WordPress Vulnerability Report — January 31, 2024

In this report, 53 vulnerabilities have been publicly disclosed. Security patches for 36 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 17 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the reasons why WordPress websites get hacked. (See our Annual Vulnerability Report for 2022.) Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 35 Patched / 17 Unpatched

2.1
aBitGone CommentSafe
2.2
Add SVG Support for Media Uploader | inventivo
2.3
Advanced Schedule Posts
2.4
Better Follow Button for Jetpack
2.5
enigma chart.js
2.6
enigma chart.js
2.7
(Simply) Guest Author Name
2.8
lasTunes
2.9
illi Link Party!
2.10
illi Link Party!
2.11
illi Link Party!
2.12
Mang Board WP
2.13
Splashscreen
2.14
SVG Uploads Support
2.15
Ultimate Noindex Nofollow Tool
2.16
Marketing Twitter Bot
2.17
WP-Reply Notify
2.18
Better Search Replace
2.19
File Manager
2.20
WP Go Maps (formerly WP Google Maps)
2.21
Migration, Backup, Staging – WPvivid
2.22
Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
2.23
Backuply – Backup, Restore, Migrate and Clone
2.24
Photo Gallery by 10Web – Mobile-Friendly Image Gallery
2.25
AMP for WP – Accelerated Mobile Pages
2.26
FileBird – WordPress Media Library Folders & File Manager
2.27
Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
2.28
VK Block Patterns
2.29
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.30
WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
2.31
Exclusive Addons for Elementor
2.32
Exclusive Addons for Elementor
2.33
10Web AI Assistant – AI content writing assistant
2.34
WP Dashboard Notes
2.35
Meks Smart Social Widget
2.36
PDF Poster – PDF Embedder Plugin for WordPress
2.37
WordPress Simple Shopping Cart
2.38
Cryptocurrency Widgets – Price Ticker & Coins List
2.39
WP Customer Area
2.40
PDF Generator For Fluent Forms – The Contact Form Plugin
2.41
Category Discount Woocommerce
2.42
Category Discount Woocommerce
2.43
Sticky Buttons – floating buttons builder
2.44
Dragfy Addons for Elementor
2.45
InstaWP Connect – 1-click WP Staging & Migration
2.46
InstaWP Connect – 1-click WP Staging & Migration
2.47
Views for WPForms – Display & Edit WPForms Entries on your site frontend
2.48
Allow SVG
2.49
coreActivity: Activity Logging plugin for WordPress
2.50
MaxButtons
2.51
File Manager Pro
2.52
WPForms Pro

3. WordPress Themes — 1 Patched / 0 Unpatched

3.1
ColorMag

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.

The next major release will be version 6.5, planned for March 26, 2024.

WordPress Plugins — 35 Patched / 17 Unpatched

Plugin:: aBitGone CommentSafe
Plugin Slug:: abitgone-commentsafe
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Add SVG Support for Media Uploader | inventivo
Plugin Slug:: add-svg-support-for-media-uploader-inventivo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Advanced Schedule Posts
Plugin Slug:: advanced-schedule-posts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Better Follow Button for Jetpack
Plugin Slug:: better-follow-button-for-jetpack
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: enigma chart.js
Plugin Slug:: enigma-chartjs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: enigma chart.js
Plugin Slug:: enigma-chartjs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: (Simply) Guest Author Name
Plugin Slug:: guest-author-name
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: lasTunes
Plugin Slug:: lastunes
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: illi Link Party!
Plugin Slug:: link-party
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: illi Link Party!
Plugin Slug:: link-party
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: illi Link Party!
Plugin Slug:: link-party
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Mang Board WP
Plugin Slug:: mangboard
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Splashscreen
Plugin Slug:: splashscreen
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: SVG Uploads Support
Plugin Slug:: svg-uploads-support
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Ultimate Noindex Nofollow Tool
Plugin Slug:: ultimate-noindex-nofollow-tool
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Marketing Twitter Bot
Plugin Slug:: wordpress-twitterbot
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: WP-Reply Notify
Plugin Slug:: wp-reply-notify
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin Slug:: better-search-replace
Installations: 1,000,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4.5
Severity Score:: Critical

Plugin Slug:: wp-file-manager
Installations: 1,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.2.2
Severity Score:: High

Plugin Slug:: wp-google-maps
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.0.29
Severity Score:: High

Plugin Slug:: wpvivid-backuprestore
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.9.95
Severity Score:: Medium

Plugin Slug:: formidable
Installations: 300,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.8
Severity Score:: Medium

Plugin Slug:: backuply
Installations: 200,000+
Vulnerability:: Directory Traversal
Patched in Version:: 1.2.4
Severity Score:: Medium

Plugin Slug:: photo-gallery
Installations: 200,000+
Vulnerability:: Directory Traversal
Patched in Version:: 1.8.20
Severity Score:: Critical

Plugin Slug:: accelerated-mobile-pages
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.93
Severity Score:: High

Plugin Slug:: filebird
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.1
Severity Score:: Medium

Plugin Slug:: instant-images
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.1.1
Severity Score:: High

Plugin Slug:: vk-block-patterns
Installations: 80,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.31.2.0
Severity Score:: Medium

Plugin Slug:: form-maker
Installations: 60,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.15.22
Severity Score:: Medium

Plugin Slug:: wp-rss-aggregator
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.23.5
Severity Score:: Medium

Plugin Slug:: exclusive-addons-for-elementor
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.9
Severity Score:: Medium

Plugin Slug:: exclusive-addons-for-elementor
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.9
Severity Score:: Medium

Plugin Slug:: ai-assistant-by-10web
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.19
Severity Score:: Medium

Plugin Slug:: wp-dashboard-notes
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.11
Severity Score:: Medium

Plugin Slug:: meks-smart-social-widget
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.4
Severity Score:: Medium

Plugin Slug:: pdf-poster
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.18
Severity Score:: High

Plugin Slug:: wordpress-simple-paypal-shopping-cart
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.7.2
Severity Score:: Medium

Plugin Slug:: cryptocurrency-price-ticker-widget
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.6.6
Severity Score:: Critical

Plugin Slug:: customer-area
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.3
Severity Score:: High

Plugin Slug:: fluentforms-pdf
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.8
Severity Score:: Medium

Plugin Slug:: woo-product-category-discount
Installations: 7,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.12
Severity Score:: Medium

Plugin Slug:: woo-product-category-discount
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.13
Severity Score:: Medium

Plugin Slug:: sticky-buttons
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.3
Severity Score:: Medium

Plugin Slug:: dragfy-addons-for-elementor
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.3.2
Severity Score:: Medium

Plugin Slug:: instawp-connect
Installations: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: 0.1.0.10
Severity Score:: High

Plugin Slug:: instawp-connect
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 0.1.0.10
Severity Score:: High

Plugin Slug:: views-for-wpforms-lite
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.3
Severity Score:: Medium

Plugin Slug:: allow-svg
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.0
Severity Score:: Medium

Plugin Slug:: coreactivity
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.1
Severity Score:: High

Plugin:: MaxButtons
Plugin Slug:: maxbutton
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.7.7
Severity Score:: Medium

Plugin:: File Manager Pro
Plugin Slug:: wp-file-manager-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: 8.3.5
Severity Score:: High

Plugin:: WPForms Pro
Plugin Slug:: wpforms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.5.4
Severity Score:: High

WordPress Themes — 1 Patched / 0 Unpatched

Theme Slug:: colormag
Downloads: 3,799,423
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.3
Severity Score:: Medium

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Source link

WordPress Vulnerability Report — January 31, 2024

Table of Contents

WordPress Core

WordPress Plugins — 35 Patched / 17 Unpatched

WordPress Themes — 1 Patched / 0 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

VirusWord by Promaps, Inc.

Table of Contents

WordPress Core

WordPress Plugins — 35 Patched / 17 Unpatched

WordPress Themes — 1 Patched / 0 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Explore more