WordPress Vulnerability Report � June 26, 2024

In this report, 194 vulnerabilities have been publicly disclosed. Security patches for 100 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 94 plugin and themes vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.5.5 is now available! This release features three security fixes. Because this is a security release, it is recommended that you update your sites immediately. This minor release also includes 3 bug fixes in Core.

WordPress Plugins � 85 Patched / 91 Unpatched

Plugin:: Custom Field Suite
Plugin Slug:: custom-field-suite
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-3562

Plugin:: Custom Field Suite
Plugin Slug:: custom-field-suite
Installations: 50,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-3561

Plugin:: Custom Field Suite
Plugin Slug:: custom-field-suite
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3558

Plugin:: Academy LMS � eLearning and online course solution for WordPress
Plugin Slug:: academy
Installations: 1,000+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2024-37234

Plugin:: Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter
Plugin Slug:: custom-add-to-cart-button-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37202

Plugin:: Event Monster � Event Management, Tickets Booking, Upcoming Event
Plugin Slug:: event-monster
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5059

Plugin:: My Favorites
Plugin Slug:: my-favorites
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37114

Plugin:: Optinly � Exit Intent, Newsletter Popups, Gamification & Opt-in Forms
Plugin Slug:: optinly
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37220

Plugin:: Zoho Marketing Automation
Plugin Slug:: zoho-marketinghub
Installations: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37225

Plugin:: Accordions
Plugin Slug:: accordions-or-faqs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37122

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37214

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37213

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37212

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37211

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37210

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4450

Plugin:: Ali2Woo Lite
Plugin Slug:: ali2woo-lite
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-2381

Plugin:: Bible Text
Plugin Slug:: bible-text
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5444

Plugin:: Blogmentor � Blog Layouts for Elementor
Plugin Slug:: blogmentor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37229

Plugin:: Blogmentor � Blog Layouts for Elementor
Plugin Slug:: blogmentor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4623

Plugin:: Scheduling Plugin � Online Booking for WordPress
Plugin Slug:: calendar-booking
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1634

Plugin:: CB (legacy)
Plugin Slug:: commons-booking
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4382

Plugin:: CB (legacy)
Plugin Slug:: commons-booking
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4381

Plugin:: ContentLock
Plugin Slug:: contentlock
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6022

Plugin:: ContentLock
Plugin Slug:: contentlock
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6023

Plugin:: ContentLock
Plugin Slug:: contentlock
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6024

Plugin:: CSSable Countdown
Plugin Slug:: cssable-countdown
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4384

Plugin:: Custom Product List Table
Plugin Slug:: custom-product-list-table
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4541

Plugin:: Demo Awesome
Plugin Slug:: demo-awesome
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37207

Plugin:: Demo Awesome
Plugin Slug:: demo-awesome
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37206

Plugin:: DImage 360
Plugin Slug:: dimage-360
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-35774

Plugin:: DOP Shortcodes
Plugin Slug:: dop-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4377

Plugin:: Elegant Themes Icons
Plugin Slug:: elegant-themes-icons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37100

Plugin:: EmbedSocial
Plugin Slug:: embedalbum-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3984

Plugin:: Empty Cart Button for WooCommerce
Plugin Slug:: empty-cart-button-for-woocommerce
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37217

Plugin:: Export WP Page to Static HTML/CSS
Plugin Slug:: export-wp-page-to-static-html
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3597

Plugin:: FS Poster
Plugin Slug:: fs-poster
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37237

Plugin:: Universal Slider
Plugin Slug:: fusion-slider
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5649

Plugin:: Kanban Boards for WordPress
Plugin Slug:: kanban
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37226

Plugin:: Kimili Flash Embed
Plugin Slug:: kimili-flash-embed
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37221

Plugin:: Laybuy Payment Extension for WooCommerce
Plugin Slug:: laybuy-gateway-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37203

Plugin:: License Manager for WooCommerce
Plugin Slug:: license-manager-for-woocommerce
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1639

Plugin:: Lifeline Donation
Plugin Slug:: lifeline-donation
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-5432

Plugin:: Page Builder: Live Composer
Plugin Slug:: live-composer-page-builder
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-35780

Plugin:: Page Builder: Live Composer
Plugin Slug:: live-composer-page-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-35779

Plugin:: Page Builder: Live Composer
Plugin Slug:: live-composer-page-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-35768

Plugin:: Master Slider
Plugin Slug:: master-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37222

Plugin:: Master Slider
Plugin Slug:: master-slider
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-50900

Plugin:: Master Slider
Plugin Slug:: master-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4375

Plugin:: MIMO Woocommerce Order Tracking
Plugin Slug:: mimo-woocommerce-order-tracking
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5768

Plugin:: Restaurant Reservations
Plugin Slug:: nd-restaurant-reservations
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37223

Plugin:: WordPress Picture / Portfolio / Media Gallery
Plugin Slug:: nimble-portfolio
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-5021

Plugin:: OSM Map Widget for Elementor
Plugin Slug:: osm-map-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4663

Plugin:: Page Builder Sandwich � Front-End Page Builder
Plugin Slug:: page-builder-sandwich
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37219

Plugin:: Page Builder Sandwich � Front-End Page Builder
Plugin Slug:: page-builder-sandwich
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37219

Plugin:: Page Builder Sandwich � Front-End Page Builder
Plugin Slug:: page-builder-sandwich
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37218

Plugin:: PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode
Plugin Slug:: paypal-pay-buy-donation-and-cart-buttons-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5448

Plugin:: PDF Viewer for Elementor
Plugin Slug:: pdf-viewer-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0845

Plugin:: Photo Video Gallery Master
Plugin Slug:: photo-video-gallery-master
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-5724

Plugin:: phpinfo() WP
Plugin Slug:: phpinfo-wp
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-35776

Plugin:: Play.ht
Plugin Slug:: play-ht
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37233

Plugin:: Promolayer
Plugin Slug:: promolayer-popup-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3602

Plugin:: Replace Image
Plugin Slug:: replace-image
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4873

Plugin:: Shortcode Addons
Plugin Slug:: shortcode-addons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37121

Plugin:: Sketchfab Embed
Plugin Slug:: sketchfab-oembed
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37216

Plugin:: Slideshow SE
Plugin Slug:: slideshow-se
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-35778

Plugin:: Slideshow SE
Plugin Slug:: slideshow-se
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-35769

Plugin:: SP Project & Document Manager
Plugin Slug:: sp-client-document-manager
Vulnerability:: Directory Traversal
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37224

Plugin:: Transition Slider � Responsive Image Slider and Gallery
Plugin Slug:: transition-slider-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37215

Plugin:: User Rights Access Manager
Plugin Slug:: user-rights-access-manager
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37209

Plugin:: Tabs
Plugin Slug:: vc-tabs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37120

Plugin:: Wheel of Life
Plugin Slug:: wheel-of-life
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3627

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-37113

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-37112

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Denial of Service Attack
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37111

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37110

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Arbitrary Code Execution
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-37109

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37108

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37107

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37106

Plugin:: Woocommerce Customers Order History
Plugin Slug:: woo-customers-order-history
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37201

Plugin:: Word Balloon
Plugin Slug:: word-balloon
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-35781

Plugin:: WP Blog Post Layouts
Plugin Slug:: wp-blog-post-layouts
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5503

Plugin:: WP Hotel Booking
Plugin Slug:: wp-hotel-booking
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-3605

Plugin:: WP Logs Book
Plugin Slug:: wp-logs-book
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-4477

Plugin:: WP Logs Book
Plugin Slug:: wp-logs-book
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4474

Plugin:: Pexels: Free Stock Photos
Plugin Slug:: wp-pexels-free-stock-photos
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-6132

Plugin:: WP Scraper
Plugin Slug:: wp-scraper
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37208

Plugin:: Widget Bundle
Plugin Slug:: wp-widget-bundle
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4970

Plugin:: Widget Bundle
Plugin Slug:: wp-widget-bundle
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4969

Plugin:: Widget Bundle
Plugin Slug:: wp-widget-bundle
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-4616

Plugin:: Loco Translate
Plugin Slug:: loco-translate
Installations: 1,000,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.6.10
Severity Score:: Medium
CVE:: 2024-37236

Plugin:: Smush Image Optimization � Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN
Plugin Slug:: wp-smushit
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.16.5
Severity Score:: Medium
CVE:: 2023-3352

Plugin:: Solid Security � Password, Two Factor Authentication, and Brute Force Protection
Plugin Slug:: better-wp-security
Installations: 900,000+
Vulnerability:: Denial of Service Attack
Patched in Version:: 9.3.2
Severity Score:: Low
CVE:: 2022-44593

Plugin:: SiteGuard WP Plugin
Plugin Slug:: siteguard
Installations: 500,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.7.7
Severity Score:: Medium
CVE:: 2024-37881

Plugin:: SEOPress � On-site SEO
Plugin Slug:: wp-seopress
Installations: 300,000+
Vulnerability:: Open Redirection
Patched in Version:: 7.8
Severity Score:: Medium
CVE:: 2024-4900

Plugin:: SEOPress � On-site SEO
Plugin Slug:: wp-seopress
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.8
Severity Score:: Medium
CVE:: 2024-4899

Plugin:: SEOPress � On-site SEO
Plugin Slug:: wp-seopress
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.9.1
Severity Score:: Medium
CVE:: 2024-1168

Plugin:: WooCommerce Checkout & Funnel Builder by CartFlows � Create High Converting Stores For WooCommerce
Plugin Slug:: cartflows
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.8
Severity Score:: Medium
CVE:: 2024-4632

Plugin:: Orbit Fox by ThemeIsle
Plugin Slug:: themeisle-companion
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.35
Severity Score:: Medium
CVE:: 2024-2484

Plugin:: Gallery Plugin for WordPress � Envira Photo Gallery
Plugin Slug:: envira-gallery-lite
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.8.8
Severity Score:: Medium
CVE:: 2024-37095

Plugin:: Defender Security � Malware Scanner, Login Security & Firewall
Plugin Slug:: defender-security
Installations: 90,000+
Vulnerability:: Broken Authentication
Patched in Version:: 3.3.3
Severity Score:: Medium
CVE:: 2022-44581

Plugin:: Slider & Popup Builder by Depicter � Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel
Plugin Slug:: depicter
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.0
Severity Score:: Medium
CVE:: 2024-4390

Plugin:: Email Subscribers by Icegram Express � Email Marketing, Newsletters, Automation for WordPress & WooCommerce
Plugin Slug:: email-subscribers
Installations: 90,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.7.24
Severity Score:: Critical
CVE:: 2024-5756

Plugin:: Paid Memberships Pro � Content Restriction, User Registration, & Paid Subscriptions
Plugin Slug:: paid-memberships-pro
Installations: 90,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.0
Severity Score:: Medium
CVE:: 2024-1407

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.17
Severity Score:: High
CVE:: 2024-5605

Plugin:: Booking for Appointments and Events Calendar � Amelia
Plugin Slug:: ameliabooking
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2024-6225

Plugin:: User Profile Picture
Plugin Slug:: metronet-profile-picture
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.2
Severity Score:: Medium
CVE:: 2024-5639

Plugin:: WP 2FA � Two-factor authentication for WordPress
Plugin Slug:: wp-2fa
Installations: 60,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.6.4
Severity Score:: Medium
CVE:: 2022-44587

Plugin:: ConvertKit � Email Newsletter, Email Marketing, Subscribers and Landing Pages
Plugin Slug:: convertkit
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.9.1
Severity Score:: Medium
CVE:: 2024-3961

Plugin:: Photo Gallery, Images, Slider in Rbs Image Gallery
Plugin Slug:: robo-gallery
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.20
Severity Score:: Medium
CVE:: 2024-3894

Plugin:: Photo Gallery, Images, Slider in Rbs Image Gallery
Plugin Slug:: robo-gallery
Installations: 50,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.2.20
Severity Score:: Medium
CVE:: 2024-5343

Plugin:: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
Plugin Slug:: sina-extension-for-elementor
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.5
Severity Score:: Medium
CVE:: 2024-5036

Plugin:: Ultimate Blocks � WordPress Blocks Plugin
Plugin Slug:: ultimate-blocks
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.1
Severity Score:: Medium
CVE:: 2023-6692

Plugin:: WP Maintenance
Plugin Slug:: wp-maintenance
Installations: 50,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 6.1.9.3
Severity Score:: Medium
CVE:: 2024-0789

Plugin:: Popup Box � Create Countdown, Coupon, Video, Contact Form Popups
Plugin Slug:: ays-popup-box
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.5.2
Severity Score:: Medium
CVE:: 2024-37096

Plugin:: BlossomThemes Email Newsletter
Plugin Slug:: blossomthemes-email-newsletter
Installations: 30,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.2.7
Severity Score:: Medium
CVE:: 2024-37098

Plugin:: Greenshift � animation and page builder blocks
Plugin Slug:: greenshift-animation-and-page-builder-blocks
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.9.4
Severity Score:: Medium
CVE:: 2024-35765

Plugin:: Themify � WooCommerce Product Filter
Plugin Slug:: themify-wc-product-filter
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.0
Severity Score:: Critical
CVE:: 2024-6027

Plugin:: Hide Dashboard Notifications
Plugin Slug:: wp-hide-backed-notices
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.1
Severity Score:: Medium
CVE:: 2024-1955

Plugin:: WP SVG Images
Plugin Slug:: wp-svg-images
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3
Severity Score:: Medium
CVE:: 2024-5945

Plugin:: Branda � White Label WordPress, Custom Login Page Customizer
Plugin Slug:: branda-white-labeling
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.18
Severity Score:: Medium
CVE:: 2024-5191

Plugin:: Serious Slider
Plugin Slug:: cryout-serious-slider
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.5
Severity Score:: Medium
CVE:: 2024-35762

Plugin:: Table Addons for Elementor
Plugin Slug:: table-addons-for-elementor
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.3
Severity Score:: Medium
CVE:: 2024-4313

Plugin:: WPZOOM Addons for Elementor (Templates, Widgets)
Plugin Slug:: wpzoom-elementor-addons
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.39
Severity Score:: Medium
CVE:: 2024-5686

Plugin:: Business Directory Plugin � Easy Listing Directories for WordPress
Plugin Slug:: business-directory-plugin
Installations: 10,000+
Vulnerability:: CSV Injection
Patched in Version:: 6.4.4
Severity Score:: Medium
CVE:: 2023-5527

Plugin:: JetWidgets For Elementor
Plugin Slug:: jetwidgets-for-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.18
Severity Score:: Medium
CVE:: 2024-4626

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.13
Severity Score:: High
CVE:: 2024-37094

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.2.2
Severity Score:: Medium
CVE:: 2024-37093

Plugin:: Sparkle Demo Importer
Plugin Slug:: sparkle-demo-importer
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.8
Severity Score:: Medium
CVE:: 2024-6120

Plugin:: WP Child Theme Generator
Plugin Slug:: wp-child-theme-generator
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.2
Severity Score:: Medium
CVE:: 2024-3610

Plugin:: Enhance Your Posts with the WP Post Author Box, Co-Authors, Guest Authors, and Post Rating System, including Registration Form Builder
Plugin Slug:: wp-post-author
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.8
Severity Score:: Medium
CVE:: 2024-37101

Plugin:: Vimeography: Vimeo Video Gallery WordPress Plugin
Plugin Slug:: vimeography
Installations: 8,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.2
Severity Score:: Medium
CVE:: 2024-35770

Plugin:: WP Magazine Modules Lite
Plugin Slug:: wp-magazine-modules-lite
Installations: 7,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.3
Severity Score:: High
CVE:: 2024-5574

Plugin:: WPAdverts � Classifieds Plugin
Plugin Slug:: wpadverts
Installations: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.3
Severity Score:: Medium
CVE:: 2024-37238

Plugin:: Salon Booking System
Plugin Slug:: salon-booking-system
Installations: 5,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 10.0
Severity Score:: High
CVE:: 2024-37231

Plugin:: Salon Booking System
Plugin Slug:: salon-booking-system
Installations: 5,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 10.3
Severity Score:: Critical
CVE:: 2024-3229

Plugin:: WP Job Portal � A Complete Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.4
Severity Score:: Medium
CVE:: 2024-35760

Plugin:: WP Job Portal � A Complete Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.4
Severity Score:: Medium
CVE:: 2024-35759

Plugin:: InstaWP Connect � 1-click WP Staging & Migration
Plugin Slug:: instawp-connect
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.1.0.39
Severity Score:: Critical
CVE:: 2024-37228

Plugin:: Tickera � WordPress Event Ticketing
Plugin Slug:: tickera-event-ticketing-system
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.2.9
Severity Score:: Medium
CVE:: 2024-5860

Plugin:: MaxGalleria
Plugin Slug:: maxgalleria
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.5
Severity Score:: Medium
CVE:: 2024-5970

Plugin:: Newsletters
Plugin Slug:: newsletters-lite
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.9.8
Severity Score:: Medium
CVE:: 2024-37227

Plugin:: PropertyHive
Plugin Slug:: propertyhive
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.10
Severity Score:: Medium
CVE:: 2024-37204

Plugin:: WP-Lister Lite for eBay
Plugin Slug:: wp-lister-for-ebay
Installations: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.5.9
Severity Score:: High
CVE:: 2024-24709

Plugin:: affiliate-toolkit � WordPress Affiliate Plugin
Plugin Slug:: affiliate-toolkit-starter
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.4.5
Severity Score:: Medium
CVE:: 2024-37205

Plugin:: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner � Groundhogg
Plugin Slug:: groundhogg
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.4.3
Severity Score:: Medium
CVE:: 2024-37235

Plugin:: Online Booking & Scheduling Calendar for WordPress by vcita
Plugin Slug:: meeting-scheduler-by-vcita
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.3
Severity Score:: High
CVE:: 2024-5791

Plugin:: Online Booking & Scheduling Calendar for WordPress by vcita
Plugin Slug:: meeting-scheduler-by-vcita
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.1
Severity Score:: Medium
CVE:: 2024-35761

Plugin:: WP Secure Maintenance
Plugin Slug:: wp-secure-maintainance
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2024-4753

Plugin:: Church Admin
Plugin Slug:: church-admin
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.5
Severity Score:: Medium
CVE:: 2024-35764

Plugin:: Easy Age Verify
Plugin Slug:: easy-age-verify
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.3
Severity Score:: Medium
CVE:: 2024-35757

Plugin:: Falang multilanguage for WordPress
Plugin Slug:: falang
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.52
Severity Score:: Medium
CVE:: 2024-37240

Plugin:: Login with phone number
Plugin Slug:: login-with-phone-number
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.35
Severity Score:: High
CVE:: 2024-6125

Plugin:: Newspack Newsletters
Plugin Slug:: newspack-newsletters
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.13.3
Severity Score:: Medium
CVE:: 2024-37242

Plugin:: Shariff for WordPress
Plugin Slug:: shariff-sharing
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.6.14
Severity Score:: Critical
CVE:: 2024-4098

Plugin:: Image Optimizer, Resizer and CDN � Sirv
Plugin Slug:: sirv
Installations: 1,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 7.2.7
Severity Score:: Critical
CVE:: 2024-5853

Plugin:: Typing Text
Plugin Slug:: typing-text
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.6
Severity Score:: Medium
CVE:: 2024-5058

Plugin:: WPPizza � A Restaurant Plugin
Plugin Slug:: wppizza
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.18.14
Severity Score:: High
CVE:: 2024-35766

Plugin:: Responsive video embed
Plugin Slug:: responsive-video-embed
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.5.1
Severity Score:: Medium
CVE:: 2024-5475

Plugin:: Squeeze
Plugin Slug:: squeeze
Installations: 200+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.4.1
Severity Score:: Critical
CVE:: 2024-35767

Plugin:: Bricks Builder (Premium)
Plugin Slug:: bricksbuilder
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.9.9
Severity Score:: Medium
CVE:: 2024-4874

Plugin:: Consulting Elementor Widgets
Plugin Slug:: consulting-elementor-widgets
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2024-37092

Plugin:: Consulting Elementor Widgets
Plugin Slug:: consulting-elementor-widgets
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.3.1
Severity Score:: Critical
CVE:: 2024-37091

Plugin:: Consulting Elementor Widgets
Plugin Slug:: consulting-elementor-widgets
Vulnerability:: SQL Injection
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2024-37090

Plugin:: Consulting Elementor Widgets
Plugin Slug:: consulting-elementor-widgets
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.1
Severity Score:: Critical
CVE:: 2024-37089

Plugin:: Cost Calculator Builder Pro
Plugin Slug:: cost-calculator-builder-pro
Vulnerability:: Content Spoofing
Patched in Version:: 3.1.76
Severity Score:: Medium
CVE:: 2024-4787

Plugin:: Hercules Core
Plugin Slug:: hercules-core
Vulnerability:: Settings Change
Patched in Version:: 6.7
Severity Score:: High
CVE:: 2024-37232

Plugin:: Ibtana
Plugin Slug:: ibtana-visual-editor
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.3.4
Severity Score:: Medium
CVE:: 2024-37123

Plugin:: Ibtana
Plugin Slug:: ibtana-visual-editor
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.3.4
Severity Score:: Medium
CVE:: 2024-5541

Plugin:: Newspack Blocks
Plugin Slug:: newspack-blocks
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.0.9
Severity Score:: High
CVE:: 2024-37115

Plugin:: The Plus Addons for Elementor Pro
Plugin Slug:: theplus_elementor_addon
Vulnerability:: Local File Inclusion
Patched in Version:: 5.6.0
Severity Score:: High
CVE:: 2024-5455

Plugin:: The Plus Addons for Elementor Pro
Plugin Slug:: theplus_elementor_addon
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.0
Severity Score:: High
CVE:: 2024-5344

Plugin:: Uber Menu
Plugin Slug:: ubermenu
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.8.4
Severity Score:: Medium
CVE:: 2024-3593

Plugin:: Shortcodes by United Themes
Plugin Slug:: ut-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.5
Severity Score:: High
CVE:: 2024-37097

Plugin:: WP Job Manager – Resume Manager
Plugin Slug:: wp-job-manager-resumes
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.2.0
Severity Score:: Medium
CVE:: 2024-37241

WordPress Themes � 15 Patched / 3 Unpatched

Theme:: Sinatra
Theme Slug:: sinatra
Downloads: 1,639,897
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37116

Theme:: Grey Opaque
Theme Slug:: grey-opaque
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5966

Theme:: Mosaic
Theme Slug:: mosaic
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5965

Theme:: Book Landing Page
Theme Slug:: book-landing-page
Downloads: 128,701
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.4
Severity Score:: Medium
CVE:: 2024-37230

Theme:: Chic Lite
Theme Slug:: chic-lite
Downloads: 216,515
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.4
Severity Score:: Medium
CVE:: 2024-37104

Theme:: Customizr
Theme Slug:: customizr
Downloads: 4,188,035
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.4.22
Severity Score:: Medium
CVE:: 2024-35771

Theme:: Digital Newspaper
Theme Slug:: digital-newspaper
Downloads: 47,141
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2024-37198

Theme:: Education Zone
Theme Slug:: education-zone
Downloads: 444,963
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.5
Severity Score:: Medium
CVE:: 2024-37103

Theme:: Excellent
Theme Slug:: excellent
Downloads: 116,583
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2024-35763

Theme:: Hueman
Theme Slug:: hueman
Downloads: 3,005,399
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.7.25
Severity Score:: Medium
CVE:: 2024-35772

Theme:: Interface
Theme Slug:: interface
Downloads: 429,855
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.1
Severity Score:: Medium
CVE:: 2024-35758

Theme:: Materialis
Theme Slug:: materialis
Downloads: 255,867
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.30
Severity Score:: Medium
CVE:: 2023-3204

Theme:: Vandana Lite
Theme Slug:: vandana-lite
Downloads: 117,403
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.0
Severity Score:: Medium
CVE:: 2024-37243

Theme:: Vilva
Theme Slug:: vilva
Downloads: 441,200
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.3
Severity Score:: Medium
CVE:: 2024-37102

Theme:: Divi
Theme Slug:: divi
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.25.2
Severity Score:: Medium
CVE:: 2024-5533

Theme:: Enfold
Theme Slug:: enfold
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.10
Severity Score:: High
CVE:: 2024-37199

Theme:: Flatsome
Theme Slug:: flatsome
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.19.0
Severity Score:: Medium
CVE:: 2024-5346

Theme:: Flatsome
Theme Slug:: flatsome
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.19.0
Severity Score:: Medium
CVE:: 2024-5156