WordPress Vulnerability Report � March 13, 2024

In this report, 70 vulnerabilities have been publicly disclosed. Security patches for 57 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 13 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.

The next major release will be version 6.5, planned for March 26, 2024.

WordPress Plugins � 55 Patched / 13 Unpatched

Plugin:: HT Easy GA4 � Google Analytics WordPress Plugin
Plugin Slug:: ht-easy-google-analytics
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1176

Plugin:: Auto Refresh Single Page
Plugin Slug:: auto-refresh-single-page
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-1731

Plugin:: Blue Triad EZAnalytics
Plugin Slug:: blue-triad-ezanalytics
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-1782

Plugin:: Change Memory Limit
Plugin Slug:: change-memory-limit
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1093

Plugin:: Build & Control Block Patterns
Plugin Slug:: control-block-patterns
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1095

Plugin:: Droit Elementor Addons
Plugin Slug:: droit-elementor-addons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-2252

Plugin:: FeedWordPress
Plugin Slug:: feedwordpress
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0839

Plugin:: Maintenance Mode by helderk
Plugin Slug:: hkdev-maintenance-mode
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1478

Plugin:: Master Slider
Plugin Slug:: master-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0611

Plugin:: Master Slider
Plugin Slug:: master-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1449

Plugin:: Page Builder Sandwich � Front-End Page Builder
Plugin Slug:: page-builder-sandwich
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1285

Plugin:: Page Builder Sandwich � Front-End Page Builder
Plugin Slug:: page-builder-sandwich
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1381

Plugin:: Vimeography: Vimeo Video Gallery WordPress Plugin
Plugin Slug:: vimeography
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-0825

Plugin:: File Manager
Plugin Slug:: wp-file-manager
Installations: 1,000,000+
Vulnerability:: Path Traversal
Patched in Version:: 7.2.2
Severity Score:: High
CVE:: 2023-6825

Plugin:: SiteOrigin Widgets Bundle
Plugin Slug:: so-widgets-bundle
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.58.8
Severity Score:: Medium
CVE:: 2024-1723

Plugin:: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
Plugin Slug:: fluentform
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.10
Severity Score:: Medium
CVE:: 2023-6957

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.10.4
Severity Score:: Medium
CVE:: 2024-1366

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.10.4
Severity Score:: Medium
CVE:: 2024-1377

Plugin:: Metform Elementor Contact Form Builder
Plugin Slug:: metform
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.4
Severity Score:: Medium
CVE:: 2024-1585

Plugin:: Royal Elementor Addons and Templates
Plugin Slug:: royal-elementor-addons
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.92
Severity Score:: Medium
CVE:: 2024-1500

Plugin:: Page Builder: Pagelayer � Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.4
Severity Score:: Medium
CVE:: 2024-2127

Plugin:: Orbit Fox by ThemeIsle
Plugin Slug:: themeisle-companion
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.33
Severity Score:: Medium
CVE:: 2024-2126

Plugin:: Ultimate Member � User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.4
Severity Score:: High
CVE:: 2024-2123

Plugin:: Colibri Page Builder
Plugin Slug:: colibri-page-builder
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.263
Severity Score:: Medium
CVE:: 2024-1870

Plugin:: Social Sharing Plugin � Sassy Social Share
Plugin Slug:: sassy-social-share
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.59
Severity Score:: Medium
CVE:: 2024-1989

Plugin:: The Plus Addons for Elementor
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.1
Severity Score:: Medium
CVE:: 2024-1419

Plugin:: WP Chat App
Plugin Slug:: wp-whatsapp
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.2
Severity Score:: Medium
CVE:: 2024-1761

Plugin:: EmbedPress � Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
Plugin Slug:: embedpress
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.11
Severity Score:: Medium
CVE:: 2024-1802

Plugin:: EmbedPress � Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
Plugin Slug:: embedpress
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.11
Severity Score:: Medium
CVE:: 2024-2128

Plugin:: Event Tickets and Registration
Plugin Slug:: event-tickets
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.8.1
Severity Score:: Medium
CVE:: 2024-1316

Plugin:: Database for Contact Form 7, WPforms, Elementor forms
Plugin Slug:: contact-form-entries
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.4
Severity Score:: Medium
CVE:: 2024-2030

Plugin:: User Registration � Custom Registration Form, Login Form, and User Profile WordPress Plugin
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.5
Severity Score:: High
CVE:: 2024-1720

Plugin:: WP-Members Membership Plugin
Plugin Slug:: wp-members
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.9.2
Severity Score:: Medium
CVE:: 2024-1987

Plugin:: Simple Membership
Plugin Slug:: simple-membership
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.3
Severity Score:: High
CVE:: 2024-1985

Plugin:: Booster for WooCommerce
Plugin Slug:: woocommerce-jetpack
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.1.8
Severity Score:: Medium
CVE:: 2024-1534

Plugin:: Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 30,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.6.6.24
Severity Score:: Medium
CVE:: 2024-1760

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.2.11
Severity Score:: Medium
CVE:: 2024-2106

Plugin:: SportsPress � Sports Club & League Manager
Plugin Slug:: sportspress
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.18
Severity Score:: Medium
CVE:: 2024-1178

Plugin:: Product Carousel Slider & Grid Ultimate for WooCommerce
Plugin Slug:: woo-product-carousel-slider-and-grid-ultimate
Installations: 9,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.9.8
Severity Score:: High
CVE:: 2024-1950

Plugin:: JM Twitter Cards
Plugin Slug:: jm-twitter-cards
Installations: 7,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 14
Severity Score:: Medium
CVE:: 2024-1769

Plugin:: Ultimate Bootstrap Elements for Elementor
Plugin Slug:: ultimate-bootstrap-elements-for-elementor
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.7
Severity Score:: Medium
CVE:: 2024-1398

Plugin:: WPKoi Templates for Elementor
Plugin Slug:: wpkoi-templates-for-elementor
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.7
Severity Score:: Medium
CVE:: 2024-2136

Plugin:: Logo Showcase Ultimate � Logo Carousel, Logo Slider & Logo Grid
Plugin Slug:: logo-showcase-ultimate
Installations: 5,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3.9
Severity Score:: High
CVE:: 2024-1951

Plugin:: Auto Affiliate Links
Plugin Slug:: wp-auto-affiliate-links
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.4.3.1
Severity Score:: Medium
CVE:: 2024-1843

Plugin:: EventPrime � Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.3
Severity Score:: Medium
CVE:: 2024-1123

Plugin:: EventPrime � Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.4
Severity Score:: Medium
CVE:: 2024-1124

Plugin:: Profile Box Shortcode And Widget
Plugin Slug:: facebook-likebox-widget-and-shortcode
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.1
Severity Score:: Medium
CVE:: 2024-1401

Plugin:: Password Protected Store for WooCommerce
Plugin Slug:: password-protected-woo-store
Installations: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.3
Severity Score:: Medium
CVE:: 2024-1088

Plugin:: WooCommerce Add to Cart Custom Redirect
Plugin Slug:: woocommerce-add-to-cart-custom-redirect
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.14
Severity Score:: High
CVE:: 2024-1862

Plugin:: affiliate-toolkit � WordPress Affiliate Plugin
Plugin Slug:: affiliate-toolkit-starter
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.5
Severity Score:: Medium
CVE:: 2024-1851

Plugin:: affiliate-toolkit � WordPress Affiliate Plugin
Plugin Slug:: affiliate-toolkit-starter
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.5
Severity Score:: Medium
CVE:: 2024-2298

Plugin:: Post Grid, Slider & Carousel Ultimate � with Shortcode, Gutenberg Block & Elementor Widget
Plugin Slug:: post-grid-carousel-ultimate
Installations: 1,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.8
Severity Score:: High
CVE:: 2024-2006