WordPress Vulnerability Report — September 11, 2024

Since last week, 64 new vulnerabilities emerged in the WordPress ecosystem including 64 plugins. 19 of the vulnerable plugins remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah

Published:Sep 11, 2024

Filed Under:WordPress Vulnerability Report

Reading Time:13 min.

In this report, 64 vulnerabilities have been publicly disclosed. Security patches for 45 of these plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 19 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 45 Patched / 19 Unpatched

2.1 Form Vibes – Database Manager for Forms
2.2 Flaming Forms
2.3 Flaming Forms
2.4 Pocket Widget
2.5 Amelia
2.6 AZIndex
2.7 AZIndex
2.8 Cab fare calculator
2.9 Geo Controller
2.10 Chatbot Support AI
2.11 Cost Calculator Builder Pro
2.12 DN Popup
2.13 Dynamic Featured Image
2.14 ForumWP
2.15 RD Station
2.16 Preloader Plus – WordPress Loading Screen Plugin
2.17 S.A.F
2.18 Slider comparison image before and after
2.19 Viral Signup
2.20 LiteSpeed Cache
2.21 Ninja Forms – The Contact Form Builder That Grows With You
2.22 Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
2.23 Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
2.24 PixelYourSite – Your smart PIXEL (TAG) & API Manager
2.25 Customizer Export/Import
2.26 Ivory Search – WordPress Search Plugin
2.27 Big File Uploads – Increase Maximum File Upload Size
2.28 Tutor LMS – eLearning and online course solution
2.29 WP ULike – The Ultimate Engagement Toolkit for Websites
2.30 Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor
2.31 Content Blocks (Custom Post Widget)
2.32 Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
2.33 Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
2.34 Secure Copy Content Protection and Content Locking
2.35 LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
2.36 Sensei LMS – Online Courses, Quizzes, & Learning
2.37 WP Job Portal – A Complete Recruitment System for Company or Job Board website
2.38 MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
2.39 EventON
2.40 Pinpoint Booking System – #1 WordPress Booking Plugin
2.41 EventPrime – Events Calendar, Bookings and Tickets
2.42 Remember Me Controls
2.43 Newsletters
2.44 Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App
2.45 Affiliate Super Assistent
2.46 Attributes for Blocks
2.47 Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin
2.48 Share This Image
2.49 WP-Recall – Registration, Profile, Commerce & More
2.50 WPCOM Member
2.51 Advanced Sermons
2.52 Nova Blocks by Pixelgrade
2.53 Revision Manager TMC
2.54 Sign-up Sheets
2.55 WP AdCenter – Ad Manager & Adsense Ads
2.56 The Ultimate WordPress Toolkit – WP Extended
2.57 The Ultimate WordPress Toolkit – WP Extended
2.58 The Ultimate WordPress Toolkit – WP Extended
2.59 The Ultimate WordPress Toolkit – WP Extended
2.60 The Ultimate WordPress Toolkit – WP Extended
2.61 The Ultimate WordPress Toolkit – WP Extended
2.62 Frontend Dashboard
2.63 Ninja Forms File Uploads Extension
2.64 PixelYourSite PRO

3. WordPress Themes — 0 Patched / 0 Unpatched

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.6.2 is now available! This minor release includes 15 bug fixes in Core and 11 in the Block Editor, addressing issues like unexpected CSS specificity changes in certain themes.

WordPress Plugins — 45 Patched / 19 Unpatched

Plugin:: Form Vibes – Database Manager for Forms
Plugin Slug:: form-vibes
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5309

Plugin:: Flaming Forms
Plugin Slug:: flaming-forms
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-7692

Plugin:: Flaming Forms
Plugin Slug:: flaming-forms
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-7691

Plugin:: Pocket Widget
Plugin Slug:: pocket-widget
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-7918

Plugin:: Amelia
Plugin Slug:: ameliabooking
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6332

Plugin:: AZIndex
Plugin Slug:: azindex
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-7688

Plugin:: AZIndex
Plugin Slug:: azindex
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-7687

Plugin:: Cab fare calculator
Plugin Slug:: cab-fare-calculator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2022-3556

Plugin:: Geo Controller
Plugin Slug:: cf-geoplugin
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-7380

Plugin:: Chatbot Support AI
Plugin Slug:: chatbot-support-ai
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6722

Plugin:: Cost Calculator Builder Pro
Plugin Slug:: cost-calculator-builder-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6010

Plugin:: DN Popup
Plugin Slug:: dn-popup
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-7690

Plugin:: Dynamic Featured Image
Plugin Slug:: dynamic-featured-image
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6929

Plugin:: ForumWP
Plugin Slug:: forumwp
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-8428

Plugin:: RD Station
Plugin Slug:: integracao-rd-station
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6894

Plugin:: Preloader Plus – WordPress Loading Screen Plugin
Plugin Slug:: preloader-plus
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6849

Plugin:: S.A.F
Plugin Slug:: security-antivirus-firewall
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2022-4529

Plugin:: Slider comparison image before and after
Plugin Slug:: slider-comparison-image-before-and-after
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-8543

Plugin:: Viral Signup
Plugin Slug:: viral-signup
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-6926

Plugin:: LiteSpeed Cache
Plugin Slug:: litespeed-cache
Installations: 6,000,000+
Vulnerability:: Broken Authentication
Patched in Version:: 6.5.0.1
Severity Score:: Critical
CVE:: 2024-44000

Plugin:: Ninja Forms – The Contact Form Builder That Grows With You
Plugin Slug:: ninja-forms
Installations: 800,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.11
Severity Score:: High

Plugin:: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Plugin Slug:: popup-maker
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.19.1
Severity Score:: Medium
CVE:: 2024-5561

Plugin:: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
Plugin Slug:: fluentform
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1.19
Severity Score:: Medium
CVE:: 2024-5053

Plugin:: PixelYourSite – Your smart PIXEL (TAG) & API Manager
Plugin Slug:: pixelyoursite
Installations: 400,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 9.7.2
Severity Score:: Medium
CVE:: 2024-7870

Plugin:: Customizer Export/Import
Plugin Slug:: customizer-export-import
Installations: 200,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.9.7.1
Severity Score:: Medium
CVE:: 2024-7620

Plugin:: Ivory Search – WordPress Search Plugin
Plugin Slug:: add-search-to-menu
Installations: 100,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.5.7
Severity Score:: Medium
CVE:: 2024-6835

Plugin:: Big File Uploads – Increase Maximum File Upload Size
Plugin Slug:: tuxedo-big-file-uploads
Installations: 100,000+
Vulnerability:: Full Path Disclosure (FPD)
Patched in Version:: 2.1.3
Severity Score:: Medium
CVE:: 2024-8538

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 90,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.7.5
Severity Score:: Medium
CVE:: 2023-2919

Plugin:: WP ULike – The Ultimate Engagement Toolkit for Websites
Plugin Slug:: wp-ulike
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.7.2.1
Severity Score:: Medium
CVE:: 2024-6792

Plugin:: Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor
Plugin Slug:: master-addons
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.6.5
Severity Score:: Medium
CVE:: 2024-6282

Plugin:: Content Blocks (Custom Post Widget)
Plugin Slug:: custom-post-widget
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.6
Severity Score:: Medium
CVE:: 2024-44051

Plugin:: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Plugin Slug:: file-manager
Installations: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 6.5.6
Severity Score:: Critical
CVE:: 2024-7770

Plugin:: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Plugin Slug:: file-manager
Installations: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 6.5.6
Severity Score:: High
CVE:: 2024-7627

Plugin:: Secure Copy Content Protection and Content Locking
Plugin Slug:: secure-copy-content-protection
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1.7
Severity Score:: Medium
CVE:: 2024-6888

Plugin:: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Plugin Slug:: lifterlms
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 7.7.6
Severity Score:: High
CVE:: 2024-7349

Plugin:: Sensei LMS – Online Courses, Quizzes, & Learning
Plugin Slug:: sensei-lms
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.24.2
Severity Score:: Medium
CVE:: 2024-7786

Plugin:: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.7
Severity Score:: Critical
CVE:: 2024-7950

Plugin:: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Plugin Slug:: dc-woocommerce-multi-vendor
Installations: 5,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 4.2.1
Severity Score:: High
CVE:: 2024-8289

Plugin:: EventON
Plugin Slug:: eventon-lite
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.17
Severity Score:: Medium
CVE:: 2024-6910

Plugin:: Pinpoint Booking System – #1 WordPress Booking Plugin
Plugin Slug:: booking-system
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.9.9.5.1
Severity Score:: High
CVE:: 2024-7112

Plugin:: EventPrime – Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.4.4
Severity Score:: Medium
CVE:: 2024-8369

Plugin:: Remember Me Controls
Plugin Slug:: remember-me-controls
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.1
Severity Score:: Medium
CVE:: 2024-7415

Plugin:: Newsletters
Plugin Slug:: newsletters-lite
Installations: 3,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 4.9.9.3
Severity Score:: High
CVE:: 2024-8247

Plugin:: Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App
Plugin Slug:: peepso-core
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.6.0
Severity Score:: Medium
CVE:: 2024-7618

Plugin:: Affiliate Super Assistent
Plugin Slug:: amazonsimpleadmin
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.4
Severity Score:: Medium
CVE:: 2024-8478

Plugin:: Attributes for Blocks
Plugin Slug:: attributes-for-blocks
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.7
Severity Score:: Medium
CVE:: 2024-8318

Plugin:: Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin
Plugin Slug:: frontend-post-submission-manager-lite
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.3
Severity Score:: Medium
CVE:: 2024-8427

Plugin:: Share This Image
Plugin Slug:: share-this-image
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.03
Severity Score:: Medium
CVE:: 2024-8363

Plugin:: WP-Recall – Registration, Profile, Commerce & More
Plugin Slug:: wp-recall
Installations: 2,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 16.26.9
Severity Score:: Critical
CVE:: 2024-8292

Plugin:: WPCOM Member
Plugin Slug:: wpcom-member
Installations: 2,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.5.3
Severity Score:: Critical
CVE:: 2024-7493

Plugin:: Advanced Sermons
Plugin Slug:: advanced-sermons
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4
Severity Score:: Medium
CVE:: 2024-7599

Plugin:: Nova Blocks by Pixelgrade
Plugin Slug:: nova-blocks
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.8
Severity Score:: Medium
CVE:: 2024-8241

Plugin:: Revision Manager TMC
Plugin Slug:: revision-manager-tmc
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.20
Severity Score:: Medium
CVE:: 2024-7622

Plugin:: Sign-up Sheets
Plugin Slug:: sign-up-sheets
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.13
Severity Score:: High
CVE:: 2024-6020

Plugin:: WP AdCenter – Ad Manager & Adsense Ads
Plugin Slug:: wpadcenter
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.7
Severity Score:: Medium
CVE:: 2024-8317

Plugin:: The Ultimate WordPress Toolkit – WP Extended
Plugin Slug:: wpextended
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.9
Severity Score:: High
CVE:: 2024-8119

Plugin:: The Ultimate WordPress Toolkit – WP Extended
Plugin Slug:: wpextended
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.0.9
Severity Score:: Medium
CVE:: 2024-8106

Plugin:: The Ultimate WordPress Toolkit – WP Extended
Plugin Slug:: wpextended
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.9
Severity Score:: High
CVE:: 2024-8102

Plugin:: The Ultimate WordPress Toolkit – WP Extended
Plugin Slug:: wpextended
Installations: 1,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.0.9
Severity Score:: Medium
CVE:: 2024-8123

Plugin:: The Ultimate WordPress Toolkit – WP Extended
Plugin Slug:: wpextended
Installations: 1,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 3.0.9
Severity Score:: High
CVE:: 2024-8104

Plugin:: The Ultimate WordPress Toolkit – WP Extended
Plugin Slug:: wpextended
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.9
Severity Score:: Medium
CVE:: 2024-8121

Plugin:: Frontend Dashboard
Plugin Slug:: frontend-dashboard
Installations: 900+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 2.2.5
Severity Score:: High
CVE:: 2024-8268

Plugin:: Ninja Forms File Uploads Extension
Plugin Slug:: ninja-forms-uploads
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.18
Severity Score:: High
CVE:: 2024-1596

Plugin:: PixelYourSite PRO
Plugin Slug:: pixelyoursite-pro
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 10.4.3
Severity Score:: Medium
CVE:: 2024-7870

WordPress Themes — 0 Patched / 0 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah

Sarah has been with StellarWP since 2024. As our marketing generalist, she spends her day writing content and completing projects for SolidWP, LearnDash, and The Events Calendar. In her free time, Sarah can be found playing pickleball, enjoying coffee at a local coffee shop, and spending time with her husband.

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 45 Patched / 19 Unpatched

WordPress Themes — 0 Patched / 0 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 22, 2026

WordPress Vulnerability Report — April 15, 2026

WordPress Vulnerability Report — April 8, 2026

WordPress Vulnerability Report — April 1, 2026