WordPress Vulnerability Report � January 24, 2024

In this report, 88 new vulnerabilities have been publicly disclosed. Security patches for 29 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 59 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Free Online Training Event! TODAY! Register Now!

TODAY! January 24, 2024 @ 1:00 PM – 2:00 PM (CST)

Not all WordPress threats and vulnerabilities are �created equal.� Some require more immediate attention and pose a greater risk than others. Even with preventive tools in place, such as Solid Security Pro with Patchstack, you need to understand how to assess and respond to threats and vulnerabilities.

This livestream will help you understand what needs your attention first, how to use Security tools like Solid Security Pro to view, rank, and respond to threats, and how to harden your site moving forward.

Can’t make the live event? Go ahead and register, and we’ll email you the replay. See webinar time in your time zone.

WordPress Core

WordPress 6.4.2 was released on December 6, 2023, as a short-cycle maintenance and security release with seven bug fixes and one security patch for a potential Remote Code Execution (RCE) vulnerability that is not directly exploitable in most situations. However, combined with certain vulnerabilities in third-party plugins on a multisite network, this vulnerability could be exploited and pose a high-severity risk. The 6.4.1 update will prevent PHP object injections from being chained into a potential RCE, according to details published by Patchstack.

WordPress Plugins � 28 Patched / 59 Unpatched

Plugin:: Ninja Tables � Best Data Table Plugin for WordPress
Plugin Slug:: ninja-tables
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-23504

Plugin:: Ninja Tables � Best Data Table Plugin for WordPress
Plugin Slug:: ninja-tables
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-23503

Plugin:: Booking for Appointments and Events Calendar � Amelia
Plugin Slug:: ameliabooking
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-22298

Plugin:: Contact Form builder with drag & drop for WordPress � Kali Forms
Plugin Slug:: kali-forms
Installations: 30,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-22305

Plugin:: PDF Viewer & 3D PDF Flipbook � DearPDF
Plugin Slug:: dearpdf-lite
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-23505

Plugin:: Browser Theme Color
Plugin Slug:: browser-theme-color
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-22291

Plugin:: FreshMail For WordPress
Plugin Slug:: freshmail-integration
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-22304

Plugin:: Albo Pretorio On line
Plugin Slug:: albo-pretorio-on-line
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-22302

Plugin:: Albo Pretorio On line
Plugin Slug:: albo-pretorio-on-line
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-22301

Plugin:: CBX Map for Google Map & OpenStreetMap
Plugin Slug:: cbxgooglemap
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-22297

Plugin:: Posts List Designer by Category � List Category Posts Or Recent Posts
Plugin Slug:: post-list-designer
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-23502

Plugin:: 12 Step Meeting List
Plugin Slug:: 12-step-meeting-list
Installations: 900+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-22296

Plugin:: WP To Do
Plugin Slug:: wp-todo
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-22292

Plugin:: BA Plus
Plugin Slug:: ba-plus-before-after-image-slider-free
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-22286

Plugin:: Better Anchor Links
Plugin Slug:: better-anchor-links
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-22287

Plugin:: CformsII
Plugin Slug:: cforms2
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-22149

Plugin:: Custom Dashboard Widgets
Plugin Slug:: custom-dashboard-widgets
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-22290

Plugin:: Delhivery Logistics Courier
Plugin Slug:: delhivery-logistics-courier
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-22283

Plugin:: enigma chart.js
Plugin Slug:: enigma-chartjs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6081

Plugin:: enigma chart.js
Plugin Slug:: enigma-chartjs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6082

Plugin:: Frontpage Manager
Plugin Slug:: frontpage-manager
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-22285

Plugin:: Image Tag Manager
Plugin Slug:: image-tag-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-22160

Plugin:: lasTunes
Plugin Slug:: lastunes
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6499

Plugin:: Post views Stats
Plugin Slug:: post-views-stats
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-22289

Plugin:: SimpleMap Store Locator
Plugin Slug:: simplemap
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-22282

Plugin:: Splashscreen
Plugin Slug:: splashscreen
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6501

Plugin:: Unlimited Addons for WPBakery Page Builder
Plugin Slug:: unlimited-addons-for-wpbakery-page-builder
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-6925

Plugin:: WP Smart Editor
Plugin Slug:: wp-smart-editor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-22148

Plugin:: Advanced Custom Fields (ACF)
Plugin Slug:: advanced-custom-fields
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.2.5
Severity Score:: Medium

Plugin:: Essential Addons for Elementor � Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.5
Severity Score:: Medium
CVE:: 2024-0585

Plugin:: Essential Addons for Elementor � Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.5
Severity Score:: Medium
CVE:: 2024-0586

Plugin:: Contact Form Plugin � Fastest Contact Form Builder Plugin for WordPress by Fluent Forms
Plugin Slug:: fluentform
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.7
Severity Score:: Medium
CVE:: 2024-0618

Plugin:: Migration, Backup, Staging � WPvivid
Plugin Slug:: wpvivid-backuprestore
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.9.95
Severity Score:: Medium
CVE:: 2023-4637

Plugin:: PDF Invoices & Packing Slips for WooCommerce
Plugin Slug:: woocommerce-pdf-invoices-packing-slips
Installations: 300,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.7.6
Severity Score:: High
CVE:: 2024-22147

Plugin:: Photo Gallery by 10Web � Mobile-Friendly Image Gallery
Plugin Slug:: photo-gallery
Installations: 200,000+
Vulnerability:: Directory Traversal
Patched in Version:: 1.8.20
Severity Score:: Critical
CVE:: 2024-0221

Plugin:: Orbit Fox by ThemeIsle
Plugin Slug:: themeisle-companion
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.28
Severity Score:: Medium
CVE:: 2024-0508

Plugin:: Burst Statistics � Privacy-Friendly Analytics for WordPress
Plugin Slug:: burst-statistics
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.4
Severity Score:: High
CVE:: 2024-0405

Plugin:: FileBird � WordPress Media Library Folders & File Manager
Plugin Slug:: filebird
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.1
Severity Score:: Medium
CVE:: 2024-0691

Plugin:: GiveWP � Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.0
Severity Score:: Medium
CVE:: 2023-51415

Plugin:: Schema & Structured Data for WP & AMP
Plugin Slug:: schema-and-structured-data-for-wp
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.26
Severity Score:: Medium
CVE:: 2024-22146

Plugin:: Product Import Export for WooCommerce
Plugin Slug:: product-import-export-for-woo
Installations: 90,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.3.8
Severity Score:: High
CVE:: 2024-22152

Plugin:: Import and export users and customers
Plugin Slug:: import-users-from-csv-with-meta
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.24.7
Severity Score:: Medium
CVE:: 2024-22151

Plugin:: VK Block Patterns
Plugin Slug:: vk-block-patterns
Installations: 80,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.31.2.0
Severity Score:: Medium
CVE:: 2024-0623

Plugin:: Advanced Woo Search
Plugin Slug:: advanced-woo-search
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.97
Severity Score:: High
CVE:: 2024-0251

Plugin:: Booking for Appointments and Events Calendar � Amelia
Plugin Slug:: ameliabooking
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.94
Severity Score:: Medium
CVE:: 2023-6808

Plugin:: Getwid � Gutenberg Blocks
Plugin Slug:: getwid
Installations: 50,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.0.5
Severity Score:: Medium
CVE:: 2023-6963

Plugin:: Getwid � Gutenberg Blocks
Plugin Slug:: getwid
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.5
Severity Score:: Medium
CVE:: 2023-6959

Plugin:: User Profile Builder � Beautiful User Registration Forms, User Profiles & User Role Editor
Plugin Slug:: profile-builder
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.10.9
Severity Score:: High
CVE:: 2024-0324

Plugin:: Photo Gallery, Images, Slider in Rbs Image Gallery
Plugin Slug:: robo-gallery
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.18
Severity Score:: Medium
CVE:: 2024-22295

Plugin:: Simple Membership
Plugin Slug:: simple-membership
Installations: 50,000+
Vulnerability:: Open Redirection
Patched in Version:: 4.4.2
Severity Score:: Low
CVE:: 2024-22308

Plugin:: WP Recipe Maker
Plugin Slug:: wp-recipe-maker
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.1
Severity Score:: Medium
CVE:: 2024-0381

Plugin:: WP Recipe Maker
Plugin Slug:: wp-recipe-maker
Installations: 50,000+
Vulnerability:: Path Traversal
Patched in Version:: 9.1.1
Severity Score:: Medium
CVE:: 2024-0380

Plugin:: WP Recipe Maker
Plugin Slug:: wp-recipe-maker
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.1
Severity Score:: Medium
CVE:: 2024-0255

Plugin:: WP Recipe Maker
Plugin Slug:: wp-recipe-maker
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.1
Severity Score:: High
CVE:: 2023-6970

Plugin:: WP Recipe Maker
Plugin Slug:: wp-recipe-maker
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.1
Severity Score:: Medium
CVE:: 2024-0384

Plugin:: WP Recipe Maker
Plugin Slug:: wp-recipe-maker
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.1
Severity Score:: Medium
CVE:: 2023-6958

Plugin:: WP Recipe Maker
Plugin Slug:: wp-recipe-maker
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.1
Severity Score:: Medium
CVE:: 2024-0382

Plugin:: Shield Security � Smart Bot Blocking & Intrusion Prevention Security
Plugin Slug:: wp-simple-firewall
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 18.5.8
Severity Score:: High
CVE:: 2024-22163

Plugin:: IP2Location Country Blocker
Plugin Slug:: ip2location-country-blocker
Installations: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.33.4
Severity Score:: Medium
CVE:: 2024-22294

Plugin:: Asgaros Forum
Plugin Slug:: asgaros-forum
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.8.0
Severity Score:: High
CVE:: 2024-22284

Plugin:: Cryptocurrency Widgets � Price Ticker & Coins List
Plugin Slug:: cryptocurrency-price-ticker-widget
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.6.6
Severity Score:: Critical
CVE:: 2024-0709

Plugin:: Author Box, Guest Author and Co-Authors for Your Posts � Molongui
Plugin Slug:: molongui-authorship
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.7.5
Severity Score:: Medium
CVE:: 2023-7014

Plugin:: Stripe Payment Plugin for WooCommerce
Plugin Slug:: payment-gateway-stripe-and-woocommerce-integration
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.8.0
Severity Score:: Critical
CVE:: 2024-0705

Plugin:: Portfolio & Image Gallery for WordPress | PowerFolio
Plugin Slug:: portfolio-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.1
Severity Score:: Medium
CVE:: 2024-22150

Plugin:: BP Profile Search
Plugin Slug:: bp-profile-search
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6
Severity Score:: High
CVE:: 2024-22293

Plugin:: HD Quiz
Plugin Slug:: hd-quiz
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.12
Severity Score:: Medium
CVE:: 2024-22161

Plugin:: WOLF � WordPress Posts Bulk Editor and Manager Professional
Plugin Slug:: bulk-editor
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.8.1
Severity Score:: High
CVE:: 2024-22159

Plugin:: ChatBot with AI
Plugin Slug:: chatbot
Installations: 5,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 5.1.1
Severity Score:: High
CVE:: 2024-22309

Plugin:: Slider by Supsystic
Plugin Slug:: slider-by-supsystic
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.7
Severity Score:: Medium
CVE:: 2024-22303

Plugin:: FastDup � Fastest WordPress Migration & Duplicator
Plugin Slug:: fastdup
Installations: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.0
Severity Score:: Critical
CVE:: 2023-6592

Plugin:: Formzu WP
Plugin Slug:: formzu-wp
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.8
Severity Score:: Medium
CVE:: 2024-22310

Plugin:: WP-Lister Lite for eBay
Plugin Slug:: wp-lister-for-ebay
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.8
Severity Score:: High
CVE:: 2024-22307

Plugin:: WP Spell Check
Plugin Slug:: wp-spell-check
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 9.18
Severity Score:: Medium
CVE:: 2024-22143

Plugin:: WPZOOM Shortcodes
Plugin Slug:: wpzoom-shortcodes
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.2
Severity Score:: High
CVE:: 2024-22162

Plugin:: InstaWP Connect � 1-click WP Staging & Migration
Plugin Slug:: instawp-connect
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 0.1.0.9
Severity Score:: High
CVE:: 2024-22145

Plugin:: Display custom fields in the frontend � Post and User Profile Fields
Plugin Slug:: shortcode-to-display-post-and-user-data
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2023-6982

Plugin:: Display custom fields in the frontend � Post and User Profile Fields
Plugin Slug:: shortcode-to-display-post-and-user-data
Installations: 1,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2023-6983

Plugin:: Display custom fields in the frontend � Post and User Profile Fields
Plugin Slug:: shortcode-to-display-post-and-user-data
Installations: 1,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 1.3.0
Severity Score:: High
CVE:: 2023-6996