WordPress Vulnerability Report � July 10, 2024

In this report, 182 vulnerabilities have been publicly disclosed. Security patches for 123 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 59 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.5.5 is now available! This release features three security fixes. Because this is a security release, it is recommended that you update your sites immediately. This minor release also includes 3 bug fixes in Core.

WordPress 6.6 RC3�is ready for download and testing! The target release date for WordPress 6.6 is July 16, 2024. Your help testing RC versions is vital to ensuring the final release is everything it should be: stable, powerful, and intuitive.

WordPress Plugins � 103 Patched / 56 Unpatched

Plugin:: Social Media Share Buttons & Social Sharing Icons
Plugin Slug:: ultimate-social-media-icons
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37552

Plugin:: Meks Easy Ads Widget
Plugin Slug:: meks-easy-ads-widget
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37548

Plugin:: WPJAM Basic
Plugin Slug:: wpjam-basic
Installations: 5,000+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Ultimate WordPress Auction Plugin
Plugin Slug:: ultimate-auction
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37543

Plugin:: CC & BCC for Woocommerce Order Emails
Plugin Slug:: cc-bcc-for-woocommerce-order-emails
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37522

Plugin:: nicen-localize-image
Plugin Slug:: nicen-localize-image
Installations: 1,000+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer)
Plugin Slug:: stepbyteservice-openstreetmap
Installations: 1,000+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Tooltip for Gravity Forms
Plugin Slug:: tooltip-for-gravity-forms
Installations: 1,000+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: WPFavicon
Plugin Slug:: wpfavicon
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37558

Plugin:: Leaky Paywall
Plugin Slug:: leaky-paywall
Installations: 800+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37540

Plugin:: Quiz | Survey | Exam | Questionnaire | Feedback � Best Survey Plugin for WordPress
Plugin Slug:: totalsurvey
Installations: 600+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Taager
Plugin Slug:: taager
Installations: 500+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Weight Tracker
Plugin Slug:: weight-loss-tracker
Installations: 500+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Rating Widget: Post Rating, 5 Star Rating, Reviews, Thumbs Up & Down, Reaction
Plugin Slug:: totalrating
Installations: 300+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Link To Bible
Plugin Slug:: link-to-bible
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37538

Plugin:: Amelia Shortcode Extended
Plugin Slug:: theidealweb-amelia-shortcode-extended
Installations: 200+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: WS Theme Addons
Plugin Slug:: ws-theme-addons
Installations: 200+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Canvas-Nest.js
Plugin Slug:: canvas-nestjs
Installations: 100+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Logic Hop � Dynamic Content Personalization for WordPress
Plugin Slug:: logic-hop
Installations: 100+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Meal Tracker
Plugin Slug:: meal-tracker
Installations: 100+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Contact Form by TotalForm � Next-gen Form Builder for WordPress
Plugin Slug:: totalform
Installations: 70+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: WS Contact Form
Plugin Slug:: ws-contact-form
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37537

Plugin:: Easy Speedup by PageCDN
Plugin Slug:: pagecdn
Installations: 30+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: WebSitter Pro
Plugin Slug:: triagetrak
Installations: 30+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Magic Conversation For Gravity Forms
Plugin Slug:: magic-conversation-for-gravity-forms
Installations: 10+
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Field Day
Plugin Slug:: activityhub
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Livemesh Addons for Elementor
Plugin Slug:: addons-for-elementor
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37547

Plugin:: Livemesh Addons for Elementor
Plugin Slug:: addons-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3638

Plugin:: ADDRESSYA
Plugin Slug:: addressya-for-woocommerce
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: alfred24 Click & Collect
Plugin Slug:: alfred-click-collect
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Alfred Easy Shipping
Plugin Slug:: alfred-easy-shipping
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: CommandBar for WP Admin
Plugin Slug:: commandbar-for-wp-admin
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Digital River Global Commerce
Plugin Slug:: digital-river-global-commerce
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Easy Custom Code (LESS/CSS/JS) � Live editing
Plugin Slug:: easy-custom-code
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37536

Plugin:: Floating Social Buttons
Plugin Slug:: floating-social-buttons
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6405

Plugin:: Floating Social Media Links
Plugin Slug:: floating-social-media-links
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37545

Plugin:: Responsive Image Gallery, Gallery Album
Plugin Slug:: gallery-album
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37542

Plugin:: Ideaplus
Plugin Slug:: ideaplus
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Image Hover Effects – Caption Hover with Carousel
Plugin Slug:: image-hover-effects-with-carousel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37546

Plugin:: Jobs.af
Plugin Slug:: jobs-af
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Login Logo Editor
Plugin Slug:: login-logo-editor-by-oizuled
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37523

Plugin:: Mine Video Player
Plugin Slug:: mine-video
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Get Better Reviews for WooCommerce
Plugin Slug:: more-better-reviews-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37544

Plugin:: Save as PDF plugin by Pdfcrowd
Plugin Slug:: save-as-pdf-by-pdfcrowd
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37549

Plugin:: Simple Social Share
Plugin Slug:: simple-social-share
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37551

Plugin:: Simply Show Hooks
Plugin Slug:: simply-show-hooks
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: sitetweet
Plugin Slug:: sitetweet-tweets-user-behaviors-on-your-site-on-twitter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-5767

Plugin:: Elementor Addons, Widgets and Enhancements � Stax
Plugin Slug:: stax-addons-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37541

Plugin:: Template Kit � Export
Plugin Slug:: template-kit-export
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37550

Plugin:: Testimonials Widget
Plugin Slug:: testimonials-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37553

Plugin:: UltraAddons Elementor Lite
Plugin Slug:: ultraaddons-elementor-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37554

Plugin:: Viva Payments
Plugin Slug:: viva-payments-simple-checkout
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: WordPress Notification Bar
Plugin Slug:: wordpress-notification-bar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37556

Plugin:: wp-code-highlightjs
Plugin Slug:: wp-code-highlightjs
Vulnerability:: Backdoor
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: WP Cookie Law Info
Plugin Slug:: wp-cookie-law-info
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37557

Plugin:: WP To Do
Plugin Slug:: wp-todo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37539

Plugin:: Elementor Header & Footer Builder
Plugin Slug:: header-footer-elementor
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.36
Severity Score:: Medium
CVE:: 2024-33933

Plugin:: Rank Math SEO � AI SEO Tools to Dominate SEO Rankings
Plugin Slug:: seo-by-rank-math
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.219
Severity Score:: Medium
CVE:: 2024-4627

Plugin:: Ninja Forms � The Contact Form Builder That Grows With You
Plugin Slug:: ninja-forms
Installations: 800,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.5
Severity Score:: Medium
CVE:: 2024-37934

Plugin:: Spectra � WordPress Gutenberg Blocks
Plugin Slug:: ultimate-addons-for-gutenberg
Installations: 800,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.13.8
Severity Score:: Medium
CVE:: 2024-37517

Plugin:: Premium Addons for Elementor
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Denial of Service Attack
Patched in Version:: 4.10.36
Severity Score:: Low
CVE:: 2024-6434

Plugin:: Premium Addons for Elementor
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.10.36
Severity Score:: Medium
CVE:: 2024-6340

Plugin:: The Events Calendar
Plugin Slug:: the-events-calendar
Installations: 700,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.5.1.5
Severity Score:: Medium
CVE:: 2024-37518

Plugin:: Ocean Extra
Plugin Slug:: ocean-extra
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2024-37489

Plugin:: Gutenberg
Plugin Slug:: gutenberg
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 18.6.1
Severity Score:: Medium
CVE:: 2024-37492

Plugin:: Beaver Builder � WordPress Page Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.3
Severity Score:: Medium
CVE:: 2024-37500

Plugin:: The Plus Addons for Elementor � Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.2
Severity Score:: Medium
CVE:: 2024-4482

Plugin:: Nested Pages
Plugin Slug:: wp-nested-pages
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.2.8
Severity Score:: High
CVE:: 2024-5943

Plugin:: Featured Image from URL (FIFU)
Plugin Slug:: featured-image-from-url
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.8.3
Severity Score:: Medium
CVE:: 2024-37516

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.6.8.2
Severity Score:: Medium
CVE:: 2024-6088

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.6.8.2
Severity Score:: Medium
CVE:: 2024-6099

Plugin:: Paid Memberships Pro � Content Restriction, User Registration, & Paid Subscriptions
Plugin Slug:: paid-memberships-pro
Installations: 90,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.0.6
Severity Score:: High
CVE:: 2024-37486

Plugin:: The Post Grid � Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Plugin Slug:: the-post-grid
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.7.5
Severity Score:: Medium
CVE:: 2024-37483

Plugin:: The Post Grid � Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Plugin Slug:: the-post-grid
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.7.5
Severity Score:: Medium
CVE:: 2024-37482

Plugin:: The Post Grid � Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Plugin Slug:: the-post-grid
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.7.5
Severity Score:: Medium
CVE:: 2024-37481

Plugin:: The Post Grid � Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Plugin Slug:: the-post-grid
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.7.2
Severity Score:: Medium
CVE:: 2024-1427

Plugin:: Booking for Appointments and Events Calendar � Amelia
Plugin Slug:: ameliabooking
Installations: 70,000+
Vulnerability:: Backdoor
Patched in Version:: 1.1.9
Severity Score:: Medium

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.18
Severity Score:: High
CVE:: 2024-5544

Plugin:: Form Maker by 10Web � Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.15.26
Severity Score:: Medium
CVE:: 2024-6130

Plugin:: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
Plugin Slug:: sina-extension-for-elementor
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.6
Severity Score:: Medium
CVE:: 2024-5260

Plugin:: Ultimate Blocks � WordPress Blocks Plugin
Plugin Slug:: ultimate-blocks
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.0
Severity Score:: Medium
CVE:: 2024-37457

Plugin:: Pixel Manager for WooCommerce � Track Google Analytics, Google Ads, TikTok and more
Plugin Slug:: woocommerce-google-adwords-conversion-tracking-tag
Installations: 50,000+
Vulnerability:: Backdoor
Patched in Version:: 1.43.4
Severity Score:: Medium

Plugin:: Quiz and Survey Master (QSM) � Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.0.2
Severity Score:: Medium
CVE:: 2024-4934

Plugin:: WP Lightbox 2
Plugin Slug:: wp-lightbox-2
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.6.7
Severity Score:: Medium
CVE:: 2024-6263

Plugin:: Apollo13 Framework Extensions
Plugin Slug:: apollo13-framework-extensions
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.4
Severity Score:: Medium
CVE:: 2024-37480

Plugin:: Void Contact Form 7 Widget For Elementor Page Builder
Plugin Slug:: cf7-widget-elementor
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.1
Severity Score:: Medium
CVE:: 2024-5419

Plugin:: Cost Calculator Builder
Plugin Slug:: cost-calculator-builder
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.13
Severity Score:: Medium
CVE:: 2024-6011

Plugin:: Cost Calculator Builder
Plugin Slug:: cost-calculator-builder
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.13
Severity Score:: Medium
CVE:: 2024-6012

Plugin:: Easy Google Maps
Plugin Slug:: google-maps-easy
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.11.16
Severity Score:: Medium
CVE:: 2024-5219

Plugin:: Rife Elementor Extensions & Templates
Plugin Slug:: rife-elementor-extensions
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.2
Severity Score:: Medium
CVE:: 2024-5504

Plugin:: weForms � Easy Drag & Drop Contact Form Builder For WordPress
Plugin Slug:: weforms
Installations: 20,000+
Vulnerability:: Backdoor
Patched in Version:: 1.6.24
Severity Score:: Medium

Plugin:: WP User Frontend � Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission Plugin
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: Backdoor
Patched in Version:: 4.0.8
Severity Score:: Medium

Plugin:: Donation Forms by Charitable � Donations Plugin & Fundraising Platform for WordPress
Plugin Slug:: charitable
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.1.8
Severity Score:: Medium
CVE:: 2024-37510

Plugin:: Donation Forms by Charitable � Donations Plugin & Fundraising Platform for WordPress
Plugin Slug:: charitable
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.1.8
Severity Score:: Medium
CVE:: 2024-37506

Plugin:: AI Power: Complete AI Pack � Powered by GPT-4
Plugin Slug:: gpt3-ai-content-generator
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.67
Severity Score:: Medium
CVE:: 2024-37465

Plugin:: LA-Studio Element Kit for Elementor
Plugin Slug:: lastudio-element-kit
Installations: 10,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.9
Severity Score:: High
CVE:: 2024-37479

Plugin:: Mega Elements � Addons for Elementor
Plugin Slug:: mega-elements-addons-for-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.3
Severity Score:: Medium
CVE:: 2024-37466

Plugin:: Simple Newsletter Plugin � Noptin
Plugin Slug:: newsletter-optin-box
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.3
Severity Score:: Medium
CVE:: 2024-37456

Plugin:: NEX-Forms � Ultimate Form Builder � Contact forms and much more
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.6.1
Severity Score:: Medium
CVE:: 2024-37512

Plugin:: Swift Performance Lite
Plugin Slug:: swift-performance-lite
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.3.6.21
Severity Score:: Medium
CVE:: 2024-37511

Plugin:: Product Customer List for WooCommerce
Plugin Slug:: wc-product-customer-list
Installations: 10,000+
Vulnerability:: Backdoor
Patched in Version:: 3.1.7
Severity Score:: Medium

Plugin:: Word Balloon
Plugin Slug:: word-balloon
Installations: 10,000+
Vulnerability:: Backdoor
Patched in Version:: 4.22.2
Severity Score:: Medium

Plugin:: Event Manager, Events Calendar, Tickets, Registrations � Eventin
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.0
Severity Score:: Medium
CVE:: 2024-37507

Plugin:: Motors � Car Dealer, Classifieds & Listing
Plugin Slug:: motors-car-dealership-classified-listings
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.11
Severity Score:: Medium
CVE:: 2024-5545

Plugin:: Tablesome � Responsive Table, Woocommerce Automation, Email Log, Form Automation � Contact Form 7, Elementor, WPForms, Forminator
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.34
Severity Score:: Medium
CVE:: 2024-37498

Plugin:: WordPress Sentry
Plugin Slug:: wp-sentry-integration
Installations: 9,000+
Vulnerability:: Backdoor
Patched in Version:: 7.9.0
Severity Score:: Medium

Plugin:: YITH WooCommerce Affiliates
Plugin Slug:: yith-woocommerce-affiliates
Installations: 8,000+
Vulnerability:: Backdoor
Patched in Version:: 3.8.1
Severity Score:: Medium

Plugin:: Youzify � BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Plugin Slug:: youzify
Installations: 8,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.2.6
Severity Score:: High
CVE:: 2024-37494

Plugin:: Create by Mediavine
Plugin Slug:: mediavine-create
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.8
Severity Score:: Medium
CVE:: 2024-37495

Plugin:: ProfileGrid � User Profiles, Groups and Communities
Plugin Slug:: profilegrid-user-profiles-groups-and-communities
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.8.8
Severity Score:: Medium
CVE:: 2024-37453

Plugin:: Ultimate Bootstrap Elements for Elementor
Plugin Slug:: ultimate-bootstrap-elements-for-elementor
Installations: 6,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.4.3
Severity Score:: High
CVE:: 2024-37462

Plugin:: WPCafe � Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce
Plugin Slug:: wp-cafe
Installations: 6,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.2.28
Severity Score:: High
CVE:: 2024-37513

Plugin:: Beaver Builder Addons by WPZOOM
Plugin Slug:: wpzoom-addons-for-beaver-builder
Installations: 6,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.6
Severity Score:: Medium
CVE:: 2024-37464

Plugin:: Snippet Shortcodes
Plugin Slug:: shortcode-variables
Installations: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.1.5
Severity Score:: Medium
CVE:: 2024-4543

Plugin:: AWSM Team � Team Showcase Plugin
Plugin Slug:: awsm-team
Installations: 4,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.2
Severity Score:: Medium
CVE:: 2024-37454

Plugin:: bbPress Notify (No-Spam)
Plugin Slug:: bbpress-notify-nospam
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.18.4
Severity Score:: High
CVE:: 2024-37485

Plugin:: Popup Builder � On Page Load Popup, Exit Popup, Login Popup, On Click, Sticky Bar, Anti-AdBlock � FireBox
Plugin Slug:: firebox
Installations: 4,000+
Vulnerability:: Backdoor
Patched in Version:: 2.1.16
Severity Score:: Medium

Plugin:: Advanced Classifieds & Directory Pro
Plugin Slug:: advanced-classifieds-and-directory-pro
Installations: 3,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.2.1
Severity Score:: High
CVE:: 2024-37501

Plugin:: FileBird Document Library
Plugin Slug:: filebird-document-library
Installations: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.0.8.1
Severity Score:: Medium
CVE:: 2024-37504

Plugin:: HelloAsso
Plugin Slug:: helloasso
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.10
Severity Score:: Medium
CVE:: 2024-37488

Plugin:: IMGspider � ????????
Plugin Slug:: imgspider
Installations: 3,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.3.11
Severity Score:: Critical
CVE:: 2024-6319

Plugin:: ShopBuilder � Elementor WooCommerce Builder Addons
Plugin Slug:: shopbuilder
Installations: 3,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.1.13
Severity Score:: Medium
CVE:: 2024-37520

Plugin:: CRM Perks Forms � WordPress Form Builder
Plugin Slug:: crm-perks-forms
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2024-37463

Plugin:: EazyDocs � Most Powerful Knowledge base, wiki, Documentation Builder Plugin
Plugin Slug:: eazydocs
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.0
Severity Score:: Medium
CVE:: 2024-3999

Plugin:: MakeCommerce for WooCommerce
Plugin Slug:: makecommerce
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.2
Severity Score:: High
CVE:: 2024-37509

Plugin:: Online Booking & Scheduling Calendar for WordPress by vcita
Plugin Slug:: meeting-scheduler-by-vcita
Installations: 2,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.4.3
Severity Score:: Medium
CVE:: 2024-37499

Plugin:: One Click Order Re-Order
Plugin Slug:: one-click-order-reorder
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.10
Severity Score:: Medium
CVE:: 2024-5641

Plugin:: Premium Blocks � Gutenberg Blocks for WordPress
Plugin Slug:: premium-blocks-for-gutenberg
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.28
Severity Score:: Medium
CVE:: 2024-37519

Plugin:: YAHMAN Add-ons
Plugin Slug:: yahman-add-ons
Installations: 2,000+
Vulnerability:: Backdoor
Patched in Version:: 0.9.29
Severity Score:: Medium

Plugin:: Church Admin
Plugin Slug:: church-admin
Installations: 1,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.4.7
Severity Score:: Critical
CVE:: 2024-37418

Plugin:: IdeaPush
Plugin Slug:: ideapush
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.66
Severity Score:: High
CVE:: 2024-37461

Plugin:: Newspack Newsletters
Plugin Slug:: newspack-newsletters
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.13.3
Severity Score:: Medium
CVE:: 2024-37475

Plugin:: Post Meta Data Manager
Plugin Slug:: post-meta-data-manager
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2024-6264

Plugin:: SuperSaaS � online appointment scheduling
Plugin Slug:: supersaas-appointment-scheduling
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.10
Severity Score:: Medium
CVE:: 2024-37460

Plugin:: Zephyr Project Manager
Plugin Slug:: zephyr-project-manager
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.3.99
Severity Score:: High
CVE:: 2024-37484

Plugin:: Comment Reply Email
Plugin Slug:: comment-reply-email
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2024-35773

Plugin:: ShipAny WooCommerce: Ship, Label, Tracking
Plugin Slug:: shipany
Installations: 100+
Vulnerability:: Backdoor
Patched in Version:: 1.1.53
Severity Score:: Medium

Plugin:: Integration for Luminate and Gravity Forms
Plugin Slug:: integration-for-luminate-and-gravity-forms
Installations: 70+
Vulnerability:: Backdoor
Patched in Version:: 1.3.4
Severity Score:: Medium

Plugin:: Qualified Electronic Signatures by eID Easy
Plugin Slug:: eid-easy-qualified-electonic-signature
Installations: 20+
Vulnerability:: Backdoor
Patched in Version:: 3.3.1
Severity Score:: Medium

Plugin:: BLAZE Retail Widget
Plugin Slug:: blaze-widget
Vulnerability:: Backdoor
Patched in Version:: 2.5.4
Severity Score:: Medium

Plugin:: Contact Form 7 Multi-Step Addon
Plugin Slug:: contact-form-7-multi-step-addon
Vulnerability:: Backdoor
Patched in Version:: 1.0.7
Severity Score:: Medium

Plugin:: XPlainer – WooCommerce Product FAQ
Plugin Slug:: faq-for-woocommerce
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.4
Severity Score:: Medium
CVE:: 2024-37515

Plugin:: JetThemeCore
Plugin Slug:: jet-theme-core
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.2.1
Severity Score:: High
CVE:: 2024-37497

Plugin:: Modern Events Calendar
Plugin Slug:: modern-events-calendar
Vulnerability:: Arbitrary File Upload
Patched in Version:: 7.12.0
Severity Score:: High
CVE:: 2024-5441

Plugin:: Modern Events Calendar Lite
Plugin Slug:: modern-events-calendar-lite
Vulnerability:: Arbitrary File Upload
Patched in Version:: 7.12.0
Severity Score:: High
CVE:: 2024-5441

Plugin:: Newspack Ads
Plugin Slug:: newspack-ads
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.47.2
Severity Score:: Medium
CVE:: 2024-37474

Plugin:: Newspack Content Converter
Plugin Slug:: newspack-content-converter
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.0
Severity Score:: Medium
CVE:: 2024-37477

Plugin:: Newspack Campaigns
Plugin Slug:: newspack-popups
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.31.2
Severity Score:: Medium
CVE:: 2024-37476

Plugin:: PayPlus Payment Gateway
Plugin Slug:: payplus-payment-gateway
Vulnerability:: SQL Injection
Patched in Version:: 6.6.9
Severity Score:: Critical
CVE:: 2024-6205

Plugin:: PayPlus Payment Gateway
Plugin Slug:: payplus-payment-gateway
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.6.9
Severity Score:: High
CVE:: 2024-37459

Plugin:: Social Warfare
Plugin Slug:: social-warfare
Vulnerability:: Backdoor
Patched in Version:: 4.4.7.3
Severity Score:: Medium

Plugin:: Ultimate Addons for Elementor
Plugin Slug:: ultimate-elementor
Vulnerability:: Privilege Escalation
Patched in Version:: 1.36.32
Severity Score:: High
CVE:: 2024-37455

Plugin:: Woffice Core
Plugin Slug:: woffice-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.9
Severity Score:: High
CVE:: 2024-37471

Plugin:: Woffice Core
Plugin Slug:: woffice-core
Vulnerability:: Broken Access Control
Patched in Version:: 5.4.9
Severity Score:: High
CVE:: 2024-37470

Plugin:: WooCommerce Social Login
Plugin Slug:: woo-social-login
Vulnerability:: PHP Object Injection
Patched in Version:: 2.7.0
Severity Score:: Medium
CVE:: 2024-37502

Plugin:: CopySafe Web Protection
Plugin Slug:: wp-copysafe-web
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.15
Severity Score:: Medium
CVE:: 2024-37514

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.6
Severity Score:: High
CVE:: 2024-37487

Plugin:: WPQA – Builder forms Addon
Plugin Slug:: wpqa
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.1.1
Severity Score:: Medium
CVE:: 2024-2376

Plugin:: WPQA – Builder forms Addon
Plugin Slug:: wpqa
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.1
Severity Score:: Medium
CVE:: 2024-2375

WordPress Themes � 20 Patched / 3 Unpatched

Theme:: zBench
Theme Slug:: zbench
Downloads: 588,387
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-37521

Theme:: Boot Store
Theme Slug:: boot-store
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5938

Theme:: counterpoint
Theme Slug:: counterpoint
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-37559

Theme:: Ashe
Theme Slug:: ashe
Downloads: 1,959,473
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.234
Severity Score:: Medium
CVE:: 2024-37478

Theme:: Bakes And Cakes
Theme Slug:: bakes-and-cakes
Downloads: 154,588
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2024-37496

Theme:: Bard
Theme Slug:: bard
Downloads: 912,192
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.211
Severity Score:: Medium
CVE:: 2024-37490

Theme:: Blocksy
Theme Slug:: blocksy
Downloads: 3,364,636
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.23
Severity Score:: Medium
CVE:: 2024-37469

Theme:: Business One Page
Theme Slug:: business-one-page
Downloads: 211,071
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2024-37505

Theme:: Construction Landing Page
Theme Slug:: construction-landing-page
Downloads: 284,784
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.6
Severity Score:: Medium
CVE:: 2024-37508

Theme:: Hestia
Theme Slug:: hestia
Downloads: 4,067,479
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1.3
Severity Score:: Medium
CVE:: 2024-37467

Theme:: Highlight
Theme Slug:: highlight
Downloads: 435,892
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.30
Severity Score:: Medium
CVE:: 2024-37458

Theme:: Lawyer Landing Page
Theme Slug:: lawyer-landing-page
Downloads: 128,839
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.5
Severity Score:: Medium
CVE:: 2024-37503

Theme:: Metro Magazine
Theme Slug:: metro-magazine
Downloads: 260,020
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.8
Severity Score:: Medium
CVE:: 2024-37496

Theme:: Newsmatic
Theme Slug:: newsmatic
Downloads: 217,113
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2024-37468

Theme:: Posterity
Theme Slug:: posterity
Downloads: 95,124
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.4
Severity Score:: Medium
CVE:: 2024-37493

Theme:: Rara Business
Theme Slug:: rara-business
Downloads: 201,763
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.6
Severity Score:: Medium
CVE:: 2024-37937

Theme:: Rife Free
Theme Slug:: rife-free
Downloads: 696,099
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.19
Severity Score:: Medium
CVE:: 2024-37491

Theme:: Trendy News
Theme Slug:: trendy-news
Downloads: 24,718
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.16
Severity Score:: Medium
CVE:: 2024-37473

Theme:: Basil
Theme Slug:: basil
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.5
Severity Score:: Medium
CVE:: 2024-39310

Theme:: BookYourTravel
Theme Slug:: bookyourtravel
Vulnerability:: Privilege Escalation
Patched in Version:: 8.18.19
Severity Score:: High
CVE:: 2024-37952

Theme:: Himer
Theme Slug:: himer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2024-2234

Theme:: Himer
Theme Slug:: himer
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2024-2233

Theme:: Woffice
Theme Slug:: woffice
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.9
Severity Score:: High
CVE:: 2024-37472