WordPress Vulnerability Report — June 26, 2024

In this report, 194 vulnerabilities have been publicly disclosed. Security patches for 100 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 94 plugin and themes vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 85 Patched / 91 Unpatched

2.1
Custom Field Suite
2.2
Custom Field Suite
2.3
Custom Field Suite
2.4
Academy LMS – eLearning and online course solution for WordPress
2.5
Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter
2.6
Event Monster – Event Management, Tickets Booking, Upcoming Event
2.7
My Favorites
2.8
Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms
2.9
Zoho Marketing Automation
2.10
Accordions
2.11
Ali2Woo Lite
2.12
Ali2Woo Lite
2.13
Ali2Woo Lite
2.14
Ali2Woo Lite
2.15
Ali2Woo Lite
2.16
Ali2Woo Lite
2.17
Ali2Woo Lite
2.18
Bible Text
2.19
Blogmentor – Blog Layouts for Elementor
2.20
Blogmentor – Blog Layouts for Elementor
2.21
Scheduling Plugin – Online Booking for WordPress
2.22
CB (legacy)
2.23
CB (legacy)
2.24
ContentLock
2.25
ContentLock
2.26
ContentLock
2.27
CSSable Countdown
2.28
Custom Product List Table
2.29
Demo Awesome
2.30
Demo Awesome
2.31
DImage 360
2.32
DOP Shortcodes
2.33
Elegant Themes Icons
2.34
EmbedSocial
2.35
Empty Cart Button for WooCommerce
2.36
Export WP Page to Static HTML/CSS
2.37
FS Poster
2.38
Universal Slider
2.39
Kanban Boards for WordPress
2.40
Kimili Flash Embed
2.41
Laybuy Payment Extension for WooCommerce
2.42
License Manager for WooCommerce
2.43
Lifeline Donation
2.44
Page Builder: Live Composer
2.45
Page Builder: Live Composer
2.46
Page Builder: Live Composer
2.47
Master Slider
2.48
Master Slider
2.49
Master Slider
2.50
MIMO Woocommerce Order Tracking
2.51
Restaurant Reservations
2.52
WordPress Picture / Portfolio / Media Gallery
2.53
OSM Map Widget for Elementor
2.54
Page Builder Sandwich – Front-End Page Builder
2.55
Page Builder Sandwich – Front-End Page Builder
2.56
Page Builder Sandwich – Front-End Page Builder
2.57
PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode
2.58
PDF Viewer for Elementor
2.59
Photo Video Gallery Master
2.60
phpinfo() WP
2.61
Play.ht
2.62
Promolayer
2.63
Replace Image
2.64
Shortcode Addons
2.65
Sketchfab Embed
2.66
Slideshow SE
2.67
Slideshow SE
2.68
SP Project & Document Manager
2.69
Transition Slider – Responsive Image Slider and Gallery
2.70
User Rights Access Manager
2.71
Tabs
2.72
Wheel of Life
2.73
WishList Member X
2.74
WishList Member X
2.75
WishList Member X
2.76
WishList Member X
2.77
WishList Member X
2.78
WishList Member X
2.79
WishList Member X
2.80
WishList Member X
2.81
Woocommerce Customers Order History
2.82
Word Balloon
2.83
WP Blog Post Layouts
2.84
WP Hotel Booking
2.85
WP Logs Book
2.86
WP Logs Book
2.87
Pexels: Free Stock Photos
2.88
WP Scraper
2.89
Widget Bundle
2.90
Widget Bundle
2.91
Widget Bundle
2.92
Loco Translate
2.93
Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN
2.94
Solid Security – Password, Two Factor Authentication, and Brute Force Protection
2.95
SiteGuard WP Plugin
2.96
SEOPress – On-site SEO
2.97
SEOPress – On-site SEO
2.98
SEOPress – On-site SEO
2.99
WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
2.100
Orbit Fox by ThemeIsle
2.101
Gallery Plugin for WordPress – Envira Photo Gallery
2.102
Defender Security – Malware Scanner, Login Security & Firewall
2.103
Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel
2.104
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce
2.105
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
2.106
Media Library Assistant
2.107
Booking for Appointments and Events Calendar – Amelia
2.108
User Profile Picture
2.109
WP 2FA – Two-factor authentication for WordPress
2.110
ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages
2.111
Photo Gallery, Images, Slider in Rbs Image Gallery
2.112
Photo Gallery, Images, Slider in Rbs Image Gallery
2.113
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
2.114
Ultimate Blocks – WordPress Blocks Plugin
2.115
WP Maintenance
2.116
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
2.117
BlossomThemes Email Newsletter
2.118
Greenshift – animation and page builder blocks
2.119
Themify – WooCommerce Product Filter
2.120
Hide Dashboard Notifications
2.121
WP SVG Images
2.122
Branda – White Label WordPress, Custom Login Page Customizer
2.123
Serious Slider
2.124
Table Addons for Elementor
2.125
WPZOOM Addons for Elementor (Templates, Widgets)
2.126
Business Directory Plugin – Easy Listing Directories for WordPress
2.127
JetWidgets For Elementor
2.128
MasterStudy LMS WordPress Plugin – for Online Courses and Education
2.129
MasterStudy LMS WordPress Plugin – for Online Courses and Education
2.130
Sparkle Demo Importer
2.131
WP Child Theme Generator
2.132
Enhance Your Posts with the WP Post Author Box, Co-Authors, Guest Authors, and Post Rating System, including Registration Form Builder
2.133
Vimeography: Vimeo Video Gallery WordPress Plugin
2.134
WP Magazine Modules Lite
2.135
WPAdverts – Classifieds Plugin
2.136
Salon Booking System
2.137
Salon Booking System
2.138
WP Job Portal – A Complete Recruitment System for Company or Job Board website
2.139
WP Job Portal – A Complete Recruitment System for Company or Job Board website
2.140
InstaWP Connect – 1-click WP Staging & Migration
2.141
Tickera – WordPress Event Ticketing
2.142
MaxGalleria
2.143
Newsletters
2.144
PropertyHive
2.145
WP-Lister Lite for eBay
2.146
affiliate-toolkit – WordPress Affiliate Plugin
2.147
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
2.148
Online Booking & Scheduling Calendar for WordPress by vcita
2.149
Online Booking & Scheduling Calendar for WordPress by vcita
2.150
WP Secure Maintenance
2.151
Church Admin
2.152
Easy Age Verify
2.153
Falang multilanguage for WordPress
2.154
Login with phone number
2.155
Newspack Newsletters
2.156
Shariff for WordPress
2.157
Image Optimizer, Resizer and CDN – Sirv
2.158
Typing Text
2.159
WPPizza – A Restaurant Plugin
2.160
Responsive video embed
2.161
Squeeze
2.162
Bricks Builder (Premium)
2.163
Consulting Elementor Widgets
2.164
Consulting Elementor Widgets
2.165
Consulting Elementor Widgets
2.166
Consulting Elementor Widgets
2.167
Cost Calculator Builder Pro
2.168
Hercules Core
2.169
Ibtana
2.170
Ibtana
2.171
Newspack Blocks
2.172
The Plus Addons for Elementor Pro
2.173
The Plus Addons for Elementor Pro
2.174
Uber Menu
2.175
Shortcodes by United Themes
2.176
WP Job Manager – Resume Manager

3. WordPress Themes — 15 Patched / 3 Unpatched

3.1
Sinatra
3.2
Grey Opaque
3.3
Mosaic
3.4
Book Landing Page
3.5
Chic Lite
3.6
Customizr
3.7
Digital Newspaper
3.8
Education Zone
3.9
Excellent
3.10
Hueman
3.11
Interface
3.12
Materialis
3.13
Vandana Lite
3.14
Vilva
3.15
Divi
3.16
Enfold
3.17
Flatsome
3.18
Flatsome

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.5.5 is now available! This release features three security fixes. Because this is a security release, it is recommended that you update your sites immediately. This minor release also includes 3 bug fixes in Core.

WordPress Plugins — 85 Patched / 91 Unpatched

Plugin Slug:: custom-field-suite
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High

Plugin Slug:: custom-field-suite
Installations: 50,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High

Plugin Slug:: custom-field-suite
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin Slug:: academy
Installations: 1,000+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Low

Plugin Slug:: custom-add-to-cart-button-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin Slug:: event-monster
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium

Plugin Slug:: my-favorites
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin Slug:: optinly
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin Slug:: zoho-marketinghub
Installations: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Accordions
Plugin Slug:: accordions-or-faqs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Bible Text
Plugin Slug:: bible-text
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Blogmentor – Blog Layouts for Elementor
Plugin Slug:: blogmentor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Blogmentor – Blog Layouts for Elementor
Plugin Slug:: blogmentor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Scheduling Plugin – Online Booking for WordPress
Plugin Slug:: calendar-booking
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: CB (legacy)
Plugin Slug:: commons-booking
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: CB (legacy)
Plugin Slug:: commons-booking
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: ContentLock
Plugin Slug:: contentlock
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: ContentLock
Plugin Slug:: contentlock
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: ContentLock
Plugin Slug:: contentlock
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: CSSable Countdown
Plugin Slug:: cssable-countdown
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Custom Product List Table
Plugin Slug:: custom-product-list-table
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Demo Awesome
Plugin Slug:: demo-awesome
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Demo Awesome
Plugin Slug:: demo-awesome
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: DImage 360
Plugin Slug:: dimage-360
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: DOP Shortcodes
Plugin Slug:: dop-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Elegant Themes Icons
Plugin Slug:: elegant-themes-icons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: EmbedSocial
Plugin Slug:: embedalbum-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Empty Cart Button for WooCommerce
Plugin Slug:: empty-cart-button-for-woocommerce
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Export WP Page to Static HTML/CSS
Plugin Slug:: export-wp-page-to-static-html
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: FS Poster
Plugin Slug:: fs-poster
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Universal Slider
Plugin Slug:: fusion-slider
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Kanban Boards for WordPress
Plugin Slug:: kanban
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Kimili Flash Embed
Plugin Slug:: kimili-flash-embed
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Laybuy Payment Extension for WooCommerce
Plugin Slug:: laybuy-gateway-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: License Manager for WooCommerce
Plugin Slug:: license-manager-for-woocommerce
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Lifeline Donation
Plugin Slug:: lifeline-donation
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical

Plugin:: Page Builder: Live Composer
Plugin Slug:: live-composer-page-builder
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Page Builder: Live Composer
Plugin Slug:: live-composer-page-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Page Builder: Live Composer
Plugin Slug:: live-composer-page-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Master Slider
Plugin Slug:: master-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Master Slider
Plugin Slug:: master-slider
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Master Slider
Plugin Slug:: master-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: MIMO Woocommerce Order Tracking
Plugin Slug:: mimo-woocommerce-order-tracking
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Restaurant Reservations
Plugin Slug:: nd-restaurant-reservations
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: WordPress Picture / Portfolio / Media Gallery
Plugin Slug:: nimble-portfolio
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: OSM Map Widget for Elementor
Plugin Slug:: osm-map-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Page Builder Sandwich – Front-End Page Builder
Plugin Slug:: page-builder-sandwich
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Page Builder Sandwich – Front-End Page Builder
Plugin Slug:: page-builder-sandwich
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Page Builder Sandwich – Front-End Page Builder
Plugin Slug:: page-builder-sandwich
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode
Plugin Slug:: paypal-pay-buy-donation-and-cart-buttons-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: PDF Viewer for Elementor
Plugin Slug:: pdf-viewer-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Photo Video Gallery Master
Plugin Slug:: photo-video-gallery-master
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High

Plugin:: phpinfo() WP
Plugin Slug:: phpinfo-wp
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Play.ht
Plugin Slug:: play-ht
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Promolayer
Plugin Slug:: promolayer-popup-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Replace Image
Plugin Slug:: replace-image
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Shortcode Addons
Plugin Slug:: shortcode-addons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Sketchfab Embed
Plugin Slug:: sketchfab-oembed
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Slideshow SE
Plugin Slug:: slideshow-se
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Slideshow SE
Plugin Slug:: slideshow-se
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: SP Project & Document Manager
Plugin Slug:: sp-client-document-manager
Vulnerability:: Directory Traversal
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Transition Slider – Responsive Image Slider and Gallery
Plugin Slug:: transition-slider-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: User Rights Access Manager
Plugin Slug:: user-rights-access-manager
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Tabs
Plugin Slug:: vc-tabs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Wheel of Life
Plugin Slug:: wheel-of-life
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Critical

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Denial of Service Attack
Patched in Version:: No Fix
Severity Score:: High

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Arbitrary Code Execution
Patched in Version:: No Fix
Severity Score:: Critical

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Woocommerce Customers Order History
Plugin Slug:: woo-customers-order-history
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Word Balloon
Plugin Slug:: word-balloon
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: WP Blog Post Layouts
Plugin Slug:: wp-blog-post-layouts
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: WP Hotel Booking
Plugin Slug:: wp-hotel-booking
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical

Plugin:: WP Logs Book
Plugin Slug:: wp-logs-book
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: WP Logs Book
Plugin Slug:: wp-logs-book
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Pexels: Free Stock Photos
Plugin Slug:: wp-pexels-free-stock-photos
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High

Plugin:: WP Scraper
Plugin Slug:: wp-scraper
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Widget Bundle
Plugin Slug:: wp-widget-bundle
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Widget Bundle
Plugin Slug:: wp-widget-bundle
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Widget Bundle
Plugin Slug:: wp-widget-bundle
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin Slug:: loco-translate
Installations: 1,000,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.6.10
Severity Score:: Medium

Plugin Slug:: wp-smushit
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.16.5
Severity Score:: Medium

Plugin Slug:: better-wp-security
Installations: 900,000+
Vulnerability:: Denial of Service Attack
Patched in Version:: 9.3.2
Severity Score:: Low

Plugin Slug:: siteguard
Installations: 500,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.7.7
Severity Score:: Medium

Plugin Slug:: wp-seopress
Installations: 300,000+
Vulnerability:: Open Redirection
Patched in Version:: 7.8
Severity Score:: Medium

Plugin Slug:: wp-seopress
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.8
Severity Score:: Medium

Plugin Slug:: wp-seopress
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.9.1
Severity Score:: Medium

Plugin Slug:: cartflows
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.8
Severity Score:: Medium

Plugin Slug:: themeisle-companion
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.35
Severity Score:: Medium

Plugin Slug:: envira-gallery-lite
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.8.8
Severity Score:: Medium

Plugin Slug:: defender-security
Installations: 90,000+
Vulnerability:: Broken Authentication
Patched in Version:: 3.3.3
Severity Score:: Medium

Plugin Slug:: depicter
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.0
Severity Score:: Medium

Plugin Slug:: email-subscribers
Installations: 90,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.7.24
Severity Score:: Critical

Plugin Slug:: paid-memberships-pro
Installations: 90,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.0
Severity Score:: Medium

Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.17
Severity Score:: High

Plugin Slug:: ameliabooking
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.6
Severity Score:: Medium

Plugin Slug:: metronet-profile-picture
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.2
Severity Score:: Medium

Plugin Slug:: wp-2fa
Installations: 60,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.6.4
Severity Score:: Medium

Plugin Slug:: convertkit
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.9.1
Severity Score:: Medium

Plugin Slug:: robo-gallery
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.20
Severity Score:: Medium

Plugin Slug:: robo-gallery
Installations: 50,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.2.20
Severity Score:: Medium

Plugin Slug:: sina-extension-for-elementor
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.5
Severity Score:: Medium

Plugin Slug:: ultimate-blocks
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.1
Severity Score:: Medium

Plugin Slug:: wp-maintenance
Installations: 50,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 6.1.9.3
Severity Score:: Medium

Plugin Slug:: ays-popup-box
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.5.2
Severity Score:: Medium

Plugin Slug:: blossomthemes-email-newsletter
Installations: 30,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.2.7
Severity Score:: Medium

Plugin Slug:: greenshift-animation-and-page-builder-blocks
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.9.4
Severity Score:: Medium

Plugin Slug:: themify-wc-product-filter
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.0
Severity Score:: Critical

Plugin Slug:: wp-hide-backed-notices
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.1
Severity Score:: Medium

Plugin Slug:: wp-svg-images
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3
Severity Score:: Medium

Plugin Slug:: branda-white-labeling
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.18
Severity Score:: Medium

Plugin Slug:: cryout-serious-slider
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.5
Severity Score:: Medium

Plugin Slug:: table-addons-for-elementor
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.3
Severity Score:: Medium

Plugin Slug:: wpzoom-elementor-addons
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.39
Severity Score:: Medium

Plugin Slug:: business-directory-plugin
Installations: 10,000+
Vulnerability:: CSV Injection
Patched in Version:: 6.4.4
Severity Score:: Medium

Plugin Slug:: jetwidgets-for-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.18
Severity Score:: Medium

Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.13
Severity Score:: High

Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.2.2
Severity Score:: Medium

Plugin Slug:: sparkle-demo-importer
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.8
Severity Score:: Medium

Plugin Slug:: wp-child-theme-generator
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.2
Severity Score:: Medium

Plugin Slug:: wp-post-author
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.8
Severity Score:: Medium

Plugin Slug:: vimeography
Installations: 8,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.2
Severity Score:: Medium

Plugin Slug:: wp-magazine-modules-lite
Installations: 7,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.3
Severity Score:: High

Plugin Slug:: wpadverts
Installations: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.3
Severity Score:: Medium

Plugin Slug:: salon-booking-system
Installations: 5,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 10.0
Severity Score:: High

Plugin Slug:: salon-booking-system
Installations: 5,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 10.3
Severity Score:: Critical

Plugin Slug:: wp-job-portal
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.4
Severity Score:: Medium

Plugin Slug:: wp-job-portal
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.4
Severity Score:: Medium

Plugin Slug:: instawp-connect
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.1.0.39
Severity Score:: Critical

Plugin Slug:: tickera-event-ticketing-system
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.2.9
Severity Score:: Medium

Plugin Slug:: maxgalleria
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.5
Severity Score:: Medium

Plugin Slug:: newsletters-lite
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.9.8
Severity Score:: Medium

Plugin Slug:: propertyhive
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.10
Severity Score:: Medium

Plugin Slug:: wp-lister-for-ebay
Installations: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.5.9
Severity Score:: High

Plugin Slug:: affiliate-toolkit-starter
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.4.5
Severity Score:: Medium

Plugin Slug:: groundhogg
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.4.3
Severity Score:: Medium

Plugin Slug:: meeting-scheduler-by-vcita
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.3
Severity Score:: High

Plugin Slug:: meeting-scheduler-by-vcita
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.1
Severity Score:: Medium

Plugin Slug:: wp-secure-maintainance
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7
Severity Score:: Medium

Plugin Slug:: church-admin
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.5
Severity Score:: Medium

Plugin Slug:: easy-age-verify
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.3
Severity Score:: Medium

Plugin Slug:: falang
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.52
Severity Score:: Medium

Plugin Slug:: login-with-phone-number
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.35
Severity Score:: High

Plugin Slug:: newspack-newsletters
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.13.3
Severity Score:: Medium

Plugin Slug:: shariff-sharing
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.6.14
Severity Score:: Critical

Plugin Slug:: sirv
Installations: 1,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 7.2.7
Severity Score:: Critical

Plugin Slug:: typing-text
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.6
Severity Score:: Medium

Plugin Slug:: wppizza
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.18.14
Severity Score:: High

Plugin Slug:: responsive-video-embed
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.5.1
Severity Score:: Medium

Plugin Slug:: squeeze
Installations: 200+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.4.1
Severity Score:: Critical

Plugin:: Bricks Builder (Premium)
Plugin Slug:: bricksbuilder
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.9.9
Severity Score:: Medium

Plugin:: Consulting Elementor Widgets
Plugin Slug:: consulting-elementor-widgets
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.1
Severity Score:: High

Plugin:: Consulting Elementor Widgets
Plugin Slug:: consulting-elementor-widgets
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.3.1
Severity Score:: Critical

Plugin:: Consulting Elementor Widgets
Plugin Slug:: consulting-elementor-widgets
Vulnerability:: SQL Injection
Patched in Version:: 1.3.1
Severity Score:: High

Plugin:: Consulting Elementor Widgets
Plugin Slug:: consulting-elementor-widgets
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.1
Severity Score:: Critical

Plugin:: Cost Calculator Builder Pro
Plugin Slug:: cost-calculator-builder-pro
Vulnerability:: Content Spoofing
Patched in Version:: 3.1.76
Severity Score:: Medium

Plugin:: Hercules Core
Plugin Slug:: hercules-core
Vulnerability:: Settings Change
Patched in Version:: 6.7
Severity Score:: High

Plugin:: Ibtana
Plugin Slug:: ibtana-visual-editor
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.3.4
Severity Score:: Medium

Plugin:: Ibtana
Plugin Slug:: ibtana-visual-editor
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.3.4
Severity Score:: Medium

Plugin:: Newspack Blocks
Plugin Slug:: newspack-blocks
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.0.9
Severity Score:: High

Plugin:: The Plus Addons for Elementor Pro
Plugin Slug:: theplus_elementor_addon
Vulnerability:: Local File Inclusion
Patched in Version:: 5.6.0
Severity Score:: High

Plugin:: The Plus Addons for Elementor Pro
Plugin Slug:: theplus_elementor_addon
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.0
Severity Score:: High

Plugin:: Uber Menu
Plugin Slug:: ubermenu
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.8.4
Severity Score:: Medium

Plugin:: Shortcodes by United Themes
Plugin Slug:: ut-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.5
Severity Score:: High

Plugin:: WP Job Manager – Resume Manager
Plugin Slug:: wp-job-manager-resumes
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.2.0
Severity Score:: Medium

WordPress Themes — 15 Patched / 3 Unpatched

Theme Slug:: sinatra
Downloads: 1,639,897
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Theme:: Grey Opaque
Theme Slug:: grey-opaque
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Theme:: Mosaic
Theme Slug:: mosaic
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Theme Slug:: book-landing-page
Downloads: 128,701
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.4
Severity Score:: Medium

Theme Slug:: chic-lite
Downloads: 216,515
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.4
Severity Score:: Medium

Theme Slug:: customizr
Downloads: 4,188,035
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.4.22
Severity Score:: Medium

Theme Slug:: digital-newspaper
Downloads: 47,141
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.6
Severity Score:: Medium

Theme Slug:: education-zone
Downloads: 444,963
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.5
Severity Score:: Medium

Theme Slug:: excellent
Downloads: 116,583
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium

Theme Slug:: hueman
Downloads: 3,005,399
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.7.25
Severity Score:: Medium

Theme Slug:: interface
Downloads: 429,855
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.1
Severity Score:: Medium

Theme Slug:: materialis
Downloads: 255,867
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.30
Severity Score:: Medium

Theme Slug:: vandana-lite
Downloads: 117,403
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.0
Severity Score:: Medium

Theme Slug:: vilva
Downloads: 441,200
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.3
Severity Score:: Medium

Theme:: Divi
Theme Slug:: divi
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.25.2
Severity Score:: Medium

Theme:: Enfold
Theme Slug:: enfold
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.10
Severity Score:: High

Theme:: Flatsome
Theme Slug:: flatsome
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.19.0
Severity Score:: Medium

Theme:: Flatsome
Theme Slug:: flatsome
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.19.0
Severity Score:: Medium

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Source link

WordPress Vulnerability Report — June 26, 2024

Table of Contents

WordPress Core

WordPress Plugins — 85 Patched / 91 Unpatched

WordPress Themes — 15 Patched / 3 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

VirusWord by Promaps, Inc.

Table of Contents

WordPress Core

WordPress Plugins — 85 Patched / 91 Unpatched

WordPress Themes — 15 Patched / 3 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Explore more