WordPress Vulnerability Report � June 19, 2024

In this report, 87 vulnerabilities have been publicly disclosed. Security patches for 73 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 14 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.6 Beta 3 was released on June 18, 2024. The target release date for WordPress 6.6 is July 16, 2024. Your help testing Beta and RC versions over the next four weeks is vital to making sure the final release is everything it should be: stable, powerful, and intuitive.

WordPress Plugins � 71 Patched / 14 Unpatched

Plugin:: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3925

Plugin:: Advanced Contact form 7 DB
Plugin Slug:: advanced-cf7-db
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4319

Plugin:: Custom Field Suite
Plugin Slug:: custom-field-suite
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3559

Plugin:: Elespare � News, Magazine and Blog Elements & Blog Addons for Elementor with Header Footer Builder. One Click Import: No Coding Required!
Plugin Slug:: elespare
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4615

Plugin:: Shariff for WordPress
Plugin Slug:: shariff-sharing
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-2695

Plugin:: Scheduling Plugin � Online Booking for WordPress
Plugin Slug:: calendar-booking
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1634

Plugin:: Canto
Plugin Slug:: canto
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-4936

Plugin:: Collapse-O-Matic
Plugin Slug:: jquery-collapse-o-matic
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4095

Plugin:: Master Slider
Plugin Slug:: master-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4375

Plugin:: PDF Viewer for Elementor
Plugin Slug:: pdf-viewer-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0845

Plugin:: Schema App Structured Data
Plugin Slug:: schema-app-structured-data-for-schemaorg
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0892

Plugin:: Where I Was, Where I Will Be
Plugin Slug:: where-i-was-where-i-will-be
Vulnerability:: Remote File Inclusion
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-5577

Plugin:: Video Gallery
Plugin Slug:: yotuwp-easy-youtube-embed
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4551

Plugin:: Video Gallery
Plugin Slug:: yotuwp-easy-youtube-embed
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-4258

Plugin:: WooCommerce
Plugin Slug:: woocommerce
Installations: 7,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.9.3
Severity Score:: High

Plugin:: Essential Addons for Elementor � Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.24
Severity Score:: Medium
CVE:: 2024-5189

Plugin:: Elementor Header & Footer Builder
Plugin Slug:: header-footer-elementor
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.36
Severity Score:: Medium
CVE:: 2024-5757

Plugin:: WPS Hide Login
Plugin Slug:: wps-hide-login
Installations: 1,000,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.9.16
Severity Score:: Medium
CVE:: 2024-2473

Plugin:: Premium Addons for Elementor
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.10.34
Severity Score:: Medium
CVE:: 2024-5553

Plugin:: Ocean Extra
Plugin Slug:: ocean-extra
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.9
Severity Score:: Medium
CVE:: 2024-5531

Plugin:: SiteOrigin Widgets Bundle
Plugin Slug:: so-widgets-bundle
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.62.0
Severity Score:: Medium
CVE:: 2024-5090

Plugin:: Gutenberg Blocks with AI by Kadence WP � Page Builder Features
Plugin Slug:: kadence-blocks
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.39
Severity Score:: Medium
CVE:: 2024-4863

Plugin:: MetForm � Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Plugin Slug:: metform
Installations: 300,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.8.9
Severity Score:: Medium
CVE:: 2024-4266

Plugin:: WP Go Maps (formerly WP Google Maps)
Plugin Slug:: wp-google-maps
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.0.39
Severity Score:: Medium
CVE:: 2024-5994

Plugin:: WP Go Maps (formerly WP Google Maps)
Plugin Slug:: wp-google-maps
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.0.39
Severity Score:: Medium

Plugin:: Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button � Chaty
Plugin Slug:: chaty
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.3
Severity Score:: Medium
CVE:: 2024-4149

Plugin:: Jeg Elementor Kit
Plugin Slug:: jeg-elementor-kit
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.6
Severity Score:: Medium
CVE:: 2024-4479

Plugin:: Popup Builder � Create highly converting, mobile friendly marketing popups.
Plugin Slug:: popup-builder
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.2
Severity Score:: Medium
CVE:: 2023-6696

Plugin:: Popup Builder � Create highly converting, mobile friendly marketing popups.
Plugin Slug:: popup-builder
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.2
Severity Score:: Medium
CVE:: 2024-2544

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.90
Severity Score:: Medium
CVE:: 2024-2098

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.87
Severity Score:: Medium
CVE:: 2024-1766

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.94
Severity Score:: Medium
CVE:: 2024-5266

Plugin:: FooGallery � Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Plugin Slug:: foogallery
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.16
Severity Score:: Medium
CVE:: 2024-2122

Plugin:: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
Plugin Slug:: powerpack-lite-for-elementor
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.21
Severity Score:: Medium
CVE:: 2024-5787

Plugin:: Social Sharing Plugin � Sassy Social Share
Plugin Slug:: sassy-social-share
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.63
Severity Score:: Medium
CVE:: 2024-4924

Plugin:: Search & Replace
Plugin Slug:: search-and-replace
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.2.2
Severity Score:: High
CVE:: 2024-4145

Plugin:: ShopLentor � WooCommerce Builder for Elementor & Gutenberg +12 Modules � All in One Solution (formerly WooLentor)
Plugin Slug:: woolentor-addons
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.1
Severity Score:: Medium
CVE:: 2024-5530

Plugin:: Email Subscribers by Icegram Express � Email Marketing, Newsletters, Automation for WordPress & WooCommerce
Plugin Slug:: email-subscribers
Installations: 90,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.7.23
Severity Score:: High
CVE:: 2024-4845

Plugin:: Events Manager � Calendar, Bookings, Tickets, and more!
Plugin Slug:: events-manager
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.8
Severity Score:: Medium
CVE:: 2024-3492

Plugin:: Simple Sitemap � Create a Responsive HTML Sitemap
Plugin Slug:: simple-sitemap
Installations: 90,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.5.14
Severity Score:: Medium
CVE:: 2023-6492

Plugin:: Folders � Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Plugin Slug:: folders
Installations: 80,000+
Vulnerability:: Path Traversal
Patched in Version:: 3.0.1
Severity Score:: Medium
CVE:: 2024-2023

Plugin:: WordPress Online Booking and Scheduling Plugin � Bookly
Plugin Slug:: bookly-responsive-appointment-booking-tool
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 23.3
Severity Score:: Medium
CVE:: 2024-5584

Plugin:: Woody code snippets � Insert Header Footer Code, AdSense Ads
Plugin Slug:: insert-php
Installations: 70,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.5.1
Severity Score:: Critical
CVE:: 2024-3105

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 7.4.2
Severity Score:: High
CVE:: 2024-3549

Plugin:: Divi Torque Lite � Divi Theme and Extra Theme
Plugin Slug:: addons-for-divi
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.0
Severity Score:: Medium
CVE:: 2024-5892

Plugin:: Custom Field Template
Plugin Slug:: custom-field-template
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.2
Severity Score:: Medium
CVE:: 2024-0627

Plugin:: Custom Field Template
Plugin Slug:: custom-field-template
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.6.2
Severity Score:: Medium
CVE:: 2023-6748

Plugin:: Custom Field Template
Plugin Slug:: custom-field-template
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.2
Severity Score:: Medium
CVE:: 2023-6745

Plugin:: Custom Field Template
Plugin Slug:: custom-field-template
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.2
Severity Score:: Medium
CVE:: 2024-0653

Plugin:: Greenshift � animation and page builder blocks
Plugin Slug:: greenshift-animation-and-page-builder-blocks
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.9.4
Severity Score:: Medium
CVE:: 2024-35765

Plugin:: Stratum � Elementor Widgets
Plugin Slug:: stratum
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.2
Severity Score:: Medium
CVE:: 2024-5611

Plugin:: Serious Slider
Plugin Slug:: cryout-serious-slider
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.5
Severity Score:: Medium
CVE:: 2024-35762

Plugin:: Futurio Extra
Plugin Slug:: futurio-extra
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.6
Severity Score:: Medium
CVE:: 2024-5646

Plugin:: Business Directory Plugin � Easy Listing Directories for WordPress
Plugin Slug:: business-directory-plugin
Installations: 10,000+
Vulnerability:: CSV Injection
Patched in Version:: 6.4.4
Severity Score:: Medium
CVE:: 2023-5527

Plugin:: Restaurant Menu � Food Ordering System � Table Reservation
Plugin Slug:: menu-ordering-reservations
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.1
Severity Score:: Medium
CVE:: 2024-1399

Plugin:: CoDesigner � The Most Compact and User-Friendly Elementor WooCommerce Builder
Plugin Slug:: woolementor
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.5
Severity Score:: Critical
CVE:: 2024-4371

Plugin:: CoDesigner � The Most Compact and User-Friendly Elementor WooCommerce Builder
Plugin Slug:: woolementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5
Severity Score:: Medium
CVE:: 2024-4564

Plugin:: WordPress Header Builder Plugin � Pearl
Plugin Slug:: pearl-header-builder
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.8
Severity Score:: Medium
CVE:: 2024-5468

Plugin:: Events Addon for Elementor
Plugin Slug:: events-addon-for-elementor
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.7
Severity Score:: Medium
CVE:: 2024-4669

Plugin:: Themify Builder
Plugin Slug:: themify-builder
Installations: 7,000+
Vulnerability:: Open Redirection
Patched in Version:: 7.5.8
Severity Score:: Medium
CVE:: 2024-3032

Plugin:: Dashboard Widgets Suite
Plugin Slug:: dashboard-widgets-suite
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.4
Severity Score:: High
CVE:: 2024-0979

Plugin:: WP Job Portal � A Complete Job Board
Plugin Slug:: wp-job-portal
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.4
Severity Score:: Medium
CVE:: 2024-35760

Plugin:: WP Job Portal � A Complete Job Board
Plugin Slug:: wp-job-portal
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.4
Severity Score:: Medium
CVE:: 2024-35759

Plugin:: InstaWP Connect � 1-click WP Staging & Migration
Plugin Slug:: instawp-connect
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.1.0.39
Severity Score:: Critical
CVE:: 2024-4898

Plugin:: Tickera � WordPress Event Ticketing
Plugin Slug:: tickera-event-ticketing-system
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.2.9
Severity Score:: Medium
CVE:: 2024-5860

Plugin:: Online Booking & Scheduling Calendar for WordPress by vcita
Plugin Slug:: meeting-scheduler-by-vcita
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.1
Severity Score:: Medium
CVE:: 2024-35761

Plugin:: Church Admin
Plugin Slug:: church-admin
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.5
Severity Score:: Medium
CVE:: 2024-35764

Plugin:: Easy Age Verify
Plugin Slug:: easy-age-verify
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.3
Severity Score:: Medium
CVE:: 2024-35757

Plugin:: AI Infographic Maker
Plugin Slug:: infographic-and-list-builder-ilist
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.5
Severity Score:: Medium
CVE:: 2024-5858

Plugin:: WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin
Plugin Slug:: timetics
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.22
Severity Score:: High
CVE:: 2024-1094