WordPress Vulnerability Report � January 17, 2024

In this report, 77 new vulnerabilities have been publicly disclosed. Security patches for 61 of these plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 16 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Free Online Training Event! Register Now!

January 24, 2024 @ 1:00 PM – 2:00 PM (CST)

Not all WordPress threats and vulnerabilities are �created equal.� Some require more immediate attention and pose a greater risk than others. Even with preventive tools in place, such as Solid Security Pro with Patchstack, you need to understand how to assess and respond to threats and vulnerabilities.

This livestream will help you understand what needs your attention first, how to use Security tools like Solid Security Pro to view, rank, and respond to threats, and how to harden your site moving forward.

Can’t make the live event? Go ahead and register, and we’ll email you the replay. See webinar time in your time zone.

WordPress Core

WordPress 6.4.2 was released on December 6, 2023, as a short-cycle maintenance and security release with seven bug fixes and one security patch for a potential Remote Code Execution (RCE) vulnerability that is not directly exploitable in most situations. However, combined with certain vulnerabilities in third-party plugins on a multisite network, this vulnerability could be exploited and pose a high-severity risk. The 6.4.1 update will prevent PHP object injections from being chained into a potential RCE, according to details published by Patchstack.

WordPress Plugins � 61 Patched / 16 Unpatched

WordPress Themes � 0 Patched / 0 Unpatched