WordPress Vulnerability Report � September 18, 2024

In this report, 102 vulnerabilities have been publicly disclosed. Security patches for 70 of these plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 32 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.6.2 is available! This minor release includes�15 bug fixes in Core�and�11 in the Block Editor, addressing issues like unexpected CSS specificity changes in certain themes.

WordPress Plugins � 68 Patched / 23 Unpatched

Plugin:: WCFM Marketplace � Multivendor Marketplace for WooCommerce
Plugin Slug:: wc-multivendor-marketplace
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-44009

Plugin:: IMPress for IDX Broker
Plugin Slug:: idx-broker-platinum
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-44047

Plugin:: WPCargo Track & Trace
Plugin Slug:: wpcargo
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-44004

Plugin:: Product Carousel Slider & Grid Ultimate for WooCommerce
Plugin Slug:: woo-product-carousel-slider-and-grid-ultimate
Installations: 9,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-44048

Plugin:: Spice Starter Sites
Plugin Slug:: spice-starter-sites
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-44003

Plugin:: Gutenberg Blocks � Unlimited blocks For Gutenberg
Plugin Slug:: unlimited-blocks
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-44049

Plugin:: Team Showcase
Plugin Slug:: team
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-44002

Plugin:: Pocket Widget
Plugin Slug:: pocket-widget
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-7918

Plugin:: Adicon Server
Plugin Slug:: adicons
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-7766

Plugin:: AZIndex
Plugin Slug:: azindex
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-7688

Plugin:: AZIndex
Plugin Slug:: azindex
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-7687

Plugin:: Custom Post Limits
Plugin Slug:: custom-post-limits
Vulnerability:: Full Path Disclosure (FPD)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6544

Plugin:: Email Obfuscate Shortcode
Plugin Slug:: email-obfuscate-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-8747

Plugin:: Exit Notifier
Plugin Slug:: exit-notifier
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-8730

Plugin:: Cron Jobs
Plugin Slug:: leira-cron-jobs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-8731

Plugin:: Roles & Capabilities
Plugin Slug:: leira-roles
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-8732

Plugin:: Lucas String Replace
Plugin Slug:: lucas-string-replace
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-8734

Plugin:: MM-Breaking News
Plugin Slug:: mm-breaking-news
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-8056

Plugin:: MM-Breaking News
Plugin Slug:: mm-breaking-news
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-8054

Plugin:: Quick Code
Plugin Slug:: quick-code
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-7822

Plugin:: Slider comparison image before and after
Plugin Slug:: slider-comparison-image-before-and-after
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-8543

Plugin:: Visual Sound
Plugin Slug:: visual-sound
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-7859

Plugin:: WooCommerce Multiple Free Gift
Plugin Slug:: woocommerce-multiple-free-gift
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2022-3459

Plugin:: Elementor Website Builder � More than Just a Page Builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.24.0
Severity Score:: Medium
CVE:: 2024-5416

Plugin:: Essential Addons for Elementor � Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.0.4
Severity Score:: Medium
CVE:: 2024-8440

Plugin:: Popup Maker � Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Plugin Slug:: popup-maker
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.19.1
Severity Score:: Medium
CVE:: 2024-5561

Plugin:: Migration, Backup, Staging � WPvivid
Plugin Slug:: wpvivid-backuprestore
Installations: 500,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 0.9.106
Severity Score:: High
CVE:: 2024-7315

Plugin:: Backuply � Backup, Restore, Migrate and Clone
Plugin Slug:: backuply
Installations: 200,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.3.5
Severity Score:: High
CVE:: 2024-8669

Plugin:: Gallery Plugin for WordPress � Envira Photo Gallery
Plugin Slug:: envira-gallery-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.15
Severity Score:: Medium
CVE:: 2024-3899

Plugin:: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme � My Sticky Bar (formerly myStickymenu)
Plugin Slug:: mystickymenu
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.3
Severity Score:: Medium
CVE:: 2024-7133

Plugin:: WooCommerce Multilingual & Multicurrency with WPML
Plugin Slug:: woocommerce-multilingual
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.3.7
Severity Score:: Medium
CVE:: 2024-44006

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 90,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.2.7.1
Severity Score:: Critical
CVE:: 2024-8522

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 90,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.2.7.1
Severity Score:: Critical
CVE:: 2024-8529

Plugin:: Stream
Plugin Slug:: stream
Installations: 90,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.0.2
Severity Score:: High
CVE:: 2024-7423

Plugin:: Tutor LMS � eLearning and online course solution
Plugin Slug:: tutor
Installations: 90,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.7.5
Severity Score:: Medium
CVE:: 2023-2919

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 80,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.4.8
Severity Score:: High
CVE:: 2024-6723

Plugin:: FOX � Currency Switcher Professional for WooCommerce
Plugin Slug:: woocommerce-currency-switcher
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.2.2
Severity Score:: High
CVE:: 2024-8271

Plugin:: Carousel Slider
Plugin Slug:: carousel-slider
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.4
Severity Score:: Medium
CVE:: 2024-6850

Plugin:: Post Grid and Gutenberg Blocks
Plugin Slug:: post-grid
Installations: 40,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.2.91
Severity Score:: High
CVE:: 2024-8253

Plugin:: Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 40,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.6.7.43
Severity Score:: Critical
CVE:: 2024-7129

Plugin:: Starbox � the Author Box for Humans
Plugin Slug:: starbox
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.2
Severity Score:: Medium
CVE:: 2024-7955

Plugin:: Advanced WordPress Backgrounds
Plugin Slug:: advanced-backgrounds
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.12.4
Severity Score:: Medium
CVE:: 2024-8045

Plugin:: Greenshift � animation and page builder blocks
Plugin Slug:: greenshift-animation-and-page-builder-blocks
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.4
Severity Score:: Medium
CVE:: 2024-44005

Plugin:: Logo Slider � Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation
Plugin Slug:: gs-logo-slider
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.9
Severity Score:: Medium
CVE:: 2024-7716

Plugin:: HTML5 Video Player � mp4 Video Player Plugin and Block
Plugin Slug:: html5-video-player
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.33
Severity Score:: Medium
CVE:: 2024-7727

Plugin:: HTML5 Video Player � mp4 Video Player Plugin and Block
Plugin Slug:: html5-video-player
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.35
Severity Score:: Medium
CVE:: 2024-7721

Plugin:: Master Addons � Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor
Plugin Slug:: master-addons
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.6.5
Severity Score:: Medium
CVE:: 2024-6282

Plugin:: WP Editor
Plugin Slug:: wp-editor
Installations: 30,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.2.9.1
Severity Score:: High
CVE:: 2022-2446

Plugin:: Bit File Manager � 100% Free & Open Source File Manager and Code Editor for WordPress
Plugin Slug:: file-manager
Installations: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 6.5.6
Severity Score:: Critical
CVE:: 2024-7770

Plugin:: Giveaways and Contests by RafflePress � Get More Website Traffic, Email Subscribers, and Social Followers
Plugin Slug:: rafflepress
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.12.16
Severity Score:: Medium
CVE:: 2024-6887

Plugin:: SKT Templates � 100% free Elementor & Gutenberg templates
Plugin Slug:: skt-templates
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.15
Severity Score:: High
CVE:: 2024-44007

Plugin:: WP Meta SEO
Plugin Slug:: wp-meta-seo
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.14
Severity Score:: Medium
CVE:: 2024-45455

Plugin:: WP Meta SEO
Plugin Slug:: wp-meta-seo
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.14
Severity Score:: Medium
CVE:: 2024-45456

Plugin:: WP Simple Booking Calendar
Plugin Slug:: wp-simple-booking-calendar
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.11
Severity Score:: High
CVE:: 2024-8663

Plugin:: WP Test Email
Plugin Slug:: wp-test-email
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.8
Severity Score:: High
CVE:: 2024-8664

Plugin:: Classified Listing � Classified ads & Business Directory Plugin
Plugin Slug:: classified-listing
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.8
Severity Score:: Medium
CVE:: 2024-7888

Plugin:: CM Pop-Up Banners for WordPress
Plugin Slug:: cm-pop-up-banners
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.3
Severity Score:: Medium
CVE:: 2024-5799

Plugin:: Maintenance Redirect
Plugin Slug:: jf3-maintenance-mode
Installations: 10,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.1.0
Severity Score:: Low
CVE:: 2024-45453

Plugin:: Product Slider for WooCommerce by PickPlugins
Plugin Slug:: woocommerce-products-slider
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.13.51
Severity Score:: High
CVE:: 2024-45459

Plugin:: WP Booking System � Booking Calendar
Plugin Slug:: wp-booking-system
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.19.9
Severity Score:: High
CVE:: 2024-8797

Plugin:: WordPress Affiliates Plugin � SliceWP Affiliates
Plugin Slug:: slicewp
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.21
Severity Score:: High
CVE:: 2024-8714

Plugin:: YITH Custom Login
Plugin Slug:: yith-custom-login
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.4
Severity Score:: High
CVE:: 2024-8665

Plugin:: Easy Property Listings
Plugin Slug:: easy-property-listings
Installations: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.5.4
Severity Score:: Medium
CVE:: 2024-3163

Plugin:: WP Delicious � Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
Plugin Slug:: delicious-recipes
Installations: 5,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.7.0
Severity Score:: High
CVE:: 2024-7626

Plugin:: EventON
Plugin Slug:: eventon-lite
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.17
Severity Score:: Medium
CVE:: 2024-6910

Plugin:: Geo Mashup
Plugin Slug:: geo-mashup
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.13.13
Severity Score:: Medium
CVE:: 2024-44008

Plugin:: EventPrime � Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.4.4
Severity Score:: Medium
CVE:: 2024-8369

Plugin:: MStore API � Create Native Android & iOS Apps On The Cloud
Plugin Slug:: mstore-api
Installations: 4,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 4.15.4
Severity Score:: Medium
CVE:: 2024-8269

Plugin:: MStore API � Create Native Android & iOS Apps On The Cloud
Plugin Slug:: mstore-api
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.15.4
Severity Score:: Medium
CVE:: 2024-8242

Plugin:: Tag Groups is the Advanced Way to Display Your Taxonomy Terms
Plugin Slug:: tag-groups
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.0.4
Severity Score:: Medium
CVE:: 2024-43237

Plugin:: Waitlist Woocommerce ( Back in stock notifier )
Plugin Slug:: waitlist-woocommerce
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.6
Severity Score:: High
CVE:: 2024-8724

Plugin:: Community by PeepSo � Social Network, Membership, Registration, User Profiles, Premium � Mobile App
Plugin Slug:: peepso-core
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.6.0
Severity Score:: Medium
CVE:: 2024-7618

Plugin:: PropertyHive
Plugin Slug:: propertyhive
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.20
Severity Score:: High
CVE:: 2024-8490

Plugin:: Simple Spoiler
Plugin Slug:: simple-spoiler
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2024-8479

Plugin:: Spiffy Calendar
Plugin Slug:: spiffy-calendar
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.14
Severity Score:: Medium
CVE:: 2024-45457

Plugin:: Spiffy Calendar
Plugin Slug:: spiffy-calendar
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.14
Severity Score:: High
CVE:: 2024-45458

Plugin:: Affiliate Super Assistent
Plugin Slug:: amazonsimpleadmin
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.4
Severity Score:: Medium
CVE:: 2024-8478

Plugin:: amCharts: Charts and Maps
Plugin Slug:: amcharts-charts-and-maps
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.5
Severity Score:: High
CVE:: 2024-8622

Plugin:: Post Form � Registration Form � Profile Form for User Profiles � Frontend Content Forms for User Submissions (UGC)
Plugin Slug:: buddyforms
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.8.12
Severity Score:: High
CVE:: 2024-8246

Plugin:: Floating Contact Button
Plugin Slug:: floating-contact
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8
Severity Score:: Medium
CVE:: 2024-7891

Plugin:: Login with phone number
Plugin Slug:: login-with-phone-number
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.7.50
Severity Score:: High
CVE:: 2024-6482

Plugin:: Nova Blocks by Pixelgrade
Plugin Slug:: nova-blocks
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.8
Severity Score:: Medium
CVE:: 2024-8241

Plugin:: PDF Thumbnail Generator
Plugin Slug:: pdf-thumbnail-generator
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2024-8737

Plugin:: Share This Image
Plugin Slug:: share-this-image
Installations: 1,000+
Vulnerability:: Open Redirection
Patched in Version:: 2.04
Severity Score:: Medium
CVE:: 2024-8761

Plugin:: video carousel slider with lightbox
Plugin Slug:: wp-responsive-video-gallery-with-lightbox
Installations: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.0.7
Severity Score:: High
CVE:: 2019-25212

Plugin:: WPFactory Helper
Plugin Slug:: wpcodefactory-helper
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1
Severity Score:: High
CVE:: 2024-8656

Plugin:: Frontend Dashboard
Plugin Slug:: frontend-dashboard
Installations: 900+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 2.2.5
Severity Score:: High
CVE:: 2024-8268

Plugin:: Flipping Cards
Plugin Slug:: flipping-cards
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.31
Severity Score:: Medium
CVE:: 2024-45460

Plugin:: NinjaTeam Header Footer Custom Code
Plugin Slug:: header-footer-code
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2
Severity Score:: Medium
CVE:: 2024-6493

Plugin:: Fusion Builder
Plugin Slug:: fusion-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.11.10
Severity Score:: Medium
CVE:: 2024-5628

Plugin:: WooCommerce Photo Reviews – Review Reminders – Review for Discounts
Plugin Slug:: woocommerce-photo-reviews
Vulnerability:: Broken Authentication
Patched in Version:: 1.3.14
Severity Score:: Critical
CVE:: 2024-8277