WordPress Vulnerability Report — May 22, 2024

In this report, 153 vulnerabilities have been publicly disclosed. Security patches for 119 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 34 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.5.3 was released on May 7, 2024, as a short-cycle maintenance release. This release features 12 bug fixes on Core and 9 bug fixes for the Block editor.

The next major release will be version 6.6, planned for July 2024.

No new core vulnerabilities were disclosed this week.

WordPress Plugins — 109 Patched / 33 Unpatched

Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer

Plugin:

Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer

Plugin Slug:
clearfy

Installations
80,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34806

The vulnerability has not been patched. You should deactivate the plugin.

Tagembed: Embed Twitter Feed, Google Reviews, YouTube Videos, TikTok, RSS Feed & More Social Media Feeds

Plugin:

Tagembed: Embed Twitter Feed, Google Reviews, YouTube Videos, TikTok, RSS Feed & More Social Media Feeds

Plugin Slug:
tagembed-widget

Installations
8,000+

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34804

The vulnerability has not been patched. You should deactivate the plugin.

Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More

Plugin:

Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More

Plugin Slug:
popup-maker-wp

Installations
7,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34770

The vulnerability has not been patched. You should deactivate the plugin.

reCAPTCHA Jetpack

Plugin:

reCAPTCHA Jetpack

Plugin Slug:
recaptcha-jetpack

Installations
700+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

CVE:

2024-3941

The vulnerability has not been patched. You should deactivate the plugin.

reCAPTCHA Jetpack

Plugin:

reCAPTCHA Jetpack

Plugin Slug:
recaptcha-jetpack

Installations
700+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-3940

The vulnerability has not been patched. You should deactivate the plugin.

UnGallery

Plugin:

UnGallery

Plugin Slug:
ungallery

Installations
50+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

CVE:

2024-3582

The vulnerability has not been patched. You should deactivate the plugin.

Add Custom CSS and JS

Plugin:

Add Custom CSS and JS

Plugin Slug:
add-custom-css-and-js

Installations
10+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

CVE:

2024-3903

The vulnerability has not been patched. You should deactivate the plugin.

WP Stacker

Plugin:

WP Stacker

Plugin Slug:
wp-stacker

Installations
10+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

CVE:

2024-5003

The vulnerability has not been patched. You should deactivate the plugin.

AdFoxly – Ad Manager, AdSense Ads & Ads.txt

Plugin:

AdFoxly – Ad Manager, AdSense Ads & Ads.txt

Plugin Slug:
adfoxly

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34802

The vulnerability has not been patched. You should deactivate the plugin.

Base64 Encoder/Decoder

Plugin:

Base64 Encoder/Decoder

Plugin Slug:
base64-encoderdecoder

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-3824

The vulnerability has not been patched. You should deactivate the plugin.

Base64 Encoder/Decoder

Plugin:

Base64 Encoder/Decoder

Plugin Slug:
base64-encoderdecoder

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-3823

The vulnerability has not been patched. You should deactivate the plugin.

Base64 Encoder/Decoder

Plugin:

Base64 Encoder/Decoder

Plugin Slug:
base64-encoderdecoder

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

CVE:

2024-3822

The vulnerability has not been patched. You should deactivate the plugin.

Crafthemes Demo Import

Plugin:

Crafthemes Demo Import

Plugin Slug:
crafthemes-demo-import

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
High

CVE:

2024-34800

The vulnerability has not been patched. You should deactivate the plugin.

Dextaz Ping

Plugin:

Dextaz Ping

Plugin Slug:
dextaz-ping

Vulnerability:
Remote Code Execution (RCE)

Patched in Version:
No Fix

Severity Score:
Critical

CVE:

2024-34792

The vulnerability has not been patched. You should deactivate the plugin.

Elegant Blocks

Plugin:

Elegant Blocks

Plugin Slug:
elegant-blocks

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34769

The vulnerability has not been patched. You should deactivate the plugin.

Fast Custom Social Share by CodeBard

Plugin:

Fast Custom Social Share by CodeBard

Plugin Slug:
fast-custom-social-share-by-codebard

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34807

The vulnerability has not been patched. You should deactivate the plugin.

HL Twitter

Plugin:

HL Twitter

Plugin Slug:
hl-twitter

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-3630

The vulnerability has not been patched. You should deactivate the plugin.

HL Twitter

Plugin:

HL Twitter

Plugin Slug:
hl-twitter

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-3629

The vulnerability has not been patched. You should deactivate the plugin.

LetterPress

Plugin:

LetterPress

Plugin Slug:
letterpress

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-3590

The vulnerability has not been patched. You should deactivate the plugin.

Newsletter Popup

Plugin:

Newsletter Popup

Plugin Slug:
newsletter-popup

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-3644

The vulnerability has not been patched. You should deactivate the plugin.

Popup4Phone

Plugin:

Popup4Phone

Plugin Slug:
popup4phone

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-3580

The vulnerability has not been patched. You should deactivate the plugin.

Popup4Phone

Plugin:

Popup4Phone

Plugin Slug:
popup4phone

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

CVE:

2024-3231

The vulnerability has not been patched. You should deactivate the plugin.

PopupAlly

Plugin:

PopupAlly

Plugin Slug:
popupally

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34796

The vulnerability has not been patched. You should deactivate the plugin.

Praison SEO WordPress

Plugin:

Praison SEO WordPress

Plugin Slug:
seo-wordpress

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34801

The vulnerability has not been patched. You should deactivate the plugin.

Simple Popup Manager

Plugin:

Simple Popup Manager

Plugin Slug:
simple-popup-manager

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34797

The vulnerability has not been patched. You should deactivate the plugin.

SP Project & Document Manager

Plugin:

SP Project & Document Manager

Plugin Slug:
sp-client-document-manager

Vulnerability:
Insecure Direct Object References (IDOR)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-3748

The vulnerability has not been patched. You should deactivate the plugin.

SP Project & Document Manager

Plugin:

SP Project & Document Manager

Plugin Slug:
sp-client-document-manager

Vulnerability:
Directory Traversal

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-1693

The vulnerability has not been patched. You should deactivate the plugin.

Tainacan

Plugin:

Tainacan

Plugin Slug:
tainacan

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34795

The vulnerability has not been patched. You should deactivate the plugin.

Tainacan

Plugin:

Tainacan

Plugin Slug:
tainacan

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

CVE:

2024-34794

The vulnerability has not been patched. You should deactivate the plugin.

WP Backpack

Plugin:

WP Backpack

Plugin Slug:
wp-backpack

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-4756

The vulnerability has not been patched. You should deactivate the plugin.

WP Next Post Navi

Plugin:

WP Next Post Navi

Plugin Slug:
wp-next-post-navi

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34793

The vulnerability has not been patched. You should deactivate the plugin.

WP Prayer

Plugin:

WP Prayer

Plugin Slug:
wp-prayer

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-3405

The vulnerability has not been patched. You should deactivate the plugin.

WPB Elementor Addons

Plugin:

WPB Elementor Addons

Plugin Slug:
wpb-elementor-addons

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34791

The vulnerability has not been patched. You should deactivate the plugin.

Elementor Website Builder – More than Just a Page Builder

Plugin:

Elementor Website Builder – More than Just a Page Builder

Plugin Slug:
elementor

Installations
5,000,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.21.6

Severity Score:
Medium

CVE:

2024-4619

The vulnerability has been patched, so you should update to version 3.21.6.

Yoast SEO

Plugin:

Yoast SEO

Plugin Slug:
wordpress-seo

Installations
5,000,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
22.7

Severity Score:
Medium

CVE:

2024-4984

The vulnerability has been patched, so you should update to version 22.7.

Jetpack – WP Security, Backup, Speed, & Growth

Plugin:

Jetpack – WP Security, Backup, Speed, & Growth

Plugin Slug:
jetpack

Installations
4,000,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
13.4

Severity Score:
Medium

CVE:

2024-4392

The vulnerability has been patched, so you should update to version 13.4.

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Plugin:

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Plugin Slug:
essential-addons-for-elementor-lite

Installations
2,000,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.9.16

Severity Score:
Medium

CVE:

2024-34764

The vulnerability has been patched, so you should update to version 5.9.16.

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Plugin:

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Plugin Slug:
essential-addons-for-elementor-lite

Installations
2,000,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.9.21

Severity Score:
Medium

CVE:

2024-4624

The vulnerability has been patched, so you should update to version 5.9.21.

Rank Math SEO with AI Best SEO Tools

Plugin:

Rank Math SEO with AI Best SEO Tools

Plugin Slug:
seo-by-rank-math

Installations
2,000,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.0.219-beta

Severity Score:
Medium

CVE:

2024-4617

The vulnerability has been patched, so you should update to version 1.0.219-beta.

Elementor Header & Footer Builder

Plugin:

Elementor Header & Footer Builder

Plugin Slug:
header-footer-elementor

Installations
1,000,000+

Vulnerability:
Content Injection

Patched in Version:
1.6.27

Severity Score:
Medium

CVE:

2024-2619

The vulnerability has been patched, so you should update to version 1.6.27.

Elementor Header & Footer Builder

Plugin:

Elementor Header & Footer Builder

Plugin Slug:
header-footer-elementor

Installations
1,000,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.6.29

Severity Score:
Medium

CVE:

2024-4634

The vulnerability has been patched, so you should update to version 1.6.29.

Page Builder by SiteOrigin

Plugin:

Page Builder by SiteOrigin

Plugin Slug:
siteorigin-panels

Installations
700,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.29.16

Severity Score:
Medium

CVE:

2024-4361

The vulnerability has been patched, so you should update to version 2.29.16.

The Events Calendar

Plugin:

The Events Calendar

Plugin Slug:
the-events-calendar

Installations
700,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
6.4.0.1

Severity Score:
High

CVE:

2024-4180

The vulnerability has been patched, so you should update to version 6.4.0.1.

WP Shortcodes Plugin — Shortcodes Ultimate

Plugin:

WP Shortcodes Plugin — Shortcodes Ultimate

Plugin Slug:
shortcodes-ultimate

Installations
600,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
7.1.6

Severity Score:
Medium

CVE:

2024-4553

The vulnerability has been patched, so you should update to version 7.1.6.

WP Shortcodes Plugin — Shortcodes Ultimate

Plugin:

WP Shortcodes Plugin — Shortcodes Ultimate

Plugin Slug:
shortcodes-ultimate

Installations
600,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
7.1.2

Severity Score:
Medium

CVE:

2024-3548

The vulnerability has been patched, so you should update to version 7.1.2.

NextGEN Gallery – Create an Amazing Photo Gallery in Seconds

Plugin:

NextGEN Gallery – Create an Amazing Photo Gallery in Seconds

Plugin Slug:
nextgen-gallery

Installations
500,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.59.1

Severity Score:
Medium

CVE:

2024-2744

The vulnerability has been patched, so you should update to version 3.59.1.

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Plugin:

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Plugin Slug:
fluentform

Installations
400,000+

Vulnerability:
Privilege Escalation

Patched in Version:
5.1.17

Severity Score:
Critical

CVE:

2024-2771

The vulnerability has been patched, so you should update to version 5.1.17.

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Plugin:

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Plugin Slug:
fluentform

Installations
400,000+

Vulnerability:
Broken Access Control

Patched in Version:
5.1.17

Severity Score:
High

CVE:

2024-2782

The vulnerability has been patched, so you should update to version 5.1.17.

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Plugin:

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Plugin Slug:
fluentform

Installations
400,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.1.14

Severity Score:
Medium

CVE:

2024-2772

The vulnerability has been patched, so you should update to version 5.1.14.

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Plugin:

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Plugin Slug:
fluentform

Installations
400,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.1.17

Severity Score:
Medium

CVE:

2024-4709

The vulnerability has been patched, so you should update to version 5.1.17.

Happy Addons for Elementor

Plugin:

Happy Addons for Elementor

Plugin Slug:
happy-elementor-addons

Installations
400,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.10.9

Severity Score:
Medium

CVE:

2024-4865

The vulnerability has been patched, so you should update to version 3.10.9.

Happy Addons for Elementor

Plugin:

Happy Addons for Elementor

Plugin Slug:
happy-elementor-addons

Installations
400,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.10.8

Severity Score:
Medium

CVE:

2024-4478

The vulnerability has been patched, so you should update to version 3.10.8.

Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Plugin:

Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Plugin Slug:
kadence-blocks

Installations
400,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.2.37

Severity Score:
Medium

CVE:

2024-4057

The vulnerability has been patched, so you should update to version 3.2.37.

Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Plugin:

Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Plugin Slug:
kadence-blocks

Installations
400,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.2.38

Severity Score:
Medium

CVE:

2024-3189

The vulnerability has been patched, so you should update to version 3.2.38.

Password Protected – Ultimate Plugin to Protect WordPress Site, Pages & WooCommerce Store

Plugin:

Password Protected – Ultimate Plugin to Protect WordPress Site, Pages & WooCommerce Store

Plugin Slug:
password-protected

Installations
400,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.6.7

Severity Score:
Medium

CVE:

2024-0437

The vulnerability has been patched, so you should update to version 2.6.7.

Royal Elementor Addons and Templates

Plugin:

Royal Elementor Addons and Templates

Plugin Slug:
royal-elementor-addons

Installations
300,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.3.975

Severity Score:
Medium

CVE:

2024-3887

The vulnerability has been patched, so you should update to version 1.3.975.

Menu Icons by ThemeIsle

Plugin:

Menu Icons by ThemeIsle

Plugin Slug:
menu-icons

Installations
200,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
0.13.14

Severity Score:
Medium

CVE:

2024-4635

The vulnerability has been patched, so you should update to version 0.13.14.

Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF

Plugin:

Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF

Plugin Slug:
optimole-wp

Installations
200,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.13.0

Severity Score:
Medium

CVE:

2024-4636

The vulnerability has been patched, so you should update to version 3.13.0.

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Plugin:

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Plugin Slug:
essential-blocks

Installations
100,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.5.13

Severity Score:
Medium

CVE:

2024-4891

The vulnerability has been patched, so you should update to version 4.5.13.

GiveWP – Donation Plugin and Fundraising Platform

Plugin:

GiveWP – Donation Plugin and Fundraising Platform

Plugin Slug:
give

Installations
100,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.11.0

Severity Score:
Medium

CVE:

2024-3714

The vulnerability has been patched, so you should update to version 3.11.0.

HT Mega – Absolute Addons For Elementor

Plugin:

HT Mega – Absolute Addons For Elementor

Plugin Slug:
ht-mega-for-elementor

Installations
100,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.5.3

Severity Score:
Medium

CVE:

2024-4876

The vulnerability has been patched, so you should update to version 2.5.3.

HT Mega – Absolute Addons For Elementor

Plugin:

HT Mega – Absolute Addons For Elementor

Plugin Slug:
ht-mega-for-elementor

Installations
100,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.5.3

Severity Score:
Medium

CVE:

2024-4875

The vulnerability has been patched, so you should update to version 2.5.3.

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Plugin:

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Plugin Slug:
woolentor-addons

Installations
100,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.8.9

Severity Score:
Medium

CVE:

2024-3345

The vulnerability has been patched, so you should update to version 2.8.9.

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Plugin:

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Plugin Slug:
woolentor-addons

Installations
100,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.8.9

Severity Score:
High

CVE:

2024-4566

The vulnerability has been patched, so you should update to version 2.8.9.

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Plugin:

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Plugin Slug:
woolentor-addons

Installations
100,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.8.8

Severity Score:
Medium

CVE:

2024-34767

The vulnerability has been patched, so you should update to version 2.8.8.

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce

Plugin:

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce

Plugin Slug:
email-subscribers

Installations
90,000+

Vulnerability:
Broken Access Control

Patched in Version:
5.7.20

Severity Score:
High

CVE:

2024-4010

The vulnerability has been patched, so you should update to version 5.7.20.

iframe

Plugin:

iframe

Plugin Slug:
iframe

Installations
90,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.1

Severity Score:
Medium

CVE:

2024-34805

The vulnerability has been patched, so you should update to version 5.1.

Master Slider – Responsive Touch Slider

Plugin:

Master Slider – Responsive Touch Slider

Plugin Slug:
master-slider

Installations
90,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.9.10

Severity Score:
Medium

CVE:

2024-4470

The vulnerability has been patched, so you should update to version 3.9.10.

Import and export users and customers

Plugin:

Import and export users and customers

Plugin Slug:
import-users-from-csv-with-meta

Installations
80,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.26.7

Severity Score:
Medium

CVE:

2024-4656

The vulnerability has been patched, so you should update to version 1.26.7.

Post and Page Builder by BoldGrid – Visual Drag and Drop Editor

Plugin:

Post and Page Builder by BoldGrid – Visual Drag and Drop Editor

Plugin Slug:
post-and-page-builder

Installations
80,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.26.5

Severity Score:
Medium

CVE:

2024-4400

The vulnerability has been patched, so you should update to version 1.26.5.

Sydney Toolbox

Plugin:

Sydney Toolbox

Plugin Slug:
sydney-toolbox

Installations
80,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.32

Severity Score:
Medium

CVE:

2024-4473

The vulnerability has been patched, so you should update to version 1.32.

Tutor LMS – eLearning and online course solution

Plugin:

Tutor LMS – eLearning and online course solution

Plugin Slug:
tutor

Installations
80,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.7.1

Severity Score:
High

CVE:

2024-4223

The vulnerability has been patched, so you should update to version 2.7.1.

Tutor LMS – eLearning and online course solution

Plugin:

Tutor LMS – eLearning and online course solution

Plugin Slug:
tutor

Installations
80,000+

Vulnerability:
Insecure Direct Object References (IDOR)

Patched in Version:
2.7.1

Severity Score:
Medium

CVE:

2024-4279

The vulnerability has been patched, so you should update to version 2.7.1.

Tutor LMS – eLearning and online course solution

Plugin:

Tutor LMS – eLearning and online course solution

Plugin Slug:
tutor

Installations
80,000+

Vulnerability:
SQL Injection

Patched in Version:
2.7.1

Severity Score:
High

CVE:

2024-4318

The vulnerability has been patched, so you should update to version 2.7.1.

Visual Portfolio, Photo Gallery & Post Grid

Plugin:

Visual Portfolio, Photo Gallery & Post Grid

Plugin Slug:
visual-portfolio

Installations
70,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.3.3

Severity Score:
Medium

CVE:

2024-4363

The vulnerability has been patched, so you should update to version 3.3.3.

Exclusive Addons for Elementor

Plugin:

Exclusive Addons for Elementor

Plugin Slug:
exclusive-addons-for-elementor

Installations
60,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.6.9.7

Severity Score:
Medium

CVE:

2024-4618

The vulnerability has been patched, so you should update to version 2.6.9.7.

WP Table Builder – WordPress Table Plugin

Plugin:

WP Table Builder – WordPress Table Plugin

Plugin Slug:
wp-table-builder

Installations
60,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.4.15

Severity Score:
Medium

CVE:

2024-4700

The vulnerability has been patched, so you should update to version 1.4.15.

Order Export & Order Import for WooCommerce

Plugin:

Order Export & Order Import for WooCommerce

Plugin Slug:
order-import-export-for-woocommerce

Installations
50,000+

Vulnerability:
PHP Object Injection

Patched in Version:
2.5.0

Severity Score:
Medium

CVE:

2024-34751

The vulnerability has been patched, so you should update to version 2.5.0.

Ultimate Blocks – WordPress Blocks Plugin

Plugin:

Ultimate Blocks – WordPress Blocks Plugin

Plugin Slug:
ultimate-blocks

Installations
50,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.1.7

Severity Score:
Medium

CVE:

2024-3241

The vulnerability has been patched, so you should update to version 3.1.7.

DethemeKit For Elementor

Plugin:

DethemeKit For Elementor

Plugin Slug:
dethemekit-for-elementor

Installations
40,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.1.4

Severity Score:
Medium

CVE:

2024-4374

The vulnerability has been patched, so you should update to version 2.1.4.

DethemeKit For Elementor

Plugin:

DethemeKit For Elementor

Plugin Slug:
dethemekit-for-elementor

Installations
40,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.1.3

Severity Score:
Medium

CVE:

2024-34575

The vulnerability has been patched, so you should update to version 2.1.3.

Piotnet Addons For Elementor

Plugin:

Piotnet Addons For Elementor

Plugin Slug:
piotnet-addons-for-elementor

Installations
40,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.4.28

Severity Score:
Medium

CVE:

2024-4432

The vulnerability has been patched, so you should update to version 2.4.28.

Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks

Plugin:

Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks

Plugin Slug:
post-grid

Installations
40,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.2.81

Severity Score:
Medium

CVE:

2024-3155

The vulnerability has been patched, so you should update to version 2.2.81.

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor

Plugin:

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor

Plugin Slug:
master-addons

Installations
30,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.0.6.1

Severity Score:
Medium

CVE:

2024-3134

The vulnerability has been patched, so you should update to version 2.0.6.1.

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Plugin:

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Plugin Slug:
simply-schedule-appointments

Installations
30,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.6.7.18

Severity Score:
Medium

CVE:

2024-4288

The vulnerability has been patched, so you should update to version 1.6.7.18.

Visualizer: Tables and Charts Manager for WordPress

Plugin:

Visualizer: Tables and Charts Manager for WordPress

Plugin Slug:
visualizer

Installations
30,000+

Vulnerability:
SQL Injection

Patched in Version:
3.11.0

Severity Score:
High

CVE:

2024-3750

The vulnerability has been patched, so you should update to version 3.11.0.

All-in-One Video Gallery

Plugin:

All-in-One Video Gallery

Plugin Slug:
all-in-one-video-gallery

Installations
20,000+

Vulnerability:
Local File Inclusion

Patched in Version:
3.7.0

Severity Score:
High

CVE:

2024-4670

The vulnerability has been patched, so you should update to version 3.7.0.

Envo Extra

Plugin:

Envo Extra

Plugin Slug:
envo-extra

Installations
20,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.8.17

Severity Score:
Medium

CVE:

2024-4385

The vulnerability has been patched, so you should update to version 1.8.17.

Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider WordPress Plugin

Plugin:

Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider WordPress Plugin

Plugin Slug:
logo-slider-wp

Installations
20,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.0.0

Severity Score:
Medium

CVE:

2024-3288

The vulnerability has been patched, so you should update to version 4.0.0.

Post Grid Elementor Addon

Plugin:

Post Grid Elementor Addon

Plugin Slug:
post-grid-elementor-addon

Installations
20,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.0.17

Severity Score:
Medium

CVE:

2024-34789

The vulnerability has been patched, so you should update to version 2.0.17.

WPZOOM Addons for Elementor (Templates, Widgets)

Plugin:

WPZOOM Addons for Elementor (Templates, Widgets)

Plugin Slug:
wpzoom-elementor-addons

Installations
20,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.1.37

Severity Score:
Medium

CVE:

2024-4370

The vulnerability has been patched, so you should update to version 1.1.37.

BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin

Plugin:

BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin

Plugin Slug:
bookingpress-appointment-booking

Installations
10,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.0.83

Severity Score:
Medium

CVE:

2024-34799

The vulnerability has been patched, so you should update to version 1.0.83.

Mega Elements – Addons for Elementor

Plugin:

Mega Elements – Addons for Elementor

Plugin Slug:
mega-elements-addons-for-elementor

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.2.2

Severity Score:
Medium

CVE:

2024-4702

The vulnerability has been patched, so you should update to version 1.2.2.

Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages

Plugin:

Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages

Plugin Slug:
page-builder-add

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.5.1.9

Severity Score:
High

CVE:

2024-34752

The vulnerability has been patched, so you should update to version 1.5.1.9.

ReviewX – Multi-criteria Rating & Reviews for WooCommerce

Plugin:

ReviewX – Multi-criteria Rating & Reviews for WooCommerce

Plugin Slug:
reviewx

Installations
10,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.6.28

Severity Score:
Medium

CVE:

2024-3609

The vulnerability has been patched, so you should update to version 1.6.28.

Simple Basic Contact Form

Plugin:

Simple Basic Contact Form

Plugin Slug:
simple-basic-contact-form

Installations
10,000+

Vulnerability:
Broken Access Control

Patched in Version:
20240511

Severity Score:
Medium

CVE:

2024-4144

The vulnerability has been patched, so you should update to version 20240511.

140+ Widgets | Best Addons For Elementor – FREE

Plugin:

140+ Widgets | Best Addons For Elementor – FREE

Plugin Slug:
xpro-elementor-addons

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.4.3.1

Severity Score:
Medium

CVE:

2024-4440

The vulnerability has been patched, so you should update to version 1.4.3.1.

YITH WooCommerce Gift Cards

Plugin:

YITH WooCommerce Gift Cards

Plugin Slug:
yith-woocommerce-gift-cards

Installations
10,000+

Vulnerability:
Broken Access Control

Patched in Version:
4.13.0

Severity Score:
Medium

CVE:

2024-0870

The vulnerability has been patched, so you should update to version 4.13.0.

Alt Text AI – Automatically generate image alt text for SEO and accessibility

Plugin:

Alt Text AI – Automatically generate image alt text for SEO and accessibility

Plugin Slug:
alttext-ai

Installations
9,000+

Vulnerability:
SQL Injection

Patched in Version:
1.5.0

Severity Score:
High

CVE:

2024-4847

The vulnerability has been patched, so you should update to version 1.5.0.

WP SMS – Messaging, SMS & MMS Notifications, 2FA & OTP for WordPress, WooCommerce, GravityForms, etc

Plugin:

WP SMS – Messaging, SMS & MMS Notifications, 2FA & OTP for WordPress, WooCommerce, GravityForms, etc

Plugin Slug:
wp-sms

Installations
9,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
6.5.2

Severity Score:
Medium

CVE:

2024-34811

The vulnerability has been patched, so you should update to version 6.5.2.

VikBooking Hotel Booking Engine & PMS

Plugin:

VikBooking Hotel Booking Engine & PMS

Plugin Slug:
vikbooking

Installations
8,000+

Vulnerability:
Insecure Direct Object References (IDOR)

Patched in Version:
1.6.8

Severity Score:
Medium

CVE:

2024-2441

The vulnerability has been patched, so you should update to version 1.6.8.

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms

Plugin:

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms

Plugin Slug:
cf7-hubspot

Installations
7,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.3.2

Severity Score:
Medium

CVE:

2024-34756

The vulnerability has been patched, so you should update to version 1.3.2.

WP Compress – Image Optimizer [All-In-One]

Plugin:

WP Compress – Image Optimizer [All-In-One]

Plugin Slug:
wp-compress-image-optimizer

Installations
7,000+

Vulnerability:
Broken Access Control

Patched in Version:
6.20.02

Severity Score:
Medium

CVE:

2024-4445

The vulnerability has been patched, so you should update to version 6.20.02.

WP Compress – Image Optimizer [All-In-One]

Plugin:

WP Compress – Image Optimizer [All-In-One]

Plugin Slug:
wp-compress-image-optimizer

Installations
7,000+

Vulnerability:
Open Redirection

Patched in Version:
6.20.02

Severity Score:
Medium

CVE:

2023-6812

The vulnerability has been patched, so you should update to version 6.20.02.

Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg

Plugin:

Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg

Plugin Slug:
borderless

Installations
6,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.5.4

Severity Score:
Medium

CVE:

2024-34757

The vulnerability has been patched, so you should update to version 1.5.4.

Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg

Plugin:

Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg

Plugin Slug:
borderless

Installations
6,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.5.4

Severity Score:
Medium

CVE:

2024-4666

The vulnerability has been patched, so you should update to version 1.5.4.

JCH Optimize

Plugin:

JCH Optimize

Plugin Slug:
jch-optimize

Installations
6,000+

Vulnerability:
Path Traversal

Patched in Version:
4.2.1

Severity Score:
Medium

CVE:

2024-34808

The vulnerability has been patched, so you should update to version 4.2.1.

Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Plugin:

Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Plugin Slug:
radio-player

Installations
6,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.0.74

Severity Score:
Medium

CVE:

2024-34753

The vulnerability has been patched, so you should update to version 2.0.74.

Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Plugin:

Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Plugin Slug:
magical-addons-for-elementor

Installations
5,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.1.38

Severity Score:
Medium

CVE:

2024-2923

The vulnerability has been patched, so you should update to version 1.1.38.

Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid

Plugin:

Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid

Plugin Slug:
magazine-blocks

Installations
4,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.3.7

Severity Score:
Medium

CVE:

2024-34760

The vulnerability has been patched, so you should update to version 1.3.7.

Move Addons for Elementor

Plugin:

Move Addons for Elementor

Plugin Slug:
move-addons

Installations
3,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.3.2

Severity Score:
Medium

CVE:

2024-4695

The vulnerability has been patched, so you should update to version 1.3.2.

YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress

Plugin:

YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress

Plugin Slug:
youtube-showcase

Installations
3,000+

Vulnerability:
Broken Access Control

Patched in Version:
3.4.0

Severity Score:
Medium

CVE:

2024-3268

The vulnerability has been patched, so you should update to version 3.4.0.

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms

Plugin:

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms

Plugin Slug:
cf7-salesforce

Installations
2,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.4.0

Severity Score:
Medium

CVE:

2024-34755

The vulnerability has been patched, so you should update to version 1.4.0.

Debug Log – Manger Tool

Plugin:

Debug Log – Manger Tool

Plugin Slug:
debug-log-config-tool

Installations
2,000+

Vulnerability:
Sensitive Data Exposure

Patched in Version:
1.5

Severity Score:
Medium

CVE:

2024-34798

The vulnerability has been patched, so you should update to version 1.5.

FundEngine – Donation and Crowdfunding Platform

Plugin:

FundEngine – Donation and Crowdfunding Platform

Plugin Slug:
wp-fundraising-donation

Installations
2,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.7.0

Severity Score:
Medium

CVE:

2024-34758

The vulnerability has been patched, so you should update to version 1.7.0.

Kognetiks Chatbot for WordPress

Plugin:

Kognetiks Chatbot for WordPress

Plugin Slug:
chatbot-chatgpt

Installations
1,000+

Vulnerability:
Arbitrary File Upload

Patched in Version:
2.0.1

Severity Score:
Critical

CVE:

2024-32700

The vulnerability has been patched, so you should update to version 2.0.1.

Copymatic – AI Content Writer & Generator

Plugin:

Copymatic – AI Content Writer & Generator

Plugin Slug:
copymatic

Installations
1,000+

Vulnerability:
Arbitrary File Upload

Patched in Version:
1.7

Severity Score:
Critical

CVE:

2024-31351

The vulnerability has been patched, so you should update to version 1.7.

Custom Post Type Attachment

Plugin:

Custom Post Type Attachment

Plugin Slug:
custom-post-type-pdf-attachment

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.4.6

Severity Score:
Medium

CVE:

2024-4546

The vulnerability has been patched, so you should update to version 3.4.6.

Fastly

Plugin:

Fastly

Plugin Slug:
fastly

Installations
1,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.2.26

Severity Score:
Medium

CVE:

2024-34803

The vulnerability has been patched, so you should update to version 1.2.26.

Fastly

Plugin:

Fastly

Plugin Slug:
fastly

Installations
1,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.2.26

Severity Score:
Medium

CVE:

2024-34768

The vulnerability has been patched, so you should update to version 1.2.26.

Contact Form Widget – Contact Query, Contact Page, Form Maker, Query Table

Plugin:

Contact Form Widget – Contact Query, Contact Page, Form Maker, Query Table

Plugin Slug:
new-contact-form-widget

Installations
1,000+

Vulnerability:
Sensitive Data Exposure

Patched in Version:
1.4.0

Severity Score:
Medium

CVE:

2024-34754

The vulnerability has been patched, so you should update to version 1.4.0.

Save as PDF Plugin by Pdfcrowd

Plugin:

Save as PDF Plugin by Pdfcrowd

Plugin Slug:
save-as-pdf-by-pdfcrowd

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.2.0

Severity Score:
Medium

CVE:

2023-5971

The vulnerability has been patched, so you should update to version 3.2.0.

ShiftController Employee Shift Scheduling

Plugin:

ShiftController Employee Shift Scheduling

Plugin Slug:
shiftcontroller

Installations
1,000+

Vulnerability:
PHP Object Injection

Patched in Version:
4.9.58

Severity Score:
High

CVE:

2024-4733

The vulnerability has been patched, so you should update to version 4.9.58.

Popup Builder

Plugin:

Popup Builder

Plugin Slug:
easy-notify-lite

Installations
700+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.1.30

Severity Score:
Medium

CVE:

2024-34567

The vulnerability has been patched, so you should update to version 1.1.30.

Picture Gallery – Frontend Image Uploads, AJAX Photo List

Plugin:

Picture Gallery – Frontend Image Uploads, AJAX Photo List

Plugin Slug:
picture-gallery

Installations
400+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.5.12

Severity Score:
Medium

CVE:

2024-34759

The vulnerability has been patched, so you should update to version 1.5.12.

Popup – Popup More Popups

Plugin:

Popup – Popup More Popups

Plugin Slug:
popup-more

Installations
400+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.3.3

Severity Score:
Medium

CVE:

2024-32800

The vulnerability has been patched, so you should update to version 2.3.3.

Builder for WooCommerce product reviews shortcodes – ReviewShort

Plugin:

Builder for WooCommerce product reviews shortcodes – ReviewShort

Plugin Slug:
woo-product-reviews-shortcode

Installations
300+

Vulnerability:
Broken Access Control

Patched in Version:
1.01.6

Severity Score:
Medium

CVE:

2024-34763

The vulnerability has been patched, so you should update to version 1.01.6.

Bulk Posts Editing For WordPress

Plugin:

Bulk Posts Editing For WordPress

Plugin Slug:
ithemeland-bulk-posts-editing-lite

Installations
200+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
4.2.4

Severity Score:
Medium

CVE:

2024-4204

The vulnerability has been patched, so you should update to version 4.2.4.

Bulk Posts Editing For WordPress

Plugin:

Bulk Posts Editing For WordPress

Plugin Slug:
ithemeland-bulk-posts-editing-lite

Installations
200+

Vulnerability:
Broken Access Control

Patched in Version:
4.2.4

Severity Score:
Medium

CVE:

2024-4199

The vulnerability has been patched, so you should update to version 4.2.4.

month name translation benaceur

Plugin:

month name translation benaceur

Plugin Slug:
month-name-translation-benaceur

Installations
200+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.3.8

Severity Score:
Medium

CVE:

2024-3634

The vulnerability has been patched, so you should update to version 2.3.8.

Advanced Custom Fields PRO

Plugin:

Advanced Custom Fields PRO

Plugin Slug:
advanced-custom-fields-pro

Vulnerability:
Arbitrary Code Execution

Patched in Version:
6.2.10

Severity Score:
High

CVE:

2024-34761

The vulnerability has been patched, so you should update to version 6.2.10.

Advanced Custom Fields PRO

Plugin:

Advanced Custom Fields PRO

Plugin Slug:
advanced-custom-fields-pro

Vulnerability:
Local File Inclusion

Patched in Version:
6.2.10

Severity Score:
Critical

CVE:

2024-34762

The vulnerability has been patched, so you should update to version 6.2.10.

ConvertPlus

Plugin:

ConvertPlus

Plugin Slug:
convertplug

Vulnerability:
PHP Object Injection

Patched in Version:
3.5.26.1

Severity Score:
High

CVE:

2024-4838

The vulnerability has been patched, so you should update to version 3.5.26.1.

Cost Calculator Builder Pro

Plugin:

Cost Calculator Builder Pro

Plugin Slug:
cost-calculator-builder-pro

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
3.1.73

Severity Score:
Medium

CVE:

2024-4789

The vulnerability has been patched, so you should update to version 3.1.73.

ElementsKit Pro

Plugin:

ElementsKit Pro

Plugin Slug:
elementskit

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.6.2

Severity Score:
Medium

CVE:

2024-4452

The vulnerability has been patched, so you should update to version 3.6.2.

Penci Soledad Data Migrator

Plugin:

Penci Soledad Data Migrator

Plugin Slug:
penci-data-migrator

Vulnerability:
Local File Inclusion

Patched in Version:
1.3.1

Severity Score:
Critical

CVE:

2024-3551

The vulnerability has been patched, so you should update to version 1.3.1.

Swift Framework Page Builder

Plugin:

Swift Framework Page Builder

Plugin Slug:
socialdriver-framework

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2024.0.0

Severity Score:
Medium

CVE:

2024-2697

The vulnerability has been patched, so you should update to version 2024.0.0.

Tutor LMS Pro

Plugin:

Tutor LMS Pro

Plugin Slug:
tutor-pro

Vulnerability:
Broken Access Control

Patched in Version:
2.7.1

Severity Score:
High

CVE:

2024-4352

The vulnerability has been patched, so you should update to version 2.7.1.

Tutor LMS Pro

Plugin:

Tutor LMS Pro

Plugin Slug:
tutor-pro

Vulnerability:
Broken Access Control

Patched in Version:
2.7.1

Severity Score:
High

CVE:

2024-4222

The vulnerability has been patched, so you should update to version 2.7.1.

Tutor LMS Pro

Plugin:

Tutor LMS Pro

Plugin Slug:
tutor-pro

Vulnerability:
Privilege Escalation

Patched in Version:
2.7.1

Severity Score:
High

CVE:

2024-4351

The vulnerability has been patched, so you should update to version 2.7.1.

Uber Menu

Plugin:

Uber Menu

Plugin Slug:
ubermenu

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.8.3

Severity Score:
Medium

CVE:

2024-4710

The vulnerability has been patched, so you should update to version 3.8.3.

Automatic

Plugin:

Automatic

Plugin Slug:
wp-automatic

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.95.0

Severity Score:
Medium

CVE:

2024-4849

The vulnerability has been patched, so you should update to version 3.95.0.

WordPress Themes — 10 Patched / 1 Unpatched

ImageMagick Sharpen Resized Images

Theme:

ImageMagick Sharpen Resized Images

Theme Slug:
imagemagick-sharpen-resized-images

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

CVE:

2024-34790

The vulnerability has not been patched. You should switch themes.

Blocksy

Theme:

Blocksy

Theme Slug:
blocksy

Downloads
3,200,500

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.0.47

Severity Score:
Medium

CVE:

2024-4943

The vulnerability has been patched, so you should update to version 2.0.47.

ChaosTheory

Theme:

ChaosTheory

Theme Slug:
chaostheory

Downloads
441,334

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.3.2

Severity Score:
Medium

CVE:

2024-34766

The vulnerability has been patched, so you should update to version 1.3.2.

Consus

Theme:

Consus

Theme Slug:
consus

Downloads
16,413

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.0.7

Severity Score:
Medium

CVE:

2024-34810

The vulnerability has been patched, so you should update to version 1.0.7.

EmpowerWP

Theme:

EmpowerWP

Theme Slug:
empowerwp

Downloads
219,617

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.0.22

Severity Score:
Medium

CVE:

2024-34809

The vulnerability has been patched, so you should update to version 1.0.22.

Ketos

Theme:

Ketos

Theme Slug:
ketos

Downloads
28,821

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.0.6

Severity Score:
Medium

CVE:

2024-34810

The vulnerability has been patched, so you should update to version 1.0.6.

Mindscape

Theme:

Mindscape

Theme Slug:
mindscape

Downloads
42,404

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.0.23

Severity Score:
Medium

CVE:

2024-34810

The vulnerability has been patched, so you should update to version 1.0.23.

Niveau

Theme:

Niveau

Theme Slug:
niveau

Downloads
16,949

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.0.9

Severity Score:
Medium

CVE:

2024-34810

The vulnerability has been patched, so you should update to version 1.0.9.

Oasis

Theme:

Oasis

Theme Slug:
oasis

Downloads
69,561

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.0.13

Severity Score:
Medium

CVE:

2024-34810

The vulnerability has been patched, so you should update to version 1.0.13.

Skyline WP

Theme:

Skyline WP

Theme Slug:
skyline-wp

Downloads
169,826

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.0.11

Severity Score:
Medium

CVE:

2024-34810

The vulnerability has been patched, so you should update to version 1.0.11.

Zeka

Theme:

Zeka

Theme Slug:
zeka

Downloads
20,361

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.0.10

Severity Score:
Medium

CVE:

2024-34810

The vulnerability has been patched, so you should update to version 1.0.10.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

The post WordPress Vulnerability Report — May 22, 2024 appeared first on SolidWP.

Written by:
Abdul Wahid
Published on:
May 23, 2024
