In this report, 73 vulnerabilities have been publicly disclosed. Security patches for 48 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.
Additionally, there are 25 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress Core
WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.
The next major release will be version 6.5, planned for March 26, 2024.
WordPress Plugins � 46 Patched / 25 Unpatched
Addon Library
- Plugin:
Addon Library
- Plugin Slug:
- addon-library
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- No Fix
- Severity Score:
- Critical
- CVE:
-
2024-1710
Admin side data storage for Contact Form 7
- Plugin:
Admin side data storage for Contact Form 7
- Plugin Slug:
- admin-side-data-storage-for-contact-form-7
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2024-1776
Admin side data storage for Contact Form 7
- Plugin:
Admin side data storage for Contact Form 7
- Plugin Slug:
- admin-side-data-storage-for-contact-form-7
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2024-1777
Admin side data storage for Contact Form 7
- Plugin:
Admin side data storage for Contact Form 7
- Plugin Slug:
- admin-side-data-storage-for-contact-form-7
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2024-1779
Admin side data storage for Contact Form 7
- Plugin:
Admin side data storage for Contact Form 7
- Plugin Slug:
- admin-side-data-storage-for-contact-form-7
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2024-1778
Adsmonetizer
- Plugin:
Adsmonetizer
- Plugin Slug:
- adsensei-b30
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2024-1437
BeePress
- Plugin:
BeePress
- Plugin Slug:
- beepress
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2024-27197
Configure SMTP
- Plugin:
Configure SMTP
- Plugin Slug:
- configure-smtp
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2024-27192
Download Media
- Plugin:
Download Media
- Plugin Slug:
- download-media
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2024-27190
Duitku Payment Gateway
- Plugin:
Duitku Payment Gateway
- Plugin Slug:
- duitku-social-payment-gateway
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2024-0631
Fontific | Google Fonts
- Plugin:
Fontific | Google Fonts
- Plugin Slug:
- fontific
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2024-27194
Gestpay for WooCommerce
- Plugin:
Gestpay for WooCommerce
- Plugin Slug:
- gestpay-for-woocommerce
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2024-0431
Marketo Forms and Tracking
- Plugin:
Marketo Forms and Tracking
- Plugin Slug:
- marketo-forms-and-tracking
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2020-6849
Media Alt Renamer
- Plugin:
Media Alt Renamer
- Plugin Slug:
- media-alt-renamer
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2024-1434
WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit
- Plugin:
WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit
- Plugin Slug:
- myshopkit-popup-smartbar-slidein
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2024-1436
PayU India
- Plugin:
PayU India
- Plugin Slug:
- payu-india
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2024-27193
Play.ht
- Plugin:
Play.ht
- Plugin Slug:
- play-ht
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2024-1772
postMash � custom post order
- Plugin:
postMash � custom post order
- Plugin Slug:
- postmash
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2024-27196
Rolo Slider
- Plugin:
Rolo Slider
- Plugin Slug:
- rolo-slider
- Vulnerability:
- Settings Change
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2024-1438
Slivery Extender
- Plugin:
Slivery Extender
- Plugin Slug:
- slivery-extender
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2024-27191
SoundCloud Shortcode
- Plugin:
SoundCloud Shortcode
- Plugin Slug:
- soundcloud-shortcode
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2024-25936
Tabs Shortcode and Widget
- Plugin:
Tabs Shortcode and Widget
- Plugin Slug:
- tabs-shortcode-and-widget
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2024-0719
Tainacan
- Plugin:
Tainacan
- Plugin Slug:
- tainacan
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2024-1435
User Shortcodes Plus
- Plugin:
User Shortcodes Plus
- Plugin Slug:
- user-shortcodes-plus
- Vulnerability:
- Insecure Direct Object References (IDOR)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2023-6969
Watermark RELOADED
- Plugin:
Watermark RELOADED
- Plugin Slug:
- watermark-reloaded
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2024-27195
LiteSpeed Cache
- Plugin:
-
LiteSpeed Cache
- Plugin Slug:
- litespeed-cache
- Installations
- 5,000,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 5.7.0.1
- Severity Score:
- High
- CVE:
-
2023-45000
LiteSpeed Cache
- Plugin:
-
LiteSpeed Cache
- Plugin Slug:
- litespeed-cache
- Installations
- 5,000,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 5.7.0.1
- Severity Score:
- High
- CVE:
-
2023-40000
Premium Addons for Elementor
- Plugin:
-
Premium Addons for Elementor
- Plugin Slug:
- premium-addons-for-elementor
- Installations
- 700,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.10.19
- Severity Score:
- Medium
- CVE:
-
2024-1242
BackWPup � WordPress Backup Plugin
- Plugin Slug:
- backwpup
- Installations
- 600,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 4.0.3
- Severity Score:
- Low
- CVE:
-
2023-5775
Page Builder: Pagelayer � Drag and Drop website builder
- Plugin Slug:
- pagelayer
- Installations
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.8.1
- Severity Score:
- Medium
- CVE:
-
2023-7115
Page Builder: Pagelayer � Drag and Drop website builder
- Plugin Slug:
- pagelayer
- Installations
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.8.3
- Severity Score:
- Medium
- CVE:
-
2024-1590
Orbit Fox by ThemeIsle
- Plugin:
-
Orbit Fox by ThemeIsle
- Plugin Slug:
- themeisle-companion
- Installations
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.10.32
- Severity Score:
- Medium
- CVE:
-
2024-1323
Orbit Fox by ThemeIsle
- Plugin:
-
Orbit Fox by ThemeIsle
- Plugin Slug:
- themeisle-companion
- Installations
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.10.31
- Severity Score:
- Medium
- CVE:
-
2024-1499
Ultimate Member � User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
- Plugin Slug:
- ultimate-member
- Installations
- 200,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 2.8.3
- Severity Score:
- Critical
- CVE:
-
2024-1071
User Feedback � Create Interactive Feedback Form, User Surveys, and Polls in Seconds
- Plugin Slug:
- userfeedback-lite
- Installations
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.0.14
- Severity Score:
- High
- CVE:
-
2024-0903
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content � ProfilePress
- Plugin Slug:
- wp-user-avatar
- Installations
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.15.1
- Severity Score:
- Medium
- CVE:
-
2024-1806
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content � ProfilePress
- Plugin Slug:
- wp-user-avatar
- Installations
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.15.1
- Severity Score:
- Medium
- CVE:
-
2024-1409
Elementor Addon Elements
- Plugin:
-
Elementor Addon Elements
- Plugin Slug:
- addon-elements-for-elementor-page-builder
- Installations
- 100,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.13
- Severity Score:
- Medium
- CVE:
-
2024-1422
Elementor Addon Elements
- Plugin:
-
Elementor Addon Elements
- Plugin Slug:
- addon-elements-for-elementor-page-builder
- Installations
- 100,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.13
- Severity Score:
- Medium
- CVE:
-
2024-1393
Elementor Addon Elements
- Plugin:
-
Elementor Addon Elements
- Plugin Slug:
- addon-elements-for-elementor-page-builder
- Installations
- 100,000+
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- 1.13
- Severity Score:
- High
- CVE:
-
2024-1358
Colibri Page Builder
- Plugin:
-
Colibri Page Builder
- Plugin Slug:
- colibri-page-builder
- Installations
- 100,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 1.0.260
- Severity Score:
- Medium
- CVE:
-
2024-1362
Colibri Page Builder
- Plugin:
-
Colibri Page Builder
- Plugin Slug:
- colibri-page-builder
- Installations
- 100,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 1.0.260
- Severity Score:
- Medium
- CVE:
-
2024-1361
Brizy � Page Builder
- Plugin:
-
Brizy � Page Builder
- Plugin Slug:
- brizy
- Installations
- 80,000+
- Vulnerability:
- Directory Traversal
- Patched in Version:
- 2.4.41
- Severity Score:
- Medium
- CVE:
-
2024-1165
Brizy � Page Builder
- Plugin:
-
Brizy � Page Builder
- Plugin Slug:
- brizy
- Installations
- 80,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.4.41
- Severity Score:
- Medium
- CVE:
-
2024-1296
Brizy � Page Builder
- Plugin:
-
Brizy � Page Builder
- Plugin Slug:
- brizy
- Installations
- 80,000+
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- 2.4.41
- Severity Score:
- Critical
- CVE:
-
2024-1311
Brizy � Page Builder
- Plugin:
-
Brizy � Page Builder
- Plugin Slug:
- brizy
- Installations
- 80,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.4.41
- Severity Score:
- Medium
- CVE:
-
2024-1291
Event Tickets and Registration
- Plugin:
-
Event Tickets and Registration
- Plugin Slug:
- event-tickets
- Installations
- 80,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 5.8.2
- Severity Score:
- Medium
- CVE:
-
2024-1053
Sydney Toolbox
- Plugin:
-
Sydney Toolbox
- Plugin Slug:
- sydney-toolbox
- Installations
- 80,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.26
- Severity Score:
- Medium
- CVE:
-
2024-1447
Enhanced Text Widget
- Plugin:
-
Enhanced Text Widget
- Plugin Slug:
- enhanced-text-widget
- Installations
- 50,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.6.6
- Severity Score:
- Medium
- CVE:
-
2024-0559
NotificationX � Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor
- Plugin Slug:
- notificationx
- Installations
- 30,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 2.8.3
- Severity Score:
- Critical
- CVE:
-
2024-1698
WP Dashboard Notes
- Plugin:
-
WP Dashboard Notes
- Plugin Slug:
- wp-dashboard-notes
- Installations
- 30,000+
- Vulnerability:
- Insecure Direct Object References (IDOR)
- Patched in Version:
- 1.0.11
- Severity Score:
- Medium
- CVE:
-
2023-7198
Restrict User Access � Ultimate Membership & Content Protection
- Plugin Slug:
- restrict-user-access
- Installations
- 20,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.6
- Severity Score:
- Medium
- CVE:
-
2024-0687
WP Event Manager � Events Calendar, Registrations, Sell Tickets with WooCommerce
- Plugin Slug:
- wp-event-manager
- Installations
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.1.42
- Severity Score:
- High
- CVE:
-
2024-0976
YML for Yandex Market
- Plugin:
-
YML for Yandex Market
- Plugin Slug:
- yml-for-yandex-market
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.2.4
- Severity Score:
- High
- CVE:
-
2024-1365
Smart Forms � when you need more than just a contact form
- Plugin Slug:
- smart-forms
- Installations
- 9,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.6.87
- Severity Score:
- Medium
- CVE:
-
2023-7203
Maintenance Page
- Plugin:
-
Maintenance Page
- Plugin Slug:
- maintenance-page
- Installations
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.0.9
- Severity Score:
- Medium
- CVE:
-
2024-1370
Maintenance Page
- Plugin:
-
Maintenance Page
- Plugin Slug:
- maintenance-page
- Installations
- 5,000+
- Vulnerability:
- Bypass Vulnerability
- Patched in Version:
- 1.0.9
- Severity Score:
- Medium
- CVE:
-
2024-1462
SMS Alert Order Notifications � WooCommerce
- Plugin Slug:
- sms-alert
- Installations
- 5,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 3.7.0
- Severity Score:
- Medium
- CVE:
-
2024-1489
Thank You Page Customizer for WooCommerce � Increase Your Sales
- Plugin Slug:
- woo-thank-you-page-customizer
- Installations
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.1.3
- Severity Score:
- Medium
- CVE:
-
2024-1687
Thank You Page Customizer for WooCommerce � Increase Your Sales
- Plugin Slug:
- woo-thank-you-page-customizer
- Installations
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.1.3
- Severity Score:
- Medium
- CVE:
-
2024-1686
Spiffy Calendar
- Plugin:
-
Spiffy Calendar
- Plugin Slug:
- spiffy-calendar
- Installations
- 3,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 4.9.9
- Severity Score:
- Medium
- CVE:
-
2024-0855
Academy LMS � eLearning and online course solution for WordPress
- Plugin Slug:
- academy
- Installations
- 1,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 1.9.20
- Severity Score:
- High
- CVE:
-
2024-1505
Archivist � Custom Archive Templates
- Plugin Slug:
- archivist-custom-archive-templates
- Installations
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.7.6
- Severity Score:
- High
- CVE:
-
2024-1810
Comments Extra Fields For Post,Pages and CPT
- Plugin Slug:
- wp-comment-fields
- Installations
- 1,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 5.1
- Severity Score:
- Medium
- CVE:
-
2024-0830
Comments Extra Fields For Post,Pages and CPT
- Plugin Slug:
- wp-comment-fields
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 5.1
- Severity Score:
- Medium
- CVE:
-
2024-0829
KODO Qiniu
- Plugin:
-
KODO Qiniu
- Plugin Slug:
- kodo-qiniu
- Installations
- 400+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 1.5.1
- Severity Score:
- Medium
Backup
- Plugin:
Backup
- Plugin Slug:
- backup2
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.0.9.9
- Severity Score:
- High
- CVE:
-
2023-7165
Elementor Pro
- Plugin:
Elementor Pro
- Plugin Slug:
- elementor-pro
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 3.19.3
- Severity Score:
- Medium
JobSearch
- Plugin:
JobSearch
- Plugin Slug:
- wp-jobsearch
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 2.3.4
- Severity Score:
- Critical
- CVE:
-
2023-6585
JobSearch
- Plugin:
JobSearch
- Plugin Slug:
- wp-jobsearch
- Vulnerability:
- Broken Authentication
- Patched in Version:
- 2.3.4
- Severity Score:
- Critical
- CVE:
-
2023-6584
WP Social Widget
- Plugin:
WP Social Widget
- Plugin Slug:
- wp-social-widget
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.2.6
- Severity Score:
- Medium
- CVE:
-
2024-27189
WordPress Themes � 2 Patched /0 Unpatched
Colibri WP
- Theme:
-
Colibri WP
- Theme Slug:
- colibri-wp
- Downloads
- 1,232,050
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 1.0.101
- Severity Score:
- Medium
- CVE:
-
2024-1360
Socialdriver
- Theme:
Socialdriver
- Theme Slug:
- socialdriver
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2024
- Severity Score:
- High
- CVE:
-
2023-4826