WordPress Vulnerability Report — May 29, 2024

Since last week, 119 new vulnerabilities emerged in the WordPress ecosystem including 1 in themes and 118 in plugins. 32 of the vulnerable plugins remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah

Published:May 29, 2024

Filed Under:WordPress Vulnerability Report

Reading Time:23 min.

In this report, 119 vulnerabilities have been publicly disclosed. Security patches for 87 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 32 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 86 Patched / 32 Unpatched

2.1 Photo Gallery by 10Web – Mobile-Friendly Image Gallery
2.2 Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms
2.3 Business Card
2.4 KKProgressbar2 Free – advanced progress bars
2.5 KKProgressbar2 Free – advanced progress bars
2.6 KKProgressbar2 Free – advanced progress bars
2.7 WP Stacker
2.8 AdFoxly – Ad Manager, AdSense Ads & Ads.txt
2.9 ApplyOnline – Application Form Builder and Manager
2.10 Automatic Translator with Auto Translate
2.11 Button contact VR
2.12 Crafthemes Demo Import
2.13 Dextaz Ping
2.14 Easy Digital Downloads – Recent Purchases
2.15 Elegant Addons for elementor
2.16 Flattr
2.17 LuckyWP Table of Contents
2.18 LuckyWP Table of Contents
2.19 LuckyWP Table of Contents
2.20 Opal Estate Pro
2.21 PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode
2.22 Pet Manager
2.23 Sailthru Triggermail
2.24 Sailthru Triggermail
2.25 Praison SEO WordPress
2.26 Simple Popup Manager
2.27 Toolbar Extras for Elementor & More
2.28 Woocommerce – Recent Purchases
2.29 WP Backpack
2.30 WP Font Awesome Share Icons
2.31 WP Next Post Navi
2.32 WP Scraper
2.33 Elementor Website Builder – More than Just a Page Builder
2.34 Elementor Header & Footer Builder
2.35 Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation
2.36 WP Fastest Cache
2.37 Premium Addons for Elementor
2.38 Page Builder by SiteOrigin
2.39 Spectra – WordPress Gutenberg Blocks
2.40 Spectra – WordPress Gutenberg Blocks
2.41 WP Shortcodes Plugin — Shortcodes Ultimate
2.42 SiteOrigin Widgets Bundle
2.43 Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
2.44 WP Go Maps (formerly WP Google Maps)
2.45 Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
2.46 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
2.47 Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
2.48 Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
2.49 HT Mega – Absolute Addons For Elementor
2.50 HT Mega – Absolute Addons For Elementor
2.51 Social Icons Widget & Block by WPZOOM
2.52 The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
2.53 ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
2.54 ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
2.55 EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
2.56 LearnPress – WordPress LMS Plugin
2.57 Master Slider – Responsive Touch Slider
2.58 Brizy – Page Builder
2.59 Email Log
2.60 Media Library Assistant
2.61 Media Library Assistant
2.62 wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
2.63 YITH WooCommerce Ajax Search
2.64 Advanced iFrame
2.65 WP Table Builder – WordPress Table Plugin
2.66 Carousel Slider
2.67 Ditty – Responsive News Tickers, Sliders, and Lists
2.68 Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks
2.69 FV Flowplayer Video Player
2.70 Reviews and Rating – Google Reviews
2.71 Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider WordPress Plugin
2.72 ND Shortcodes
2.73 WP DSGVO Tools (GDPR)
2.74 ShareThis Share Buttons
2.75 WPZOOM Addons for Elementor (Templates, Widgets)
2.76 BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin
2.77 Business Directory Plugin – Easy Listing Directories for WordPress
2.78 LA-Studio Element Kit for Elementor
2.79 WP Photo Album Plus
2.80 WP TripAdvisor Review Slider
2.81 WordPress + Microsoft Office 365 / Azure AD | LOGIN
2.82 140+ Widgets | Best Addons For Elementor – FREE
2.83 Videojs HTML5 Player
2.84 Awesome Contact Form7 for Elementor
2.85 Primary Addon for Elementor
2.86 Hash Elements
2.87 Survey Maker – Best WordPress Survey Plugin
2.88 Testimonial Carousel For Elementor
2.89 WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce
2.90 WPKoi Templates for Elementor
2.91 AI ChatBot for WordPress – WPBot
2.92 WP Ultimate Post Grid
2.93 PopupAlly
2.94 Move Addons for Elementor
2.95 YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress
2.96 Debug Log – Manger Tool
2.97 LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor
2.98 Event post
2.99 Fastly
2.100 Hash Form – Drag & Drop Form Builder
2.101 Hash Form – Drag & Drop Form Builder
2.102 Tainacan
2.103 Tainacan
2.104 Web Directory Free
2.105 WP-ViperGB
2.106 Atarim
2.107 Country State City Dropdown CF7
2.108 ElementsKit Pro
2.109 LayerSlider
2.110 Contact Form & Lead Form Elementor Builder
2.111 Memberpress
2.112 Memberpress
2.113 Pie Register (Add on) – Social Sites Login
2.114 NextScripts
2.115 NextScripts
2.116 NextScripts
2.117 Uber Menu
2.118 Userpro

3. WordPress Themes — 1 Patched / 0 Unpatched

3.1 Blocksy

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.5.3 was released on May 7, 2024, as a short-cycle maintenance release. This release features 12 bug fixes on Core and 9 bug fixes for the Block editor.

WordPress Plugins — 86 Patched / 32 Unpatched

Plugin:: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Plugin Slug:: photo-gallery
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-35628

Plugin:: Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms
Plugin Slug:: cf7-constant-contact
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-35632

Plugin:: Business Card
Plugin Slug:: business-card-by-esterox-100
Installations: 10+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4529

Plugin:: KKProgressbar2 Free – advanced progress bars
Plugin Slug:: kkprogressbar
Installations: 10+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4535

Plugin:: KKProgressbar2 Free – advanced progress bars
Plugin Slug:: kkprogressbar
Installations: 10+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-4534

Plugin:: KKProgressbar2 Free – advanced progress bars
Plugin Slug:: kkprogressbar
Installations: 10+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-4533

Plugin:: WP Stacker
Plugin Slug:: wp-stacker
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-5003

Plugin:: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
Plugin Slug:: adfoxly
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-34802

Plugin:: ApplyOnline – Application Form Builder and Manager
Plugin Slug:: apply-online
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-2036

Plugin:: Automatic Translator with Auto Translate
Plugin Slug:: auto-translate
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0632

Plugin:: Button contact VR
Plugin Slug:: button-contact-vr
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-2220

Plugin:: Crafthemes Demo Import
Plugin Slug:: crafthemes-demo-import
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-34800

Plugin:: Dextaz Ping
Plugin Slug:: dextaz-ping
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-34792

Plugin:: Easy Digital Downloads – Recent Purchases
Plugin Slug:: edd-recent-purchases
Vulnerability:: Remote File Inclusion
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-35629

Plugin:: Elegant Addons for elementor
Plugin Slug:: elegant-addons-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3066

Plugin:: Flattr
Plugin Slug:: flattr
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3920

Plugin:: LuckyWP Table of Contents
Plugin Slug:: luckywp-table-of-contents
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6487

Plugin:: LuckyWP Table of Contents
Plugin Slug:: luckywp-table-of-contents
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-2953

Plugin:: LuckyWP Table of Contents
Plugin Slug:: luckywp-table-of-contents
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-2119

Plugin:: Opal Estate Pro
Plugin Slug:: opal-estate-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3666

Plugin:: PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode
Plugin Slug:: paypal-pay-buy-donation-and-cart-buttons-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3065

Plugin:: Pet Manager
Plugin Slug:: pet-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-3917

Plugin:: Sailthru Triggermail
Plugin Slug:: sailthru-triggermail
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4290

Plugin:: Sailthru Triggermail
Plugin Slug:: sailthru-triggermail
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-4289

Plugin:: Praison SEO WordPress
Plugin Slug:: seo-wordpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-34801

Plugin:: Simple Popup Manager
Plugin Slug:: simple-popup-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-34797

Plugin:: Toolbar Extras for Elementor & More
Plugin Slug:: toolbar-extras
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3611

Plugin:: Woocommerce – Recent Purchases
Plugin Slug:: woo-recent-purchases
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-35634

Plugin:: WP Backpack
Plugin Slug:: wp-backpack
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4756

Plugin:: WP Font Awesome Share Icons
Plugin Slug:: wp-font-awesome-share-icons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3198

Plugin:: WP Next Post Navi
Plugin Slug:: wp-next-post-navi
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-34793

Plugin:: WP Scraper
Plugin Slug:: wp-scraper
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-3663

Plugin:: Elementor Website Builder – More than Just a Page Builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.21.6
Severity Score:: Medium
CVE:: 2024-4619

Plugin:: Elementor Header & Footer Builder
Plugin Slug:: header-footer-elementor
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.26.1
Severity Score:: Medium
CVE:: 2024-2618

Plugin:: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation
Plugin Slug:: optinmonster
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.16.2
Severity Score:: Medium
CVE:: 2024-4045

Plugin:: WP Fastest Cache
Plugin Slug:: wp-fastest-cache
Installations: 1,000,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.2.7
Severity Score:: High
CVE:: 2024-4347

Plugin:: Premium Addons for Elementor
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.10.32
Severity Score:: Medium
CVE:: 2024-4378

Plugin:: Page Builder by SiteOrigin
Plugin Slug:: siteorigin-panels
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.29.16
Severity Score:: Medium
CVE:: 2024-4361

Plugin:: Spectra – WordPress Gutenberg Blocks
Plugin Slug:: ultimate-addons-for-gutenberg
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.13.1
Severity Score:: Medium
CVE:: 2024-4366

Plugin:: Spectra – WordPress Gutenberg Blocks
Plugin Slug:: ultimate-addons-for-gutenberg
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.12.9
Severity Score:: Medium
CVE:: 2024-1814

Plugin:: WP Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.1.6
Severity Score:: Medium
CVE:: 2024-4553

Plugin:: SiteOrigin Widgets Bundle
Plugin Slug:: so-widgets-bundle
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.61.0
Severity Score:: Medium
CVE:: 2024-4362

Plugin:: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
Plugin Slug:: fluentform
Installations: 400,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 5.1.16
Severity Score:: High
CVE:: 2024-4157

Plugin:: WP Go Maps (formerly WP Google Maps)
Plugin Slug:: wp-google-maps
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.0.37
Severity Score:: Medium
CVE:: 2024-3557

Plugin:: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Plugin Slug:: unlimited-elements-for-elementor
Installations: 200,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.108
Severity Score:: High
CVE:: 2024-4779

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.15.9
Severity Score:: Medium
CVE:: 2024-2861

Plugin:: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 5.6.4
Severity Score:: Medium
CVE:: 2024-3927

Plugin:: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.2
Severity Score:: Medium
CVE:: 2024-3926

Plugin:: HT Mega – Absolute Addons For Elementor
Plugin Slug:: ht-mega-for-elementor
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.3
Severity Score:: Medium
CVE:: 2024-4876

Plugin:: HT Mega – Absolute Addons For Elementor
Plugin Slug:: ht-mega-for-elementor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.3
Severity Score:: Medium
CVE:: 2024-4875

Plugin:: Social Icons Widget & Block by WPZOOM
Plugin Slug:: social-icons-widget-by-wpzoom
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.18
Severity Score:: Medium
CVE:: 2024-2189

Plugin:: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.5
Severity Score:: Medium
CVE:: 2024-3718

Plugin:: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
Plugin Slug:: woolentor-addons
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.9
Severity Score:: Medium
CVE:: 2024-3345

Plugin:: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
Plugin Slug:: woolentor-addons
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.9
Severity Score:: High
CVE:: 2024-4566

Plugin:: EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
Plugin Slug:: embedpress
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.13
Severity Score:: Medium
CVE:: 2024-1803

Plugin:: LearnPress – WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.6.7
Severity Score:: Medium
CVE:: 2024-4971

Plugin:: Master Slider – Responsive Touch Slider
Plugin Slug:: master-slider
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.10
Severity Score:: Medium
CVE:: 2024-4470

Plugin:: Brizy – Page Builder
Plugin Slug:: brizy
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.44
Severity Score:: Medium
CVE:: 2024-3711

Plugin:: Email Log
Plugin Slug:: email-log
Installations: 80,000+
Vulnerability:: Other Vulnerability Type
Patched in Version:: 2.4.9
Severity Score:: High
CVE:: 2024-0867

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.16
Severity Score:: High
CVE:: 2024-3518

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.16
Severity Score:: High
CVE:: 2024-3519

Plugin:: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
Plugin Slug:: wpdatatables
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.2.14
Severity Score:: High
CVE:: 2024-4895

Plugin:: YITH WooCommerce Ajax Search
Plugin Slug:: yith-woocommerce-ajax-search
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.1
Severity Score:: High
CVE:: 2024-4455

Plugin:: Advanced iFrame
Plugin Slug:: advanced-iframe
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2024.4
Severity Score:: Medium
CVE:: 2024-4365

Plugin:: WP Table Builder – WordPress Table Plugin
Plugin Slug:: wp-table-builder
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.15
Severity Score:: Medium
CVE:: 2024-4700

Plugin:: Carousel Slider
Plugin Slug:: carousel-slider
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.11
Severity Score:: Medium
CVE:: 2024-4372

Plugin:: Ditty – Responsive News Tickers, Sliders, and Lists
Plugin Slug:: ditty-news-ticker
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.36
Severity Score:: Medium
CVE:: 2024-3939

Plugin:: Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks
Plugin Slug:: post-grid
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.81
Severity Score:: Medium
CVE:: 2024-3155

Plugin:: FV Flowplayer Video Player
Plugin Slug:: fv-wordpress-flowplayer
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.5.46.7212
Severity Score:: High
CVE:: 2024-35631

Plugin:: Reviews and Rating – Google Reviews
Plugin Slug:: g-business-reviews-rating
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3
Severity Score:: Medium
CVE:: 2024-5218

Plugin:: Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider WordPress Plugin
Plugin Slug:: logo-slider-wp
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.0
Severity Score:: Medium
CVE:: 2024-3288

Plugin:: ND Shortcodes
Plugin Slug:: nd-shortcodes
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.6
Severity Score:: Medium
CVE:: 2024-5220

Plugin:: WP DSGVO Tools (GDPR)
Plugin Slug:: shapepress-dsgvo
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.33
Severity Score:: Medium
CVE:: 2024-3201

Plugin:: ShareThis Share Buttons
Plugin Slug:: sharethis-share-buttons
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.1
Severity Score:: Medium
CVE:: 2024-3648

Plugin:: WPZOOM Addons for Elementor (Templates, Widgets)
Plugin Slug:: wpzoom-elementor-addons
Installations: 20,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.38
Severity Score:: Critical
CVE:: 2024-5147

Plugin:: BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin
Plugin Slug:: bookingpress-appointment-booking
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.83
Severity Score:: Medium
CVE:: 2024-34799

Plugin:: Business Directory Plugin – Easy Listing Directories for WordPress
Plugin Slug:: business-directory-plugin
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 6.4.3
Severity Score:: Critical
CVE:: 2024-4443

Plugin:: LA-Studio Element Kit for Elementor
Plugin Slug:: lastudio-element-kit
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.8
Severity Score:: Medium
CVE:: 2024-4431

Plugin:: WP Photo Album Plus
Plugin Slug:: wp-photo-album-plus
Installations: 10,000+
Vulnerability:: Content Injection
Patched in Version:: 8.7.00.004
Severity Score:: Medium
CVE:: 2024-4037

Plugin:: WP TripAdvisor Review Slider
Plugin Slug:: wp-tripadvisor-review-slider
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 12.7
Severity Score:: High
CVE:: 2024-35630

Plugin:: WordPress + Microsoft Office 365 / Azure AD | LOGIN
Plugin Slug:: wpo365-login
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 28.0
Severity Score:: Medium
CVE:: 2024-4706

Plugin:: 140+ Widgets | Best Addons For Elementor – FREE
Plugin Slug:: xpro-elementor-addons
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4.3.2
Severity Score:: High
CVE:: 2024-4471

Plugin:: Videojs HTML5 Player
Plugin Slug:: videojs-html5-player
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.12
Severity Score:: Medium
CVE:: 2024-5205

Plugin:: Awesome Contact Form7 for Elementor
Plugin Slug:: awesome-contact-form7-for-elementor
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0
Severity Score:: Medium
CVE:: 2024-4486

Plugin:: Primary Addon for Elementor
Plugin Slug:: primary-addon-for-elementor
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.6
Severity Score:: Medium
CVE:: 2024-5229

Plugin:: Hash Elements
Plugin Slug:: hash-elements
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.9
Severity Score:: Medium
CVE:: 2024-5177

Plugin:: Survey Maker – Best WordPress Survey Plugin
Plugin Slug:: survey-maker
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.9
Severity Score:: Medium
CVE:: 2024-4061

Plugin:: Testimonial Carousel For Elementor
Plugin Slug:: testimonials-carousel-elementor
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 10.2.1
Severity Score:: Medium
CVE:: 2024-4858

Plugin:: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce
Plugin Slug:: wp-cafe
Installations: 6,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.2.24
Severity Score:: High
CVE:: 2024-1855

Plugin:: WPKoi Templates for Elementor
Plugin Slug:: wpkoi-templates-for-elementor
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.11
Severity Score:: Medium
CVE:: 2024-4980

Plugin:: AI ChatBot for WordPress – WPBot
Plugin Slug:: chatbot
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.3.6
Severity Score:: Medium
CVE:: 2024-0452

Plugin:: WP Ultimate Post Grid
Plugin Slug:: wp-ultimate-post-grid
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.2
Severity Score:: Medium
CVE:: 2024-4043

Plugin:: PopupAlly
Plugin Slug:: popupally
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2024-34796

Plugin:: Move Addons for Elementor
Plugin Slug:: move-addons
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.2
Severity Score:: Medium
CVE:: 2024-4695

Plugin:: YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress
Plugin Slug:: youtube-showcase
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.0
Severity Score:: Medium
CVE:: 2024-3268

Plugin:: Debug Log – Manger Tool
Plugin Slug:: debug-log-config-tool
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.5
Severity Score:: Medium
CVE:: 2024-34798

Plugin:: LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor
Plugin Slug:: include-lottie-animation-for-elementor
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.10.10
Severity Score:: Medium
CVE:: 2024-5060

Plugin:: Event post
Plugin Slug:: event-post
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.9.5
Severity Score:: Medium
CVE:: 2024-1376

Plugin:: Fastly
Plugin Slug:: fastly
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.26
Severity Score:: Medium
CVE:: 2024-34803

Plugin:: Hash Form – Drag & Drop Form Builder
Plugin Slug:: hash-form
Installations: 1,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2024-5085

Plugin:: Hash Form – Drag & Drop Form Builder
Plugin Slug:: hash-form
Installations: 1,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.1.1
Severity Score:: Critical
CVE:: 2024-5084

Plugin:: Tainacan
Plugin Slug:: tainacan
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.21.4
Severity Score:: Medium
CVE:: 2024-34795

Plugin:: Tainacan
Plugin Slug:: tainacan
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.21.4
Severity Score:: High
CVE:: 2024-34794

Plugin:: Web Directory Free
Plugin Slug:: web-directory-free
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: 1.7.0
Severity Score:: Critical
CVE:: 2024-3552

Plugin:: WP-ViperGB
Plugin Slug:: wp-vipergb
Installations: 600+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.6.2
Severity Score:: Medium
CVE:: 2024-4409

Plugin:: Atarim
Plugin Slug:: atarim-visual-collaboration
Vulnerability:: Other Vulnerability Type
Patched in Version:: 3.30
Severity Score:: High
CVE:: 2024-2038

Plugin:: Country State City Dropdown CF7
Plugin Slug:: country-state-city-auto-dropdown
Vulnerability:: SQL Injection
Patched in Version:: 2.7.3
Severity Score:: Critical
CVE:: 2024-3495

Plugin:: ElementsKit Pro
Plugin Slug:: elementskit
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.2
Severity Score:: Medium
CVE:: 2024-4452

Plugin:: LayerSlider
Plugin Slug:: layerslider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.11.1
Severity Score:: Medium
CVE:: 2024-4575

Plugin:: Contact Form & Lead Form Elementor Builder
Plugin Slug:: lead-form-builder
Vulnerability:: Content Injection
Patched in Version:: 1.9.2
Severity Score:: Medium
CVE:: 2024-4261

Plugin:: Memberpress
Plugin Slug:: memberpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.11.30
Severity Score:: Medium
CVE:: 2024-5025

Plugin:: Memberpress
Plugin Slug:: memberpress
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.11.30
Severity Score:: Medium
CVE:: 2024-5031

Plugin:: Pie Register (Add on) – Social Sites Login
Plugin Slug:: pie-register-social-site
Vulnerability:: Broken Authentication
Patched in Version:: 1.7.8
Severity Score:: Critical
CVE:: 2024-4544

Plugin:: NextScripts
Plugin Slug:: social-networks-auto-poster-facebook-twitter-g
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.4.4
Severity Score:: High
CVE:: 2024-2088

Plugin:: NextScripts
Plugin Slug:: social-networks-auto-poster-facebook-twitter-g
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.4.4
Severity Score:: Medium
CVE:: 2024-1446

Plugin:: NextScripts
Plugin Slug:: social-networks-auto-poster-facebook-twitter-g
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.4
Severity Score:: High
CVE:: 2024-1762

Plugin:: Uber Menu
Plugin Slug:: ubermenu
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.3
Severity Score:: Medium
CVE:: 2024-4710

Plugin:: Userpro
Plugin Slug:: userpro
Vulnerability:: Privilege Escalation
Patched in Version:: 5.1.9
Severity Score:: Critical
CVE:: 2024-35700

WordPress Themes — 1 Patched / 0 Unpatched

Theme:: Blocksy
Theme Slug:: blocksy
Downloads: 3,232,407
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.47
Severity Score:: Medium
CVE:: 2024-4943

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah

Sarah has been with StellarWP since 2024. As our marketing generalist, she spends her day writing content and completing projects for SolidWP, LearnDash, and The Events Calendar. In her free time, Sarah can be found playing pickleball, enjoying coffee at a local coffee shop, and spending time with her husband.

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 86 Patched / 32 Unpatched

WordPress Themes — 1 Patched / 0 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts