WordPress Vulnerability Report � July 31, 2024

In this report, 80 vulnerabilities have been publicly disclosed. Security patches for 55 of these plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 25 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.6.1 is now available! This minor release features 7 bug fixes in Core and 9 bug fixes for the Block Editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement.

WordPress Plugins � 55 Patched / 20 Unpatched

Plugin:: Timetable and Event Schedule by MotoPress
Plugin Slug:: mp-timetable
Installations: 30,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-39630

Plugin:: Pretty Simple Popup Builder
Plugin Slug:: pretty-simple-popup-builder
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-39626

Plugin:: Add Admin CSS
Plugin Slug:: add-admin-css
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6547

Plugin:: Add Admin JavaScript
Plugin Slug:: add-admin-javascript
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6548

Plugin:: Admin Post Navigation
Plugin Slug:: admin-post-navigation
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6549

Plugin:: Admin Trim Interface
Plugin Slug:: admin-trim-interface
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6545

Plugin:: Aramex Shipping WooCommerce
Plugin Slug:: aramex-shipping-woocommerce
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6566

Plugin:: Flipbox Builder
Plugin Slug:: flipbox-builder
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-6152

Plugin:: IgnitionDeck
Plugin Slug:: ignitiondeck
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4410

Plugin:: Intelligence
Plugin Slug:: intelligence
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6573

Plugin:: ListingPro
Plugin Slug:: listingpro-plugin
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-39621

Plugin:: ListingPro
Plugin Slug:: listingpro-plugin
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-39620

Plugin:: ListingPro
Plugin Slug:: listingpro-plugin
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-39619

Plugin:: ListingPro
Plugin Slug:: listingpro-plugin
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-38795

Plugin:: Master Currency WP
Plugin Slug:: mastercurrency-wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6634

Plugin:: Media.net Ads Manager
Plugin Slug:: media-net-ads-manager
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-6431

Plugin:: One Click Close Comments
Plugin Slug:: one-click-close-comments
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6546

Plugin:: ParityPress
Plugin Slug:: paritypress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6661

Plugin:: Tutor LMS � Migration Tool
Plugin Slug:: tutor-lms-migration-tool
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1798

Plugin:: Ultimate Auction
Plugin Slug:: ultimate-auction
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6591

Plugin:: LiteSpeed Cache
Plugin Slug:: litespeed-cache
Installations: 5,000,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.3
Severity Score:: High
CVE:: 2024-3246

Plugin:: Redux Framework
Plugin Slug:: redux-framework
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.18
Severity Score:: High
CVE:: 2024-6828

Plugin:: Ninja Forms � The Contact Form Builder That Grows With You
Plugin Slug:: ninja-forms
Installations: 800,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.8.7
Severity Score:: Medium
CVE:: 2024-39628

Plugin:: Photo Gallery, Sliders, Proofing and Themes � NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.59.4
Severity Score:: Medium
CVE:: 2024-39627

Plugin:: Page Builder Gutenberg Blocks � CoBlocks
Plugin Slug:: coblocks
Installations: 400,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 3.1.12
Severity Score:: Medium
CVE:: 2024-4260

Plugin:: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
Plugin Slug:: fluentform
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.20
Severity Score:: Medium
CVE:: 2024-6520

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.11.3
Severity Score:: Medium
CVE:: 2024-6627

Plugin:: Royal Elementor Addons and Templates
Plugin Slug:: royal-elementor-addons
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.981
Severity Score:: Medium
CVE:: 2024-5818

Plugin:: AMP for WP � Accelerated Mobile Pages
Plugin Slug:: accelerated-mobile-pages
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.97
Severity Score:: Medium
CVE:: 2024-6896

Plugin:: Hide My WP Ghost � Security & Firewall
Plugin Slug:: hide-my-wp
Installations: 100,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 5.2.02
Severity Score:: Low
CVE:: 2024-6420

Plugin:: Inline Related Posts
Plugin Slug:: intelly-related-posts
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.0
Severity Score:: Medium
CVE:: 2024-6487

Plugin:: Email Encoder � Protect Email Addresses and Phone Numbers
Plugin Slug:: email-encoder-bundle
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2024-4483

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 90,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.2.6.9
Severity Score:: High
CVE:: 2024-6589

Plugin:: WP ULike � Most Advanced Marketing Toolkit
Plugin Slug:: wp-ulike
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.7.1
Severity Score:: Medium
CVE:: 2024-6094

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 70,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.4.8
Severity Score:: Medium
CVE:: 2024-38791

Plugin:: aThemes Starter Sites
Plugin Slug:: athemes-starter-sites
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.54
Severity Score:: Medium
CVE:: 2024-6897

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.3
Severity Score:: Medium
CVE:: 2024-7100

Plugin:: WP Booking Calendar
Plugin Slug:: booking
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 10.2.2
Severity Score:: Medium
CVE:: 2024-6930

Plugin:: User Profile Builder � Beautiful User Registration Forms, User Profiles & User Role Editor
Plugin Slug:: profile-builder
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.11.8
Severity Score:: Medium
CVE:: 2024-6366

Plugin:: Better Find and Replace
Plugin Slug:: real-time-auto-find-and-replace
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.2
Severity Score:: High
CVE:: 2024-39636

Plugin:: Photo Gallery, Images, Slider in Rbs Image Gallery
Plugin Slug:: robo-gallery
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.20
Severity Score:: Medium
CVE:: 2024-3896

Plugin:: Piotnet Addons For Elementor
Plugin Slug:: piotnet-addons-for-elementor
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.4.30
Severity Score:: Medium
CVE:: 2024-5614

Plugin:: WP Meteor Website Speed Optimization Addon
Plugin Slug:: wp-meteor
Installations: 30,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.4.4
Severity Score:: Medium
CVE:: 2024-6553

Plugin:: All-in-One Video Gallery
Plugin Slug:: all-in-one-video-gallery
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.3
Severity Score:: Medium
CVE:: 2024-6629

Plugin:: Funnel Builder for WordPress by FunnelKit � Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells
Plugin Slug:: funnel-builder
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.7
Severity Score:: Medium
CVE:: 2024-6836

Plugin:: Icegram Engage � Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Plugin Slug:: icegram
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.25
Severity Score:: Medium
CVE:: 2024-39625

Plugin:: CM Popup Plugin for WordPress � Popup Maker
Plugin Slug:: cm-pop-up-banners
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.6
Severity Score:: Medium
CVE:: 2024-5004

Plugin:: Language Translate Widget for WP � ConveyThis
Plugin Slug:: conveythis-translate
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 235
Severity Score:: Medium
CVE:: 2024-38792

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.3.24
Severity Score:: High
CVE:: 2024-5973