WordPress Vulnerability Report � February 21, 2024

In this report, 96 vulnerabilities have been publicly disclosed. Security patches for 76 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 20 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.

The next major release will be version 6.5, planned for March 26, 2024.

WordPress Plugins � 75 Patched / 20 Unpatched

Plugin:: Featured Image from URL (FIFU)
Plugin Slug:: featured-image-from-url
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1496

Plugin:: Malware Scanner
Plugin Slug:: miniorange-malware-protection
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-25902

Plugin:: Multi Step Form
Plugin Slug:: multi-step-form
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25905

Plugin:: Comments Like Dislike
Plugin Slug:: comments-like-dislike
Installations: 9,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25906

Plugin:: PJ News Ticker
Plugin Slug:: pj-news-ticker
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25094

Plugin:: TinyMCE and TinyMCE Advanced Professsional Formats and Styles
Plugin Slug:: tinymce-and-tinymce-advanced-professsional-formats-and-styles
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25904

Plugin:: MyWaze
Plugin Slug:: my-waze
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25594

Plugin:: PB oEmbed HTML5 Audio � with Cache Support
Plugin Slug:: pb-oembed-html5-audio-with-cache-support
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25098

Plugin:: Canto
Plugin Slug:: canto
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-25096

Plugin:: GigPress
Plugin Slug:: gigpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-7233

Plugin:: MoveTo
Plugin Slug:: moveto
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-25913

Plugin:: MoveTo
Plugin Slug:: moveto
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-25912

Plugin:: MoveTo
Plugin Slug:: moveto
Vulnerability:: Denial of Service Attack
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-25911

Plugin:: MoveTo
Plugin Slug:: moveto
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-25910

Plugin:: Oliver POS
Plugin Slug:: oliver-pos
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-0702

Plugin:: postMash � custom post order
Plugin Slug:: postmash
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-25927

Plugin:: Sitepact’s Contact Form 7 Extension For Klaviyo
Plugin Slug:: sitepact-klaviyo-contact-form-7
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-25928

Plugin:: Widgets Controller
Plugin Slug:: widgets-controller
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-25926

Plugin:: Pexels: Free Stock Photos
Plugin Slug:: wp-pexels-free-stock-photos
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25915

Plugin:: Easy Forms for Mailchimp
Plugin Slug:: yikes-inc-easy-mailchimp-extender
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-25095

Plugin:: Essential Addons for Elementor � Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.9
Severity Score:: Medium
CVE:: 2024-1171

Plugin:: Essential Addons for Elementor � Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.9
Severity Score:: Medium
CVE:: 2024-1172

Plugin:: Essential Addons for Elementor � Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.9
Severity Score:: Medium
CVE:: 2024-1276

Plugin:: Essential Addons for Elementor � Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.9
Severity Score:: Medium
CVE:: 2024-1236

Plugin:: Ocean Extra
Plugin Slug:: ocean-extra
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.5
Severity Score:: Medium
CVE:: 2024-1277

Plugin:: Premium Addons for Elementor
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.10.19
Severity Score:: Medium
CVE:: 2024-0326

Plugin:: Broken Link Checker
Plugin Slug:: broken-link-checker
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.4
Severity Score:: Medium
CVE:: 2024-25592

Plugin:: WP Shortcodes Plugin � Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.0.3
Severity Score:: Medium
CVE:: 2024-1510

Plugin:: SiteOrigin Widgets Bundle
Plugin Slug:: so-widgets-bundle
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.58.3
Severity Score:: Medium
CVE:: 2024-1070

Plugin:: SiteOrigin Widgets Bundle
Plugin Slug:: so-widgets-bundle
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.58.4
Severity Score:: Medium
CVE:: 2024-1058

Plugin:: Password Protected � Ultimate Plugin to Password Protect Your WordPress Content with Ease
Plugin Slug:: password-protected
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.7
Severity Score:: Medium
CVE:: 2024-0656

Plugin:: Popup Builder � Create highly converting, mobile friendly marketing popups.
Plugin Slug:: popup-builder
Installations: 200,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 4.2.6
Severity Score:: Medium
CVE:: 2023-6294

Plugin:: WP Activity Log
Plugin Slug:: wp-security-audit-log
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.6.2
Severity Score:: High
CVE:: 2023-50905

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content � ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.15.0
Severity Score:: Medium
CVE:: 2024-1570

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content � ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.15.0
Severity Score:: High
CVE:: 2024-1519

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content � ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.15.0
Severity Score:: Medium
CVE:: 2024-1408

Plugin:: Best WordPress Gallery Plugin � FooGallery
Plugin Slug:: foogallery
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.9
Severity Score:: Medium
CVE:: 2024-0604

Plugin:: Login Lockdown � Protect Login Form
Plugin Slug:: login-lockdown
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.09
Severity Score:: Medium
CVE:: 2024-1340

Plugin:: Page scroll to id
Plugin Slug:: page-scroll-to-id
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.9
Severity Score:: Medium
CVE:: 2024-1445

Plugin:: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
Plugin Slug:: powerpack-lite-for-elementor
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.16
Severity Score:: Medium
CVE:: 2024-1411

Plugin:: Schema & Structured Data for WP & AMP
Plugin Slug:: schema-and-structured-data-for-wp
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.27
Severity Score:: Medium
CVE:: 2024-1288

Plugin:: Schema & Structured Data for WP & AMP
Plugin Slug:: schema-and-structured-data-for-wp
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.27
Severity Score:: Medium
CVE:: 2024-1586

Plugin:: Defender Security � Malware Scanner, Login Security & Firewall
Plugin Slug:: defender-security
Installations: 90,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 4.4.2
Severity Score:: Medium
CVE:: 2024-25595

Plugin:: EmbedPress � Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
Plugin Slug:: embedpress
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.9
Severity Score:: Medium
CVE:: 2024-1425

Plugin:: EmbedPress � Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
Plugin Slug:: embedpress
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.9
Severity Score:: Medium
CVE:: 2024-1349

Plugin:: Email Encoder � Protect Email Addresses and Phone Numbers
Plugin Slug:: email-encoder-bundle
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.1
Severity Score:: Medium
CVE:: 2024-1282

Plugin:: Elementor Addons by Livemesh
Plugin Slug:: addons-for-elementor
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.3.1
Severity Score:: Medium
CVE:: 2024-25598

Plugin:: Simple Share Buttons Adder
Plugin Slug:: simple-share-buttons-adder
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.4.12
Severity Score:: Medium
CVE:: 2024-0621

Plugin:: Microsoft Clarity
Plugin Slug:: microsoft-clarity
Installations: 60,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 0.9.4
Severity Score:: High
CVE:: 2024-0590

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.1
Severity Score:: Medium
CVE:: 2024-1159

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.1
Severity Score:: Medium
CVE:: 2024-1160

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.1
Severity Score:: Medium
CVE:: 2024-1157

Plugin:: MapPress Maps for WordPress
Plugin Slug:: mappress-google-maps-for-wordpress
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.88.16
Severity Score:: Medium
CVE:: 2024-0421

Plugin:: MapPress Maps for WordPress
Plugin Slug:: mappress-google-maps-for-wordpress
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.88.15
Severity Score:: Medium
CVE:: 2024-0420

Plugin:: Booster for WooCommerce
Plugin Slug:: woocommerce-jetpack
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.1.7
Severity Score:: Medium
CVE:: 2024-1054

Plugin:: WP Maintenance
Plugin Slug:: wp-maintenance
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 6.1.7
Severity Score:: Medium
CVE:: 2024-1472

Plugin:: Custom Field Template
Plugin Slug:: custom-field-template
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.1
Severity Score:: Medium
CVE:: 2024-25919

Plugin:: WP Editor
Plugin Slug:: wp-editor
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2024-25591

Plugin:: Maspik � Spam Blacklist
Plugin Slug:: contact-forms-anti-spam
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.10.7
Severity Score:: Medium
CVE:: 2024-25101

Plugin:: My Private Site
Plugin Slug:: jonradio-private-site
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.0
Severity Score:: Medium
CVE:: 2024-0978

Plugin:: My Calendar
Plugin Slug:: my-calendar
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.24
Severity Score:: Medium
CVE:: 2024-25916

Plugin:: Analytics Insights � Google Analytics Dashboard for WordPress
Plugin Slug:: analytics-insights
Installations: 10,000+
Vulnerability:: Open Redirection
Patched in Version:: 6.3
Severity Score:: Medium
CVE:: 2024-0250

Plugin:: Directorist � WordPress Business Directory Plugin with Classified Ads Listings
Plugin Slug:: directorist
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.8.5
Severity Score:: Medium
CVE:: 2024-1322

Plugin:: Link Library
Plugin Slug:: link-library
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.6.1
Severity Score:: High
CVE:: 2024-1559

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.2.6
Severity Score:: Critical
CVE:: 2024-1512

Plugin:: NEX-Forms � Ultimate Form Builder � Contact forms and much more
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5.6
Severity Score:: Medium
CVE:: 2024-25593

Plugin:: Paid Membership Subscriptions � Effortless Memberships, Recurring Payments & Content Restriction
Plugin Slug:: paid-member-subscriptions
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.11.2
Severity Score:: Medium
CVE:: 2024-1390

Plugin:: Smart Manager � WooCommerce Bulk Edit Products, Orders, Coupons, Any WordPress Post Type (Advanced)
Plugin Slug:: smart-manager-for-wp-e-commerce
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 8.28.0
Severity Score:: High
CVE:: 2024-0566

Plugin:: WP SMS � Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
Plugin Slug:: wp-sms
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4
Severity Score:: Medium
CVE:: 2024-25920

Plugin:: Coming Soon Maintenance Mode
Plugin Slug:: coming-soon-maintenance-mode
Installations: 6,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.6
Severity Score:: Medium
CVE:: 2024-1475

Plugin:: Community by PeepSo � Social Network, Membership, Registration, User Profiles
Plugin Slug:: peepso-core
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 6.2.7.1
Severity Score:: Medium
CVE:: 2024-25923

Plugin:: WP Testimonials
Plugin Slug:: testimonial-widgets
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.4
Severity Score:: High
CVE:: 2024-25924

Plugin:: Piraeus Bank WooCommerce Payment Gateway
Plugin Slug:: woo-payment-gateway-for-piraeus-bank
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.7.0
Severity Score:: Critical
CVE:: 2024-0610

Plugin:: WPify Woo Czech
Plugin Slug:: wpify-woo
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.9
Severity Score:: Medium
CVE:: 2024-1492

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.3
Severity Score:: Medium
CVE:: 2024-25099

Plugin:: SKT Page Builder
Plugin Slug:: skt-builder
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2
Severity Score:: Medium
CVE:: 2024-1337

Plugin:: Doofinder WP & WooCommerce Search
Plugin Slug:: doofinder-for-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.9
Severity Score:: Medium
CVE:: 2024-25596

Plugin:: EazyDocs � Most Powerful Knowledge base, wiki, Documentation Builder Plugin (easy docs, knowledgebase)
Plugin Slug:: eazydocs
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.0
Severity Score:: Medium
CVE:: 2024-0248

Plugin:: InstaWP Connect � 1-click WP Staging & Migration
Plugin Slug:: instawp-connect
Installations: 2,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 0.1.0.9
Severity Score:: Critical
CVE:: 2024-25918

Plugin:: SMTP Mail
Plugin Slug:: smtp-mail
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.21
Severity Score:: Medium
CVE:: 2024-25914

Plugin:: GD Rating System
Plugin Slug:: gd-rating-system
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.1
Severity Score:: High
CVE:: 2024-25093

Plugin:: Landing Page Cat � Coming Soon Page, Maintenance Page & Squeeze Pages
Plugin Slug:: landing-page-cat
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.7.3
Severity Score:: Medium
CVE:: 2024-0708