severity: Medium | CVE-2024-0617
- Sticky Buttons – floating buttons builder (slug: sticky-buttons, 6,000+ installations) | Cross Site Scripting (XSS) | Patched in: 3.2.3 | Severity: Medium | CVE-2024-0703
- Dragfy Addons for Elementor (slug: dragfy-addons-for-elementor, 1,000+ installations) | Cross Site Scripting (XSS) | Patched in: 8.3.2 | Severity: Medium | CVE-2024-0448
- InstaWP Connect – 1-click WP Staging & Migration (slug: instawp-connect, 1,000+ installations) | SQL Injection | Patched in: 0.1.0.10 | Severity: High | CVE-2024-23507
- InstaWP Connect – 1-click WP Staging & Migration (slug: instawp-connect, 1,000+ installations) | Sensitive Data Exposure | Patched in: 0.1.0.10 | Severity: High | CVE-2024-23506
- Views for WPForms – Display & Edit WPForms Entries on your site frontend (slug: views-for-wpforms-lite, 1,000+ installations) | Broken Access Control | Patched in: 3.2.3 | Severity: Medium | CVE-2024-0370
- Allow SVG
- coreActivity: Activity Logging plugin for WordPress (slug: coreactivity) | Cross Site Scripting (XSS) | Patched in: 1.8.1 | Severity: High | CVE-2024-0852
- MaxButtons (slug: maxbutton) | Cross Site Scripting (XSS) | Patched in: 9.7.7 | Severity: Medium | CVE-2023-7029
- File Manager Pro (slug: wp-file-manager-pro) | Arbitrary File Upload | Patched in: 8.3.5 | Severity: High | CVE-2023-6846
- WPForms Pro (slug: wpforms) | Cross Site Scripting (XSS) | Patched in: 1.8.5.4 | Severity: High | CVE-2023-7063

WordPress Themes — 1 Patched / 0 Unpatched

- ColorMag

Solid Security is part of Solid Suite — The best foundation for WordPress websites. Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
