WordPress Vulnerability Report — February 28, 2024

In this report, 73 vulnerabilities have been publicly disclosed. Security patches for 48 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 25 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the reasons why WordPress websites get hacked. (See our Annual Vulnerability Report for 2022.) Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 46 Patched / 25 Unpatched

2.1
Addon Library
2.2
Admin side data storage for Contact Form 7
2.3
Admin side data storage for Contact Form 7
2.4
Admin side data storage for Contact Form 7
2.5
Admin side data storage for Contact Form 7
2.6
Adsmonetizer
2.7
BeePress
2.8
Configure SMTP
2.9
Download Media
2.10
Duitku Payment Gateway
2.11
Fontific | Google Fonts
2.12
Gestpay for WooCommerce
2.13
Marketo Forms and Tracking
2.14
Media Alt Renamer
2.15
WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit
2.16
PayU India
2.17
Play.ht
2.18
postMash – custom post order
2.19
Rolo Slider
2.20
Slivery Extender
2.21
SoundCloud Shortcode
2.22
Tabs Shortcode and Widget
2.23
Tainacan
2.24
User Shortcodes Plus
2.25
Watermark RELOADED
2.26
LiteSpeed Cache
2.27
LiteSpeed Cache
2.28
Premium Addons for Elementor
2.29
BackWPup – WordPress Backup Plugin
2.30
Page Builder: Pagelayer – Drag and Drop website builder
2.31
Page Builder: Pagelayer – Drag and Drop website builder
2.32
Orbit Fox by ThemeIsle
2.33
Orbit Fox by ThemeIsle
2.34
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
2.35
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
2.36
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
2.37
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
2.38
Elementor Addon Elements
2.39
Elementor Addon Elements
2.40
Elementor Addon Elements
2.41
Colibri Page Builder
2.42
Colibri Page Builder
2.43
Brizy – Page Builder
2.44
Brizy – Page Builder
2.45
Brizy – Page Builder
2.46
Brizy – Page Builder
2.47
Event Tickets and Registration
2.48
Sydney Toolbox
2.49
Enhanced Text Widget
2.50
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor
2.51
WP Dashboard Notes
2.52
Restrict User Access – Ultimate Membership & Content Protection
2.53
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
2.54
YML for Yandex Market
2.55
Smart Forms – when you need more than just a contact form
2.56
Maintenance Page
2.57
Maintenance Page
2.58
SMS Alert Order Notifications – WooCommerce
2.59
Thank You Page Customizer for WooCommerce – Increase Your Sales
2.60
Thank You Page Customizer for WooCommerce – Increase Your Sales
2.61
Spiffy Calendar
2.62
Academy LMS – eLearning and online course solution for WordPress
2.63
Archivist – Custom Archive Templates
2.64
Comments Extra Fields For Post,Pages and CPT
2.65
Comments Extra Fields For Post,Pages and CPT
2.66
KODO Qiniu
2.67
Backup
2.68
Elementor Pro
2.69
JobSearch
2.70
JobSearch
2.71
WP Social Widget

3. WordPress Themes — 2 Patched /0 Unpatched

3.1
Colibri WP
3.2
Socialdriver

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.

The next major release will be version 6.5, planned for March 26, 2024.

WordPress Plugins — 46 Patched / 25 Unpatched

Plugin:: Addon Library
Plugin Slug:: addon-library
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical

Plugin:: Admin side data storage for Contact Form 7
Plugin Slug:: admin-side-data-storage-for-contact-form-7
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Admin side data storage for Contact Form 7
Plugin Slug:: admin-side-data-storage-for-contact-form-7
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Admin side data storage for Contact Form 7
Plugin Slug:: admin-side-data-storage-for-contact-form-7
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Admin side data storage for Contact Form 7
Plugin Slug:: admin-side-data-storage-for-contact-form-7
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Adsmonetizer
Plugin Slug:: adsensei-b30
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: BeePress
Plugin Slug:: beepress
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Configure SMTP
Plugin Slug:: configure-smtp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Download Media
Plugin Slug:: download-media
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Duitku Payment Gateway
Plugin Slug:: duitku-social-payment-gateway
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Fontific | Google Fonts
Plugin Slug:: fontific
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Gestpay for WooCommerce
Plugin Slug:: gestpay-for-woocommerce
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Marketo Forms and Tracking
Plugin Slug:: marketo-forms-and-tracking
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Media Alt Renamer
Plugin Slug:: media-alt-renamer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit
Plugin Slug:: myshopkit-popup-smartbar-slidein
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: PayU India
Plugin Slug:: payu-india
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Play.ht
Plugin Slug:: play-ht
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High

Plugin:: postMash – custom post order
Plugin Slug:: postmash
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Rolo Slider
Plugin Slug:: rolo-slider
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Slivery Extender
Plugin Slug:: slivery-extender
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: SoundCloud Shortcode
Plugin Slug:: soundcloud-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Tabs Shortcode and Widget
Plugin Slug:: tabs-shortcode-and-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Tainacan
Plugin Slug:: tainacan
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: User Shortcodes Plus
Plugin Slug:: user-shortcodes-plus
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Watermark RELOADED
Plugin Slug:: watermark-reloaded
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High

Plugin Slug:: litespeed-cache
Installations: 5,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.7.0.1
Severity Score:: High

Plugin Slug:: litespeed-cache
Installations: 5,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.7.0.1
Severity Score:: High

Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.10.19
Severity Score:: Medium

Plugin Slug:: backwpup
Installations: 600,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.0.3
Severity Score:: Low

Plugin Slug:: pagelayer
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.1
Severity Score:: Medium

Plugin Slug:: pagelayer
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.3
Severity Score:: Medium

Plugin Slug:: themeisle-companion
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.32
Severity Score:: Medium

Plugin Slug:: themeisle-companion
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.31
Severity Score:: Medium

Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.8.3
Severity Score:: Critical

Plugin Slug:: userfeedback-lite
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.14
Severity Score:: High

Plugin Slug:: wp-user-avatar
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.15.1
Severity Score:: Medium

Plugin Slug:: wp-user-avatar
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.15.1
Severity Score:: Medium

Plugin Slug:: addon-elements-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.13
Severity Score:: Medium

Plugin Slug:: addon-elements-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.13
Severity Score:: Medium

Plugin Slug:: addon-elements-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.13
Severity Score:: High

Plugin Slug:: colibri-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.260
Severity Score:: Medium

Plugin Slug:: colibri-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.260
Severity Score:: Medium

Plugin Slug:: brizy
Installations: 80,000+
Vulnerability:: Directory Traversal
Patched in Version:: 2.4.41
Severity Score:: Medium

Plugin Slug:: brizy
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.41
Severity Score:: Medium

Plugin Slug:: brizy
Installations: 80,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.4.41
Severity Score:: Critical

Plugin Slug:: brizy
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.41
Severity Score:: Medium

Plugin Slug:: event-tickets
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.8.2
Severity Score:: Medium

Plugin Slug:: sydney-toolbox
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.26
Severity Score:: Medium

Plugin Slug:: enhanced-text-widget
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.6
Severity Score:: Medium

Plugin Slug:: notificationx
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.8.3
Severity Score:: Critical

Plugin Slug:: wp-dashboard-notes
Installations: 30,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.0.11
Severity Score:: Medium

Plugin Slug:: restrict-user-access
Installations: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.6
Severity Score:: Medium

Plugin Slug:: wp-event-manager
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.42
Severity Score:: High

Plugin Slug:: yml-for-yandex-market
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.4
Severity Score:: High

Plugin Slug:: smart-forms
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.87
Severity Score:: Medium

Plugin Slug:: maintenance-page
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.9
Severity Score:: Medium

Plugin Slug:: maintenance-page
Installations: 5,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.0.9
Severity Score:: Medium

Plugin Slug:: sms-alert
Installations: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.7.0
Severity Score:: Medium

Plugin Slug:: woo-thank-you-page-customizer
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.3
Severity Score:: Medium

Plugin Slug:: woo-thank-you-page-customizer
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.3
Severity Score:: Medium

Plugin Slug:: spiffy-calendar
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.9
Severity Score:: Medium

Plugin Slug:: academy
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.9.20
Severity Score:: High

Plugin Slug:: archivist-custom-archive-templates
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.6
Severity Score:: High

Plugin Slug:: wp-comment-fields
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.1
Severity Score:: Medium

Plugin Slug:: wp-comment-fields
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1
Severity Score:: Medium

Plugin Slug:: kodo-qiniu
Installations: 400+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.5.1
Severity Score:: Medium

Plugin:: Backup
Plugin Slug:: backup2
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.0.9.9
Severity Score:: High

Plugin:: Elementor Pro
Plugin Slug:: elementor-pro
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.19.3
Severity Score:: Medium

Plugin:: JobSearch
Plugin Slug:: wp-jobsearch
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.3.4
Severity Score:: Critical

Plugin:: JobSearch
Plugin Slug:: wp-jobsearch
Vulnerability:: Broken Authentication
Patched in Version:: 2.3.4
Severity Score:: Critical

Plugin:: WP Social Widget
Plugin Slug:: wp-social-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.6
Severity Score:: Medium

WordPress Themes — 2 Patched /0 Unpatched

Theme Slug:: colibri-wp
Downloads: 1,232,050
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.101
Severity Score:: Medium

Theme:: Socialdriver
Theme Slug:: socialdriver
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2024
Severity Score:: High

Source link

WordPress Vulnerability Report — February 28, 2024

Table of Contents

WordPress Core

WordPress Plugins — 46 Patched / 25 Unpatched

WordPress Themes — 2 Patched /0 Unpatched

VirusWord by Promaps, Inc.

Table of Contents

WordPress Core

WordPress Plugins — 46 Patched / 25 Unpatched

WordPress Themes — 2 Patched /0 Unpatched

Explore more