WordPress Vulnerability Report � July 24, 2024

In this report, 93 vulnerabilities have been publicly disclosed. Security patches for 72 of these plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 21 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.6.1 is now available! This minor release features�7 bug fixes in Core�and�9 bug fixes for the Block Editor. You can review a summary of the maintenance updates in this release by reading the�Release Candidate announcement.

WordPress Plugins � 72 Patched / 15 Unpatched

Plugin:: Timetable and Event Schedule by MotoPress
Plugin Slug:: mp-timetable
Installations: 30,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-39630

Plugin:: Smartsupp � live chat, chatbots, AI and lead generation
Plugin Slug:: smartsupp-live-chat
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-38790

Plugin:: Pretty Simple Popup Builder
Plugin Slug:: pretty-simple-popup-builder
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-39626

Plugin:: Booking Ultra Pro
Plugin Slug:: booking-ultra-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6175

Plugin:: Easy Testimonials
Plugin Slug:: easy-testimonials
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-2337

Plugin:: Keydatas
Plugin Slug:: keydatas
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-6220

Plugin:: Light Poll
Plugin Slug:: light-poll
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6720

Plugin:: ListingPro
Plugin Slug:: listingpro-plugin
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-39621

Plugin:: ListingPro
Plugin Slug:: listingpro-plugin
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-39620

Plugin:: ListingPro
Plugin Slug:: listingpro-plugin
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-39619

Plugin:: ListingPro
Plugin Slug:: listingpro-plugin
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-38795

Plugin:: RegLevel
Plugin Slug:: reglevel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6705

Plugin:: SVG Support
Plugin Slug:: svg-support
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6708

Plugin:: Telegram Bot & Channel
Plugin Slug:: telegram-bot
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-38789

Plugin:: Timeline Event History
Plugin Slug:: timeline-event-history
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-5726

Plugin:: WP Mail SMTP by WPForms � The Most Popular SMTP and Email Log Plugin
Plugin Slug:: wp-mail-smtp
Installations: 3,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.1.0
Severity Score:: Low
CVE:: 2024-6694

Plugin:: ElementsKit Elementor addons
Plugin Slug:: elementskit-lite
Installations: 1,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.2.1
Severity Score:: Medium
CVE:: 2024-6455

Plugin:: Redux Framework
Plugin Slug:: redux-framework
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.18
Severity Score:: High
CVE:: 2024-6828

Plugin:: Security Optimizer � The All-In-One Protection Plugin
Plugin Slug:: sg-security
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.1
Severity Score:: Medium
CVE:: 2024-38774

Plugin:: WPS Hide Login
Plugin Slug:: wps-hide-login
Installations: 1,000,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.9.16.4
Severity Score:: Medium
CVE:: 2024-6289

Plugin:: Photo Gallery, Sliders, Proofing and Themes � NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.59.4
Severity Score:: Medium
CVE:: 2024-39627

Plugin:: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.6
Severity Score:: Medium
CVE:: 2024-5555

Plugin:: Conditional Fields for Contact Form 7
Plugin Slug:: cf7-conditional-fields
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.14
Severity Score:: Medium
CVE:: 2024-5804

Plugin:: GiveWP � Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.14.0
Severity Score:: Medium
CVE:: 2024-5977

Plugin:: Schema & Structured Data for WP & AMP
Plugin Slug:: schema-and-structured-data-for-wp
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.34.1
Severity Score:: Medium
CVE:: 2024-5582

Plugin:: CTX Feed � WooCommerce Product Feed Manager Plugin
Plugin Slug:: webappick-product-feed-for-woocommerce
Installations: 100,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 6.5.7
Severity Score:: High
CVE:: 2024-38775

Plugin:: Mercado Pago payments for WooCommerce
Plugin Slug:: woocommerce-mercadopago
Installations: 100,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 7.6.2
Severity Score:: Medium
CVE:: 2024-3934

Plugin:: HUSKY � Products Filter Professional for WooCommerce
Plugin Slug:: woocommerce-products-filter
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.3.6.1
Severity Score:: Critical
CVE:: 2024-6457

Plugin:: Email Subscribers by Icegram Express � Email Marketing, Newsletters, Automation for WordPress & WooCommerce
Plugin Slug:: email-subscribers
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.7.27
Severity Score:: Medium
CVE:: 2024-5703

Plugin:: Brizy � Page Builder
Plugin Slug:: brizy
Installations: 80,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.4.45
Severity Score:: Critical
CVE:: 2024-3242

Plugin:: Brizy � Page Builder
Plugin Slug:: brizy
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.45
Severity Score:: High
CVE:: 2024-1937

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 70,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.4.8
Severity Score:: Medium
CVE:: 2024-38791

Plugin:: Premium Portfolio Features for Phlox theme
Plugin Slug:: auxin-portfolio
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.3
Severity Score:: Medium
CVE:: 2024-3587

Plugin:: Getwid � Gutenberg Blocks
Plugin Slug:: getwid
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.11
Severity Score:: Medium
CVE:: 2024-6491

Plugin:: Image Hover Effects � Elementor Addon
Plugin Slug:: image-hover-effects-addon-for-elementor
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.4
Severity Score:: Medium
CVE:: 2024-4780

Plugin:: RSS Aggregator � RSS Import, News Feeds, Feed to Post, and Autoblogging
Plugin Slug:: wp-rss-aggregator
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.23.12
Severity Score:: Medium
CVE:: 2024-6621

Plugin:: Gutenverse � Gutenberg Blocks � Page Builder for Site Editor
Plugin Slug:: gutenverse
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.3
Severity Score:: Medium
CVE:: 2024-38785

Plugin:: FV Flowplayer Video Player
Plugin Slug:: fv-wordpress-flowplayer
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 7.5.47.7212
Severity Score:: High
CVE:: 2024-6338

Plugin:: Icegram Engage � Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Plugin Slug:: icegram
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.25
Severity Score:: Medium
CVE:: 2024-39625

Plugin:: WP Event Manager � Events Calendar, Registrations, Sell Tickets with WooCommerce
Plugin Slug:: wp-event-manager
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.44
Severity Score:: Medium
CVE:: 2024-2691

Plugin:: WordPress File Upload
Plugin Slug:: wp-file-upload
Installations: 20,000+
Vulnerability:: Directory Traversal
Patched in Version:: 4.24.8
Severity Score:: Medium
CVE:: 2024-5852

Plugin:: Appointment Booking Calendar Plugin and Online Scheduling Plugin � BookingPress
Plugin Slug:: bookingpress-appointment-booking
Installations: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.6
Severity Score:: Critical
CVE:: 2024-6660

Plugin:: Appointment Booking Calendar Plugin and Online Scheduling Plugin � BookingPress
Plugin Slug:: bookingpress-appointment-booking
Installations: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.6
Severity Score:: High
CVE:: 2024-6467

Plugin:: BSK PDF Manager
Plugin Slug:: bsk-pdf-manager
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.1
Severity Score:: Medium
CVE:: 2024-38767

Plugin:: CM Popup Plugin for WordPress � Popup Maker
Plugin Slug:: cm-pop-up-banners
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.6
Severity Score:: Medium
CVE:: 2024-5004

Plugin:: Language Translate Widget for WP � ConveyThis
Plugin Slug:: conveythis-translate
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 235
Severity Score:: Medium
CVE:: 2024-38792

Plugin:: JetWidgets for Elementor and WooCommerce
Plugin Slug:: jetwoo-widgets-for-elementor
Installations: 10,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.8
Severity Score:: Medium
CVE:: 2024-38772

Plugin:: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)
Plugin Slug:: leaflet-maps-marker
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.12.10
Severity Score:: Medium
CVE:: 2024-38782

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.3.24
Severity Score:: High
CVE:: 2024-5973

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.4.07
Severity Score:: High
CVE:: 2024-38788

Plugin:: Event Manager, Events Calendar, Tickets, Registrations � Eventin
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.5
Severity Score:: Medium
CVE:: 2024-6033

Plugin:: SchedulePress � Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher
Plugin Slug:: wp-scheduled-posts
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.1.4
Severity Score:: Medium
CVE:: 2024-6557

Plugin:: Backup, Restore and Migrate WordPress Sites With the XCloner Plugin
Plugin Slug:: xcloner-backup-and-restore
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.7.4
Severity Score:: Medium
CVE:: 2024-6559

Plugin:: Arconix FAQ
Plugin Slug:: arconix-faq
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.5
Severity Score:: Medium
CVE:: 2024-38783

Plugin:: HTML Forms � Simple WordPress Forms Plugin
Plugin Slug:: html-forms
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.33
Severity Score:: Medium
CVE:: 2024-6243

Plugin:: YITH Essential Kit for WooCommerce #1
Plugin Slug:: yith-essential-kit-for-woocommerce-1
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.35.0
Severity Score:: Medium
CVE:: 2024-6799

Plugin:: Arconix Shortcodes
Plugin Slug:: arconix-shortcodes
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.12
Severity Score:: Medium
CVE:: 2024-38769

Plugin:: AI ChatBot for WordPress � WPBot
Plugin Slug:: chatbot
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.8
Severity Score:: Medium
CVE:: 2024-6669

Plugin:: WP QuickLaTeX
Plugin Slug:: wp-quicklatex
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.8
Severity Score:: Medium
CVE:: 2024-5529

Plugin:: Livemesh Addons for Beaver Builder
Plugin Slug:: addons-for-beaver-builder
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7
Severity Score:: Medium
CVE:: 2024-38784

Plugin:: Cooked � Recipe Management
Plugin Slug:: cooked
Installations: 4,000+
Vulnerability:: Content Injection
Patched in Version:: 1.8.0
Severity Score:: Medium

Plugin:: Cooked � Recipe Management
Plugin Slug:: cooked
Installations: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.8.0
Severity Score:: Medium

Plugin:: AForms � Form Builder for Price Calculator & Cost Estimation
Plugin Slug:: aforms-form-builder-for-price-calculator-cost-estimation
Installations: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.7
Severity Score:: Medium
CVE:: 2024-6565

Plugin:: Insert or Embed Articulate Content into WordPress
Plugin Slug:: insert-or-embed-articulate-content-into-wordpress
Installations: 3,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.3000000024
Severity Score:: Critical
CVE:: 2024-5630

Plugin:: Addonify � Quick View For WooCommerce
Plugin Slug:: addonify-quick-view
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.2.17
Severity Score:: Medium
CVE:: 2024-6560

Plugin:: Visual Website Collaboration, Feedback & Project Management � Atarim
Plugin Slug:: atarim-visual-collaboration
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.1
Severity Score:: Medium
CVE:: 2024-38771

Plugin:: Glossary
Plugin Slug:: glossary-by-codeat
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.27
Severity Score:: Medium
CVE:: 2024-6570

Plugin:: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)
Plugin Slug:: the-pack-addon
Installations: 2,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.0.8.7
Severity Score:: Medium
CVE:: 2024-38768