WordPress Vulnerability Report — March 13, 2024

In this report, 70 vulnerabilities have been publicly disclosed. Security patches for 57 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings. Additionally, there are 13 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately. The next major release will be version 6.5, planned for March 26, 2024.
WordPress Plugins — 55 Patched / 13 Unpatched

Unpatched plugin vulnerabilities (13)

| Plugin | Slug | Installations | Vulnerability | Patched in Version | Severity Score | CVE |
|---|---|---|---|---|---|---|
| HT Easy GA4 – Google Analytics WordPress Plugin | ht-easy-google-analytics | 6,000+ | Broken Access Control | No Fix | Medium | CVE-2024-1176 |
| Auto Refresh Single Page | auto-refresh-single-page | n/a | PHP Object Injection | No Fix | High | CVE-2024-1731 |
| Blue Triad EZAnalytics | blue-triad-ezanalytics | n/a | Cross Site Scripting (XSS) | No Fix | High | CVE-2024-1782 |
| Change Memory Limit | change-memory-limit | n/a | Broken Access Control | No Fix | Medium | CVE-2024-1093 |
| Build & Control Block Patterns | control-block-patterns | n/a | Broken Access Control | No Fix | Medium | CVE-2024-1095 |
| Droit Elementor Addons | droit-elementor-addons | n/a | Cross Site Scripting (XSS) | No Fix | Medium | CVE-2024-2252 |
| FeedWordPress | feedwordpress | n/a | Insecure Direct Object References (IDOR) | No Fix | Medium | CVE-2024-0839 |
| Maintenance Mode by helderk | hkdev-maintenance-mode | n/a | Sensitive Data Exposure | No Fix | Medium | CVE-2024-1478 |
| Master Slider | master-slider | n/a | Cross Site Scripting (XSS) | No Fix | Medium | CVE-2024-0611 |
| Master Slider | master-slider | n/a | Cross Site Scripting (XSS) | No Fix | Medium | CVE-2024-1449 |
| Page Builder Sandwich – Front-End Page Builder | page-builder-sandwich | n/a | Broken Access Control | No Fix | Medium | CVE-2024-1285 |
| Page Builder Sandwich – Front-End Page Builder | page-builder-sandwich | n/a | Sensitive Data Exposure | No Fix | Medium | CVE-2024-1381 |
| Vimeography: Vimeo Video Gallery WordPress Plugin | vimeography | n/a | PHP Object Injection | No Fix | High | CVE-2024-0825 |

Patched plugin vulnerabilities (55)

| Plugin | Slug | Installations | Vulnerability | Patched in Version | Severity Score | CVE |
|---|---|---|---|---|---|---|
| File Manager | wp-file-manager | 1,000,000+ | Path Traversal | 7.2.2 | High | CVE-2023-6825 |
| SiteOrigin Widgets Bundle | so-widgets-bundle | 600,000+ | Cross Site Scripting (XSS) | 1.58.8 | Medium | CVE-2024-1723 |
| Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder | fluentform | 400,000+ | Cross Site Scripting (XSS) | 5.1.10 | Medium | CVE-2023-6957 |
| Happy Addons for Elementor | happy-elementor-addons | 400,000+ | Cross Site Scripting (XSS) | 3.10.4 | Medium | CVE-2024-1366 |
| Happy Addons for Elementor | happy-elementor-addons | 400,000+ | Cross Site Scripting (XSS) | 3.10.4 | Medium | CVE-2024-1377 |
| Metform Elementor Contact Form Builder | metform | 300,000+ | Cross Site Scripting (XSS) | 3.8.4 | Medium | CVE-2024-1585 |
| Royal Elementor Addons and Templates | royal-elementor-addons | 300,000+ | Cross Site Scripting (XSS) | 1.3.92 | Medium | CVE-2024-1500 |
| Page Builder: Pagelayer – Drag and Drop website builder | pagelayer | 200,000+ | Cross Site Scripting (XSS) | 1.8.4 | Medium | CVE-2024-2127 |
| Orbit Fox by ThemeIsle | themeisle-companion | 200,000+ | Cross Site Scripting (XSS) | 2.10.33 | Medium | CVE-2024-2126 |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member | 200,000+ | Cross Site Scripting (XSS) | 2.8.4 | High | CVE-2024-2123 |
| Colibri Page Builder | colibri-page-builder | 100,000+ | Broken Access Control | 1.0.263 | Medium | CVE-2024-1870 |
| Social Sharing Plugin – Sassy Social Share | sassy-social-share | 100,000+ | Cross Site Scripting (XSS) | 3.3.59 | Medium | CVE-2024-1989 |
| The Plus Addons for Elementor | the-plus-addons-for-elementor-page-builder | 100,000+ | Cross Site Scripting (XSS) | 5.4.1 | Medium | CVE-2024-1419 |
| WP Chat App | wp-whatsapp | 100,000+ | Cross Site Scripting (XSS) | 3.6.2 | Medium | CVE-2024-1761 |
| EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor | embedpress | 90,000+ | Cross Site Scripting (XSS) | 3.9.11 | Medium | CVE-2024-1802 |
| EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor | embedpress | 90,000+ | Cross Site Scripting (XSS) | 3.9.11 | Medium | CVE-2024-2128 |
| Event Tickets and Registration | event-tickets | 80,000+ | Broken Access Control | 5.8.1 | Medium | CVE-2024-1316 |
| Database for Contact Form 7, WPforms, Elementor forms | contact-form-entries | 60,000+ | Cross Site Scripting (XSS) | 1.3.4 | Medium | CVE-2024-2030 |
| User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin | user-registration | 60,000+ | Cross Site Scripting (XSS) | 3.1.5 | High | CVE-2024-1720 |
| WP-Members Membership Plugin | wp-members | 60,000+ | Cross Site Scripting (XSS) | 3.4.9.2 | Medium | CVE-2024-1987 |
| Simple Membership | simple-membership | 50,000+ | Cross Site Scripting (XSS) | 4.4.3 | High | CVE-2024-1985 |
| Booster for WooCommerce | woocommerce-jetpack | 50,000+ | Cross Site Scripting (XSS) | 7.1.8 | Medium | CVE-2024-1534 |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments | 30,000+ | Cross Site Request Forgery (CSRF) | 1.6.6.24 | Medium | CVE-2024-1760 |
| MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system | 10,000+ | Sensitive Data Exposure | 3.2.11 | Medium | CVE-2024-2106 |
| SportsPress – Sports Club & League Manager | sportspress | 10,000+ | Broken Access Control | 2.7.18 | Medium | CVE-2024-1178 |
| Product Carousel Slider & Grid Ultimate for WooCommerce | woo-product-carousel-slider-and-grid-ultimate | 9,000+ | PHP Object Injection | 1.9.8 | High | CVE-2024-1950 |
| JM Twitter Cards | jm-twitter-cards | 7,000+ | Sensitive Data Exposure | 14 | Medium | CVE-2024-1769 |
| Ultimate Bootstrap Elements for Elementor | ultimate-bootstrap-elements-for-elementor | 6,000+ | Cross Site Scripting (XSS) | 1.3.7 | Medium | CVE-2024-1398 |
| WPKoi Templates for Elementor | wpkoi-templates-for-elementor | 6,000+ | Cross Site Scripting (XSS) | 2.5.7 | Medium | CVE-2024-2136 |
| Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | logo-showcase-ultimate | 5,000+ | PHP Object Injection | 1.3.9 | High | CVE-2024-1951 |
| Auto Affiliate Links | wp-auto-affiliate-links | 4,000+ | Broken Access Control | 6.4.3.1 | Medium | CVE-2024-1843 |
| EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management | 3,000+ | Broken Access Control | 3.4.3 | Medium | CVE-2024-1123 |
| EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management | 3,000+ | Broken Access Control | 3.4.4 | Medium | CVE-2024-1124 |
| Profile Box Shortcode And Widget | facebook-likebox-widget-and-shortcode | 3,000+ | Cross Site Scripting (XSS) | 1.2.1 | Medium | CVE-2024-1401 |
| Password Protected Store for WooCommerce | password-protected-woo-store | 3,000+ | Sensitive Data Exposure | 2.3 | Medium | CVE-2024-1088 |
| WooCommerce Add to Cart Custom Redirect | woocommerce-add-to-cart-custom-redirect | 3,000+ | Broken Access Control | 1.2.14 | High | CVE-2024-1862 |
| affiliate-toolkit – WordPress Affiliate Plugin | affiliate-toolkit-starter | 2,000+ | Broken Access Control | 3.5.5 | Medium | CVE-2024-1851 |
| affiliate-toolkit – WordPress Affiliate Plugin | affiliate-toolkit-starter | 2,000+ | Broken Access Control | 3.5.5 | Medium | CVE-2024-2298 |
| Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget | post-grid-carousel-ultimate | 1,000+ | PHP Object Injection | 1.6.8 | High | CVE-2024-2006 |
| Simple Restrict | simple-restrict | 1,000+ | Broken Access Control | 1.2.7 | Medium | CVE-2024-1083 |
| Easy!Appointments | easyappointments | 700+ | Cross Site Scripting (XSS) | 1.3.2 | Medium | CVE-2024-0698 |
| Booster Elite for WooCommerce | booster-elite-for-woocommerce | n/a | Arbitrary File Upload | 7.1.8 | Critical | CVE-2024-1986 |
| BuddyForms | buddyforms | n/a | Broken Access Control | 2.8.8 | High | CVE-2024-1170 |
| BuddyForms | buddyforms | n/a | Broken Access Control | 2.8.8 | Medium | CVE-2024-1158 |
| BuddyForms | buddyforms | n/a | Broken Access Control | 2.8.8 | High | CVE-2024-1169 |
| Digits | digits | n/a | Cross Site Request Forgery (CSRF) | 8.4.2 | Medium | CVE-2024-0203 |
| Events Tickets Plus | event-tickets-plus | n/a | Broken Access Control | 5.9.1 | Medium | CVE-2024-1319 |
| Events Tickets Plus | event-tickets-plus | n/a | Broken Access Control | 5.9.1 | Medium | CVE-2024-1316 |
| Mollie Forms | mollie-forms | n/a | Broken Access Control | 2.6.4 | Medium | CVE-2024-1400 |
| Mollie Forms | mollie-forms | n/a | Broken Access Control | 2.6.4 | Medium | CVE-2024-1645 |
| Restaurant Reservations | nd-restaurant-reservations | n/a | Local File Inclusion | 2.0 | High | CVE-2024-1382 |
| Otter Blocks PRO | otter-pro | n/a | Cross Site Scripting (XSS) | 2.6.4 | Medium | CVE-2024-1684 |
| Otter Blocks PRO | otter-pro | n/a | Cross Site Scripting (XSS) | 2.6.4 | High | CVE-2024-1691 |
| Premium Addons PRO | premium-addons-pro | n/a | Cross Site Scripting (XSS) | 2.9.13 | Medium | CVE-2024-1996 |
| File Manager Pro | wp-file-manager-pro | n/a | Path Traversal | 8.3.5 | Critical | CVE-2023-6825 |

WordPress Themes — 2 Patched / 0 Unpatched

Patched themes: Blocksy, Total.
