WordPress Vulnerability Report — August 7, 2024

Since last week, 108 new vulnerabilities emerged in the WordPress ecosystem including 107 plugins and 1 theme. 17 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah

Published:Aug 7, 2024

Filed Under:WordPress Vulnerability Report

Reading Time:21 min.

In this report, 108 vulnerabilities have been publicly disclosed. Security patches for 91 of these plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 17 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 91 Patched / 16 Unpatched

2.1 ?????? ?????? ??????
2.2 Blox Page Builder
2.3 Business Card
2.4 CZ Loan Management
2.5 Donation Block For PayPal
2.6 Ebook Store
2.7 Remote Content Shortcode
2.8 Responsive Tabs
2.9 Send email only on Reply to My Comment
2.10 Send email only on Reply to My Comment
2.11 SpiderContacts
2.12 Traffic Manager
2.13 WP Ajax Contact Form
2.14 WP Ajax Contact Form
2.15 WpStickyBar
2.16 WpStickyBar
2.17 Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
2.18 SiteOrigin Widgets Bundle
2.19 Forminator – Contact Form, Payment Form & Custom Form Builder
2.20 Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
2.21 Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
2.22 Download Manager
2.23 Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
2.24 Inline Related Posts
2.25 Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)
2.26 Email Encoder – Protect Email Addresses and Phone Numbers
2.27 Social Feed Gallery
2.28 LearnPress – WordPress LMS Plugin
2.29 LearnPress – WordPress LMS Plugin
2.30 WP Mobile Menu – The Mobile-Friendly Responsive Menu
2.31 Tutor LMS – eLearning and online course solution
2.32 Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
2.33 Comments – wpDiscuz
2.34 Blog2Social: Social Media Auto Post & Scheduler
2.35 File Manager Pro – Filester
2.36 JetFormBuilder — Dynamic Blocks Form Builder
2.37 Bold Page Builder
2.38 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
2.39 User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
2.40 Better Find and Replace
2.41 Ditty – Responsive News Tickers, Sliders, and Lists
2.42 Kubio AI Page Builder
2.43 Gutenberg Blocks, Page Builder – ComboBlocks
2.44 Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
2.45 WP-PostRatings
2.46 Slider by 10Web – Responsive Image Slider
2.47 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
2.48 WordPress File Upload
2.49 Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend
2.50 Custom 404 Pro
2.51 RegistrationMagic – User Registration Plugin with Custom Registration Forms
2.52 Horizontal scrolling announcements
2.53 Registrations for the Events Calendar – Event Registration Plugin
2.54 SportsPress – Sports Club & League Manager
2.55 Event Manager, Events Calendar, Tickets, Registrations – Eventin
2.56 HTML Forms – Simple WordPress Forms Plugin
2.57 Chatbot for WordPress by Collect.chat ??
2.58 Salon Booking System
2.59 Pinpoint Booking System – #1 WordPress Booking Plugin
2.60 Cooked – Recipe Management
2.61 TemplateSpare: Quick & Easy WordPress Site Builder – 475+ Ready-Made Demos for News, Blogs, eCommerce, and More. One-Click Import, No Coding Needed
2.62 VikRentCar Car Rental Management System
2.63 Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce
2.64 Sync Post With Other Site
2.65 Photo Engine (Media Organizer & Lightroom)
2.66 Message Filter for Contact Form 7
2.67 CRM Perks Forms – WordPress Form Builder
2.68 FundEngine – Donation and Crowdfunding Platform
2.69 Black Widgets For Elementor
2.70 Black Widgets For Elementor
2.71 Extensions for Elementor
2.72 WP Fast Total Search – The Power of Indexed Search
2.73 Sign-up Sheets
2.74 Tainacan
2.75 LiquidPoll – Polls, Surveys, NPS and Feedback Reviews
2.76 YayExtra – WooCommerce Extra Product Options
2.77 Filter & Grids
2.78 Filter & Grids
2.79 Zephyr Project Manager
2.80 Zephyr Project Manager
2.81 WANotifier – Send Message Notifications Using WhatsApp API
2.82 Web Directory Free
2.83 CTT Expresso para WooCommerce
2.84 News Element Elementor Blog Magazine
2.85 Lifetime free Drag & Drop Contact Form Builder for WordPress VForm
2.86 Community Events
2.87 Ultimate Classified Listings
2.88 Ultimate Classified Listings
2.89 Ultimate Classified Listings
2.90 Element Pack Pro
2.91 Breakdance
2.92 Breakdance
2.93 WPBakery Page Builder
2.94 WPBakery Page Builder
2.95 Paid Memberships Pro – Member Directory Add On
2.96 Pmpro Membership Maps
2.97 Swift Framework Page Builder
2.98 Spectra Pro
2.99 Superfly Menu
2.100 Tin Canny Reporting for LearnDash
2.101 WooCommerce Customers Manager
2.102 WooCommerce Customers Manager
2.103 WooCommerce PDF Vouchers
2.104 WooCommerce PDF Vouchers
2.105 WooCommerce PDF Vouchers
2.106 Affiliate Manager
2.107 WP eMember

3. WordPress Themes — 0 Patched / 1 Unpatched

3.1 Edubin

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.6.1 is available! This minor release features 7 bug fixes in Core and 9 bug fixes for the Block Editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement.

WordPress Plugins — 91 Patched / 16 Unpatched

Plugin:: ?????? ?????? ??????
Plugin Slug:: pardakht-delkhah
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6230

Plugin:: Blox Page Builder
Plugin Slug:: blox-page-builder
Installations: 500+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-6315

Plugin:: Business Card
Plugin Slug:: business-card-by-esterox-100
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-5807

Plugin:: CZ Loan Management
Plugin Slug:: cz-loan-management
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-5975

Plugin:: Donation Block For PayPal
Plugin Slug:: donations-block
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-6021

Plugin:: Ebook Store
Plugin Slug:: ebook-store
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6567

Plugin:: Remote Content Shortcode
Plugin Slug:: remote-content-shortcode
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-2090

Plugin:: Responsive Tabs
Plugin Slug:: responsive-tabs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-4096

Plugin:: Send email only on Reply to My Comment
Plugin Slug:: send-email-only-on-reply-to-my-comment
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-6224

Plugin:: Send email only on Reply to My Comment
Plugin Slug:: send-email-only-on-reply-to-my-comment
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-6223

Plugin:: SpiderContacts
Plugin Slug:: spider-contacts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-6272

Plugin:: Traffic Manager
Plugin Slug:: traffic-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-7485

Plugin:: WP Ajax Contact Form
Plugin Slug:: wp-ajax-contact-form
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-5809

Plugin:: WP Ajax Contact Form
Plugin Slug:: wp-ajax-contact-form
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5808

Plugin:: WpStickyBar
Plugin Slug:: wpstickybar-sticky-bar-sticky-header
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-6226

Plugin:: WpStickyBar
Plugin Slug:: wpstickybar-sticky-bar-sticky-header
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-5765

Plugin:: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.27
Severity Score:: Medium
CVE:: 2024-39649

Plugin:: SiteOrigin Widgets Bundle
Plugin Slug:: so-widgets-bundle
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.62.3
Severity Score:: Medium
CVE:: 2024-5901

Plugin:: Forminator – Contact Form, Payment Form & Custom Form Builder
Plugin Slug:: forminator
Installations: 500,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.29.2
Severity Score:: Medium
CVE:: 2024-7389

Plugin:: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Plugin Slug:: formidable
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.11.2
Severity Score:: Medium
CVE:: 2024-6725

Plugin:: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.12
Severity Score:: Medium
CVE:: 2024-39667

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.98
Severity Score:: Medium
CVE:: 2024-6208

Plugin:: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Plugin Slug:: essential-blocks
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.7.0
Severity Score:: Medium
CVE:: 2024-5595

Plugin:: Inline Related Posts
Plugin Slug:: intelly-related-posts
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.0
Severity Score:: Medium
CVE:: 2024-6487

Plugin:: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)
Plugin Slug:: mystickymenu
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.2
Severity Score:: Medium
CVE:: 2024-4090

Plugin:: Email Encoder – Protect Email Addresses and Phone Numbers
Plugin Slug:: email-encoder-bundle
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2024-4483

Plugin:: Social Feed Gallery
Plugin Slug:: insta-gallery
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4.0
Severity Score:: Medium
CVE:: 2024-39640

Plugin:: LearnPress – WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 90,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.2.6.9
Severity Score:: Medium
CVE:: 2024-39642

Plugin:: LearnPress – WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 90,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.2.6.9
Severity Score:: Medium
CVE:: 2024-39641

Plugin:: WP Mobile Menu – The Mobile-Friendly Responsive Menu
Plugin Slug:: mobile-menu
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.5
Severity Score:: Medium
CVE:: 2024-2508

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 90,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.7.3
Severity Score:: Medium
CVE:: 2024-39645

Plugin:: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Plugin Slug:: folders
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.4
Severity Score:: Medium
CVE:: 2024-7317

Plugin:: Comments – wpDiscuz
Plugin Slug:: wpdiscuz
Installations: 80,000+
Vulnerability:: Content Injection
Patched in Version:: 7.6.22
Severity Score:: Medium
CVE:: 2024-6704

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.5.5
Severity Score:: Medium
CVE:: 2024-7302

Plugin:: File Manager Pro – Filester
Plugin Slug:: filester
Installations: 60,000+
Vulnerability:: Settings Change
Patched in Version:: 1.8.3
Severity Score:: High
CVE:: 2024-7031

Plugin:: JetFormBuilder — Dynamic Blocks Form Builder
Plugin Slug:: jetformbuilder
Installations: 60,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.3.4.2
Severity Score:: High
CVE:: 2024-7291

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.3
Severity Score:: Medium
CVE:: 2024-7100

Plugin:: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Plugin Slug:: easy-digital-downloads
Installations: 50,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.3.1
Severity Score:: Critical
CVE:: 2024-5057

Plugin:: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Plugin Slug:: profile-builder
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.11.8
Severity Score:: Medium
CVE:: 2024-6366

Plugin:: Better Find and Replace
Plugin Slug:: real-time-auto-find-and-replace
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.2
Severity Score:: High
CVE:: 2024-39636

Plugin:: Ditty – Responsive News Tickers, Sliders, and Lists
Plugin Slug:: ditty-news-ticker
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.45
Severity Score:: Medium
CVE:: 2024-6710

Plugin:: Kubio AI Page Builder
Plugin Slug:: kubio
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.5
Severity Score:: Medium
CVE:: 2024-39661

Plugin:: Gutenberg Blocks, Page Builder – ComboBlocks
Plugin Slug:: post-grid
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.86
Severity Score:: Medium
CVE:: 2024-6346

Plugin:: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.0
Severity Score:: Medium
CVE:: 2024-6390

Plugin:: WP-PostRatings
Plugin Slug:: wp-postratings
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.91.2
Severity Score:: Medium
CVE:: 2024-39659

Plugin:: Slider by 10Web – Responsive Image Slider
Plugin Slug:: slider-wd
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.57
Severity Score:: Medium
CVE:: 2024-6408

Plugin:: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.2.12
Severity Score:: High
CVE:: 2024-6477

Plugin:: WordPress File Upload
Plugin Slug:: wp-file-upload
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.24.8
Severity Score:: Medium
CVE:: 2024-39639

Plugin:: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.0.8
Severity Score:: High
CVE:: 2024-38693

Plugin:: Custom 404 Pro
Plugin Slug:: custom-404-pro
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.11.2
Severity Score:: High
CVE:: 2024-39646

Plugin:: RegistrationMagic – User Registration Plugin with Custom Registration Forms
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.0.0.2
Severity Score:: Medium
CVE:: 2024-39643

Plugin:: Horizontal scrolling announcements
Plugin Slug:: horizontal-scrolling-announcements
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.5
Severity Score:: High
CVE:: 2023-5000

Plugin:: Registrations for the Events Calendar – Event Registration Plugin
Plugin Slug:: registrations-for-the-events-calendar
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.12.3
Severity Score:: High
CVE:: 2024-39638

Plugin:: SportsPress – Sports Club & League Manager
Plugin Slug:: sportspress
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.22
Severity Score:: Medium
CVE:: 2024-3986

Plugin:: Event Manager, Events Calendar, Tickets, Registrations – Eventin
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.6
Severity Score:: Medium
CVE:: 2024-39648

Plugin:: HTML Forms – Simple WordPress Forms Plugin
Plugin Slug:: html-forms
Installations: 9,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.34
Severity Score:: Medium
CVE:: 2024-6412

Plugin:: Chatbot for WordPress by Collect.chat ??
Plugin Slug:: collectchat
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.4
Severity Score:: Medium
CVE:: 2024-6498

Plugin:: Salon Booking System
Plugin Slug:: salon-booking-system
Installations: 5,000+
Vulnerability:: SQL Injection
Patched in Version:: 10.8
Severity Score:: High
CVE:: 2024-39658

Plugin:: Pinpoint Booking System – #1 WordPress Booking Plugin
Plugin Slug:: booking-system
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.9.4.8
Severity Score:: Medium
CVE:: 2024-3636

Plugin:: Cooked – Recipe Management
Plugin Slug:: cooked
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.1
Severity Score:: Medium
CVE:: 2024-41816

Plugin:: TemplateSpare: Quick & Easy WordPress Site Builder – 475+ Ready-Made Demos for News, Blogs, eCommerce, and More. One-Click Import, No Coding Needed
Plugin Slug:: templatespare
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.3
Severity Score:: Medium
CVE:: 2024-6872

Plugin:: VikRentCar Car Rental Management System
Plugin Slug:: vikrentcar
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.1
Severity Score:: Critical
CVE:: 2024-39653

Plugin:: Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce
Plugin Slug:: sender-net-automated-emails
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.6.19
Severity Score:: Medium
CVE:: 2024-39657

Plugin:: Sync Post With Other Site
Plugin Slug:: sync-post-with-other-site
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2024-6709

Plugin:: Photo Engine (Media Organizer & Lightroom)
Plugin Slug:: wplr-sync
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.3.2
Severity Score:: Medium
CVE:: 2024-39660

Plugin:: Message Filter for Contact Form 7
Plugin Slug:: cf7-message-filter
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.2
Severity Score:: High
CVE:: 2024-39647

Plugin:: CRM Perks Forms – WordPress Form Builder
Plugin Slug:: crm-perks-forms
Installations: 2,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.4
Severity Score:: Critical
CVE:: 2024-7484

Plugin:: FundEngine – Donation and Crowdfunding Platform
Plugin Slug:: wp-fundraising-donation
Installations: 2,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.7.1
Severity Score:: High
CVE:: 2024-6698

Plugin:: Black Widgets For Elementor
Plugin Slug:: black-widgets
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.6
Severity Score:: Medium
CVE:: 2024-39662

Plugin:: Black Widgets For Elementor
Plugin Slug:: black-widgets
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.6
Severity Score:: Medium
CVE:: 2024-39644

Plugin:: Extensions for Elementor
Plugin Slug:: extensions-for-elementor
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.32
Severity Score:: Medium
CVE:: 2024-39668

Plugin:: WP Fast Total Search – The Power of Indexed Search
Plugin Slug:: fulltext-search
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.69.234
Severity Score:: High
CVE:: 2024-39663

Plugin:: Sign-up Sheets
Plugin Slug:: sign-up-sheets
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.13
Severity Score:: Medium
CVE:: 2024-39654

Plugin:: Tainacan
Plugin Slug:: tainacan
Installations: 1,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 0.21.8
Severity Score:: Medium
CVE:: 2024-7135

Plugin:: LiquidPoll – Polls, Surveys, NPS and Feedback Reviews
Plugin Slug:: wp-poll
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.78
Severity Score:: Medium
CVE:: 2024-39655

Plugin:: YayExtra – WooCommerce Extra Product Options
Plugin Slug:: yayextra
Installations: 1,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.3.8
Severity Score:: Critical
CVE:: 2024-7257

Plugin:: Filter & Grids
Plugin Slug:: ymc-smart-filter
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.3
Severity Score:: Medium
CVE:: 2024-39665

Plugin:: Filter & Grids
Plugin Slug:: ymc-smart-filter
Installations: 1,000+
Vulnerability:: Broken Authentication
Patched in Version:: 2.8.34
Severity Score:: High
CVE:: 2024-39664

Plugin:: Zephyr Project Manager
Plugin Slug:: zephyr-project-manager
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.101
Severity Score:: Medium
CVE:: 2024-7356

Plugin:: Zephyr Project Manager
Plugin Slug:: zephyr-project-manager
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.99
Severity Score:: Medium
CVE:: 2024-6536

Plugin:: WANotifier – Send Message Notifications Using WhatsApp API
Plugin Slug:: notifier
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.1
Severity Score:: Medium
CVE:: 2024-6165

Plugin:: Web Directory Free
Plugin Slug:: web-directory-free
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.2
Severity Score:: High
CVE:: 2024-3669

Plugin:: CTT Expresso para WooCommerce
Plugin Slug:: ctt-expresso-para-woocommerce
Installations: 100+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.2.13
Severity Score:: Medium
CVE:: 2024-6687

Plugin:: News Element Elementor Blog Magazine
Plugin Slug:: news-element
Installations: 100+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.0.6
Severity Score:: High
CVE:: 2024-6459

Plugin:: Lifetime free Drag & Drop Contact Form Builder for WordPress VForm
Plugin Slug:: v-form
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.6
Severity Score:: High
CVE:: 2024-6770

Plugin:: Community Events
Plugin Slug:: community-events
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.1
Severity Score:: Medium
CVE:: 2024-6270

Plugin:: Ultimate Classified Listings
Plugin Slug:: ultimate-classified-listings
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2024-6529

Plugin:: Ultimate Classified Listings
Plugin Slug:: ultimate-classified-listings
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2024-5883

Plugin:: Ultimate Classified Listings
Plugin Slug:: ultimate-classified-listings
Installations: 30+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2024-5882

Plugin:: Element Pack Pro
Plugin Slug:: bdthemes-element-pack
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.9.1
Severity Score:: Medium
CVE:: 2024-2455

Plugin:: Breakdance
Plugin Slug:: breakdance
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.0
Severity Score:: Medium
CVE:: 2024-5330

Plugin:: Breakdance
Plugin Slug:: breakdance
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.0
Severity Score:: Medium
CVE:: 2024-5331

Plugin:: WPBakery Page Builder
Plugin Slug:: js_composer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.8
Severity Score:: Medium
CVE:: 2024-5708

Plugin:: WPBakery Page Builder
Plugin Slug:: js_composer
Vulnerability:: Local File Inclusion
Patched in Version:: 7.8
Severity Score:: Medium
CVE:: 2024-5709

Plugin:: Paid Memberships Pro – Member Directory Add On
Plugin Slug:: pmpro-member-directory
Vulnerability:: SQL Injection
Patched in Version:: 1.2.6
Severity Score:: High
CVE:: 2024-1287

Plugin:: Pmpro Membership Maps
Plugin Slug:: pmpro-membership-maps
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 0.7
Severity Score:: Medium
CVE:: 2024-1286

Plugin:: Swift Framework Page Builder
Plugin Slug:: socialdriver-framework
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2024.04.30
Severity Score:: Medium
CVE:: 2024-2872

Plugin:: Spectra Pro
Plugin Slug:: spectra-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.5
Severity Score:: Medium
CVE:: 2024-3827

Plugin:: Superfly Menu
Plugin Slug:: superfly-menu
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.0.30
Severity Score:: High
CVE:: 2024-3238

Plugin:: Tin Canny Reporting for LearnDash
Plugin Slug:: tin-canny-learndash-reporting
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.0.8
Severity Score:: High
CVE:: 2024-39656

Plugin:: WooCommerce Customers Manager
Plugin Slug:: woocommerce-customers-manager
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 30.1
Severity Score:: Medium
CVE:: 2024-2843

Plugin:: WooCommerce Customers Manager
Plugin Slug:: woocommerce-customers-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 30.2
Severity Score:: Medium
CVE:: 2024-1747

Plugin:: WooCommerce PDF Vouchers
Plugin Slug:: woocommerce-pdf-vouchers
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.5
Severity Score:: High
CVE:: 2024-39652

Plugin:: WooCommerce PDF Vouchers
Plugin Slug:: woocommerce-pdf-vouchers
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 4.9.5
Severity Score:: High
CVE:: 2024-39651

Plugin:: WooCommerce PDF Vouchers
Plugin Slug:: woocommerce-pdf-vouchers
Vulnerability:: Multiple Vulnerabilities
Patched in Version:: 4.9.5
Severity Score:: High
CVE:: 2024-39650

Plugin:: Affiliate Manager
Plugin Slug:: wp-affiliate-platform
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.5.2
Severity Score:: Medium
CVE:: 2024-5285

Plugin:: WP eMember
Plugin Slug:: wp-eMember
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 10.7.0
Severity Score:: High
CVE:: 2024-5081

WordPress Themes — 0 Patched / 1 Unpatched

Theme:: Edubin
Theme Slug:: edubin
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-39637

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah

Sarah has been with StellarWP since 2024. As our marketing generalist, she spends her day writing content and completing projects for SolidWP, LearnDash, and The Events Calendar. In her free time, Sarah can be found playing pickleball, enjoying coffee at a local coffee shop, and spending time with her husband.

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 91 Patched / 16 Unpatched

WordPress Themes — 0 Patched / 1 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 22, 2026

WordPress Vulnerability Report — April 15, 2026

WordPress Vulnerability Report — April 8, 2026

WordPress Vulnerability Report — April 1, 2026