WordPress Vulnerability Report � September 25, 2024

In this report, 72 vulnerabilities have been publicly disclosed. Security patches for 48 of these plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 24 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.6.2 is available! This minor release includes 15 bug fixes in Core and 11 in the Block Editor, addressing issues like unexpected CSS specificity changes in certain themes.

WordPress Plugins � 46 Patched / 20 Unpatched

Plugin:: MC4WP: Mailchimp for WordPress
Plugin Slug:: mailchimp-for-wp
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-8850

Plugin:: WCFM Marketplace � Multivendor Marketplace for WooCommerce
Plugin Slug:: wc-multivendor-marketplace
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-44009

Plugin:: IMPress for IDX Broker
Plugin Slug:: idx-broker-platinum
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-44047

Plugin:: WPCargo Track & Trace
Plugin Slug:: wpcargo
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-44004

Plugin:: Product Carousel Slider & Grid Ultimate for WooCommerce
Plugin Slug:: woo-product-carousel-slider-and-grid-ultimate
Installations: 9,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-44048

Plugin:: Spice Starter Sites
Plugin Slug:: spice-starter-sites
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-44003

Plugin:: Gutenberg Blocks � Unlimited blocks For Gutenberg
Plugin Slug:: unlimited-blocks
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-44049

Plugin:: Team Showcase
Plugin Slug:: team
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-44002

Plugin:: Multipurpose Ticket Booking Manager (Bus/Train/Ferry/Boat/Shuttle) | WordPress Plugin
Plugin Slug:: bus-booking-manager
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-44037

Plugin:: Accordion Image Menu
Plugin Slug:: accordion-image-menu
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-8092

Plugin:: Thanh To�n Qu�t M� QR Code T? ??ng
Plugin Slug:: bck-tu-dong-xac-nhan-thanh-toan-chuyen-khoan-ngan-hang
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-8914

Plugin:: Kodex Posts likes
Plugin Slug:: kodex-posts-likes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-44036

Plugin:: Limit Login Attempts Plus
Plugin Slug:: limit-login-attempts-plus
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2022-4533

Plugin:: Logo Manager For Enamad
Plugin Slug:: logo-manager-for-enamad
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5170

Plugin:: Posts reminder
Plugin Slug:: posts-reminder
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-8093

Plugin:: WooCommerce Multiple Free Gift
Plugin Slug:: woocommerce-multiple-free-gift
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2022-3459

Plugin:: WP Category Dropdown
Plugin Slug:: wp-category-dropdown
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-8103

Plugin:: WP Custom Fields Search
Plugin Slug:: wp-custom-fields-search
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-8364

Plugin:: WP Easy Gallery
Plugin Slug:: wp-easy-gallery
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-8437

Plugin:: WP Easy Gallery
Plugin Slug:: wp-easy-gallery
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-8436

Plugin:: MC4WP: Mailchimp for WordPress
Plugin Slug:: mailchimp-for-wp
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.17
Severity Score:: Medium
CVE:: 2024-8680

Plugin:: W3 Total Cache
Plugin Slug:: w3-total-cache
Installations: 1,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.7.6
Severity Score:: Low
CVE:: 2023-5359

Plugin:: Backuply � Backup, Restore, Migrate and Clone
Plugin Slug:: backuply
Installations: 200,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.3.5
Severity Score:: High
CVE:: 2024-8669

Plugin:: Photo Gallery by 10Web � Mobile-Friendly Image Gallery
Plugin Slug:: photo-gallery
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.28
Severity Score:: Medium
CVE:: 2024-44043

Plugin:: WooCommerce Multilingual & Multicurrency with WPML
Plugin Slug:: woocommerce-multilingual
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.3.7
Severity Score:: Medium
CVE:: 2024-44006

Plugin:: FOX � Currency Switcher Professional for WooCommerce
Plugin Slug:: woocommerce-currency-switcher
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.2.2
Severity Score:: High
CVE:: 2024-8271

Plugin:: Easy Digital Downloads � eCommerce Payments and Subscriptions made easy
Plugin Slug:: easy-digital-downloads
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.3.4
Severity Score:: Medium
CVE:: 2022-2439

Plugin:: Pixel Cat � Conversion Pixel Manager
Plugin Slug:: facebook-conversion-pixel
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.6
Severity Score:: High
CVE:: 2024-8544

Plugin:: Koko Analytics
Plugin Slug:: koko-analytics
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.13
Severity Score:: High
CVE:: 2024-8662

Plugin:: Quiz and Survey Master (QSM) � Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.3
Severity Score:: Medium
CVE:: 2024-8758

Plugin:: Greenshift � animation and page builder blocks
Plugin Slug:: greenshift-animation-and-page-builder-blocks
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.4
Severity Score:: Medium
CVE:: 2024-44005

Plugin:: Themify � WooCommerce Product Filter
Plugin Slug:: themify-wc-product-filter
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.2
Severity Score:: Medium
CVE:: 2024-44046

Plugin:: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber � MailOptin
Plugin Slug:: mailoptin
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.70.4
Severity Score:: Medium
CVE:: 2024-8628

Plugin:: SKT Templates � 100% free Elementor & Gutenberg templates
Plugin Slug:: skt-templates
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.15
Severity Score:: High
CVE:: 2024-44007

Plugin:: WP Hardening (discontinued)
Plugin Slug:: wp-security-hardening
Installations: 20,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2024-6641

Plugin:: BA Book Everything
Plugin Slug:: ba-book-everything
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.21
Severity Score:: Medium
CVE:: 2024-8794

Plugin:: BA Book Everything
Plugin Slug:: ba-book-everything
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.6.21
Severity Score:: High
CVE:: 2024-8795

Plugin:: Charitable � Donation Plugin for WordPress � Fundraising with Recurring Donations & More
Plugin Slug:: charitable
Installations: 10,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.8.1.15
Severity Score:: Critical
CVE:: 2024-8791

Plugin:: Gum Elementor Addon
Plugin Slug:: gum-elementor-addon
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.8
Severity Score:: Medium
CVE:: 2024-44035

Plugin:: Maintenance Redirect
Plugin Slug:: jf3-maintenance-mode
Installations: 10,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.1.0
Severity Score:: Low
CVE:: 2024-45453

Plugin:: WP Booking System � Booking Calendar
Plugin Slug:: wp-booking-system
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.19.9
Severity Score:: High
CVE:: 2024-8797

Plugin:: WP Datepicker
Plugin Slug:: wp-datepicker
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2024-44042

Plugin:: Affiliate Program Suite � SliceWP Affiliates
Plugin Slug:: slicewp
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.21
Severity Score:: High
CVE:: 2024-8714

Plugin:: Radio Player � Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Plugin Slug:: radio-player
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.79
Severity Score:: Medium
CVE:: 2024-8267