WordPress Vulnerability Report

WordPress Vulnerability Report — December 11, 2024

This last week, 231 new plugin and theme vulnerabilities emerged in the WordPress ecosystem. 97 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah

In this report, 231 vulnerabilities have been publicly disclosed. Security patches for 134 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 97 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, the Solid Security firewall already protects you against those vulnerabilities. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.7.1 is available! This minor release features 16 bug fixes throughout Core and the Block Editor.

No new core vulnerabilities were disclosed this week.

WordPress Plugins — 128 Patched / 94 Unpatched

140+ Widgets | Xpro Addons For Elementor – FREE

Plugin Slug:
xpro-elementor-addons
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Login Widget With Shortcode

Plugin Slug:
login-sidebar-widget
Installations
8,000+
Vulnerability:
Open Redirection
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Pinpoint Booking System – #1 WordPress Booking Plugin

Plugin Slug:
booking-system
Installations
4,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Minimum and Maximum Quantity for WooCommerce

Plugin Slug:
min-and-max-quantity-for-woocommerce
Installations
3,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Message Filter for Contact Form 7

Plugin Slug:
cf7-message-filter
Installations
2,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

News Kit Elementor Addons

Plugin Slug:
news-kit-elementor-addons
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Page Builder – Zion Builder

Plugin Slug:
zionbuilder
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ForumWP – Forum & Discussion Board

Plugin Slug:
forumwp
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Friends

Plugin:
Friends
Plugin Slug:
friends
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

DELUCKS SEO

Plugin Slug:
delucks-seo
Installations
600+
Vulnerability:
Arbitrary File Download
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

RRAddons for Elementor

Plugin Slug:
rrdevs-for-elementor
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Import Export For WooCommerce

Plugin Slug:
import-export-for-woocommerce
Installations
200+
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Shiptimize for WooCommerce

Plugin Slug:
shiptimize-for-woocommerce
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Limit Login Attempts (Spam Protection)

Plugin Slug:
wp-limit-failed-login-attempts
Installations
200+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Comfino Payment Gateway

Plugin Slug:
comfino-payment-gateway
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Designer – Addons for Elementor

Plugin Slug:
designer
Installations
100+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Prodigy Commerce

Plugin Slug:
prodigy-commerce
Installations
100+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Clients

Plugin:
Clients
Plugin Slug:
clients
Installations
80+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Notification

Plugin Slug:
simple-notification
Installations
50+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ni WooCommerce Order Export

Plugin Slug:
ni-woocommerce-order-export
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Awesome Shortcodes

Plugin Slug:
awesome-shortcodes
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Blaze Online eParcel for WooCommerce

Plugin Slug:
blaze-online-eparcel-for-woocommerce
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Board Document Manager from CHUHPL

Plugin Slug:
board-document-manager-from-chuhpl
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Easy Replace

Plugin Slug:
easy-replace
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ni CRM Lead

Plugin Slug:
ni-crm-lead
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Ni CRM Lead

Plugin Slug:
ni-crm-lead
Installations
10+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Ni WooCommerce Bulk Product Editor

Plugin Slug:
ni-woocommerce-product-editor
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

TAX SERVICE Electronic HDM

Plugin Slug:
virtual-hdm-for-taxservice-am
Installations
10+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

ABCBiz Addons and Templates for Elementor

Plugin:
ABCBiz Addons and Templates for Elementor
Plugin Slug:
abcbiz-addons
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Advanced Control Manager for WordPress by ItalyStrap

Plugin:
Advanced Control Manager for WordPress by ItalyStrap
Plugin Slug:
advanced-control-manager
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Advanced Options Editor

Plugin:
Advanced Options Editor
Plugin Slug:
advanced-options-editor
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

AI Quiz

Plugin:
AI Quiz
Plugin Slug:
ai-quiz
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

AIO Contact

Plugin:
AIO Contact
Plugin Slug:
aio-contact
Vulnerability:
Settings Change
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AIO Contact

Plugin:
AIO Contact
Plugin Slug:
aio-contact
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Pulsating Chat Button

Plugin:
Pulsating Chat Button
Plugin Slug:
amin-chat-button
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ARForms

Plugin:
ARForms
Plugin Slug:
arforms
Vulnerability:
Path Traversal
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ARForms

Plugin:
ARForms
Plugin Slug:
arforms
Vulnerability:
Settings Change
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Authors List

Plugin:
Authors List
Plugin Slug:
authors-list
Vulnerability:
Arbitrary Code Execution
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Beautiful Taxonomy Filters

Plugin:
Beautiful Taxonomy Filters
Plugin Slug:
beautiful-taxonomy-filters
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Block Controller

Plugin Slug:
block-controller
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

BP Profile Shortcodes Extra

Plugin:
BP Profile Shortcodes Extra
Plugin Slug:
bp-profile-shortcodes-extra
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Mollie for Contact Form 7

Plugin:
Mollie for Contact Form 7
Plugin Slug:
cf7-mollie
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Charity Addon for Elementor

Plugin:
Charity Addon for Elementor
Plugin Slug:
charity-addon-for-elementor
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Clickbank Storefront

Plugin:
Clickbank Storefront
Plugin Slug:
clickbank-storefront
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

SMS for Lead Capture Forms

Plugin:
SMS for Lead Capture Forms
Plugin Slug:
clicksend-lead-capture-form
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CLUEVO LMS, E-Learning Platform

Plugin:
CLUEVO LMS, E-Learning Platform
Plugin Slug:
cluevo-lms
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Cookielay

Plugin:
Cookielay
Plugin Slug:
cookielay
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Country Blocker

Plugin:
Country Blocker
Plugin Slug:
country-blocker
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Advanced Element Bucket Addons for Elementor

Plugin Slug:
cs-element-bucket
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Easy Blocks pro

Plugin:
Easy Blocks pro
Plugin Slug:
easy-blocks-pro
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Easy Code Snippets

Plugin:
Easy Code Snippets
Plugin Slug:
easy-code-snippets
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Easy Social Feed Premium

Plugin:
Easy Social Feed Premium
Plugin Slug:
easy-facebook-likebox-premium
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Echoza

Plugin:
Echoza
Plugin Slug:
echoza
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

eewee admin custom

Plugin:
eewee admin custom
Plugin Slug:
eewee-admincustom
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Eleblog – Elementor Blog And Magazine Addons

Plugin:
Eleblog – Elementor Blog And Magazine Addons
Plugin Slug:
ele-blog
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

FAQs

Plugin:
FAQs
Plugin Slug:
faqs
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

FAT Services Booking

Plugin:
FAT Services Booking
Plugin Slug:
fat-services-booking
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

FAT Services Booking

Plugin:
FAT Services Booking
Plugin Slug:
fat-services-booking
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Folder Gallery

Plugin:
Folder Gallery
Plugin Slug:
folder-gallery
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Funnelforms Free

Plugin:
Funnelforms Free
Plugin Slug:
funnelforms-free
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Gold Addons for Elementor

Plugin:
Gold Addons for Elementor
Plugin Slug:
gold-addons-for-elementor
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Library Management System

Plugin:
Library Management System
Plugin Slug:
library-management-system
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Contact Form, Survey & Form Builder – MightyForms

Plugin:
Contact Form, Survey & Form Builder – MightyForms
Plugin Slug:
mightyforms
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Gallery

Plugin:
Gallery
Plugin Slug:
multi-gallery
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Login With OTP

Plugin:
Login With OTP
Plugin Slug:
otp-login
Vulnerability:
Broken Authentication
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Posti Shipping

Plugin:
Posti Shipping
Plugin Slug:
posti-shipping
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Paloma Widget

Plugin:
Paloma Widget
Plugin Slug:
postman-widget
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Responsive Videos

Plugin:
Responsive Videos
Plugin Slug:
responsive-youtube-videos
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Revy

Plugin:
Revy
Plugin Slug:
revy
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Revy

Plugin:
Revy
Plugin Slug:
revy
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

SG Helper

Plugin:
SG Helper
Plugin Slug:
sg-helper
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Ecommerce Shopping Cart

Plugin:
Simple Ecommerce Shopping Cart
Plugin Slug:
simple-e-commerce-shopping-cart
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Ecommerce Shopping Cart

Plugin:
Simple Ecommerce Shopping Cart
Plugin Slug:
simple-e-commerce-shopping-cart
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Smart PopUp Blaster

Plugin:
Smart PopUp Blaster
Plugin Slug:
smart-popup-blaster
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Smoove connector for Elementor forms

Plugin:
Smoove connector for Elementor forms
Plugin Slug:
smoove-elementor
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Splash Sync

Plugin:
Splash Sync
Plugin Slug:
splash-connector
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

SV100 Companion

Plugin:
SV100 Companion
Plugin Slug:
sv100-companion
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

TWChat

Plugin:
TWChat
Plugin Slug:
twchat
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

TwentyTwenty

Plugin:
TwentyTwenty
Plugin Slug:
twentytwenty
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Shortcodes Blocks Creator Ultimate

Plugin:
Shortcodes Blocks Creator Ultimate
Plugin Slug:
ultimate-shortcodes-creator
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Unlock Addons for Elementor

Plugin Slug:
unlock-addons-for-elementor
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Wot Elementor Widgets

Plugin Slug:
wot-elementor-widgets
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Auction Plugin

Plugin:
WordPress Auction Plugin
Plugin Slug:
wp-auctions
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Auction Plugin

Plugin:
WordPress Auction Plugin
Plugin Slug:
wp-auctions
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Media Optimizer

Plugin:
WP Media Optimizer
Plugin Slug:
wp-media-optimizer-webp
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Mini Program API

Plugin:
Mini Program API
Plugin Slug:
wp-mini-program
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Private Content Plus

Plugin:
WP Private Content Plus
Plugin Slug:
wp-private-content-plus
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP System

Plugin:
WP System
Plugin Slug:
wp-system
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Zooom

Plugin:
Zooom
Plugin Slug:
zooom
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce

Plugin Slug:
woocommerce
Installations
8,000,000+
Vulnerability:
Broken Access Control
Patched in Version:
9.4.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 9.4.3.

Spectra – WordPress Gutenberg Blocks

Plugin Slug:
ultimate-addons-for-gutenberg
Installations
1,000,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.16.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.16.3.

Firelight Lightbox

Plugin Slug:
easy-fancybox
Installations
200,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.3.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.3.4.

Beaver Builder – WordPress Page Builder

Plugin Slug:
beaver-builder-lite-version
Installations
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.8.4.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.8.4.4.

Colibri Page Builder

Plugin Slug:
colibri-page-builder
Installations
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.288
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.288.

Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

Plugin Slug:
depicter
Installations
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.2.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.2.2.

Plugin Slug:
envira-gallery-lite
Installations
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.8.16
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.8.16.

Advanced File Manager

Plugin Slug:
file-manager-advanced
Installations
100,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
5.2.11
Severity Score:
High
The vulnerability has been patched, so you should update to version 5.2.11.

FileOrganizer – Manage WordPress and Website Files

Plugin Slug:
fileorganizer
Installations
100,000+
Vulnerability:
Path Traversal
Patched in Version:
1.1.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.1.5.

Plugin Slug:
responsive-lightbox
Installations
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.4.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.4.9.

TI WooCommerce Wishlist

Plugin Slug:
ti-woocommerce-wishlist
Installations
100,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.9.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.9.2.

AnyWhere Elementor

Plugin Slug:
anywhere-elementor
Installations
90,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.2.12
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.12.

WPC Smart Quick View for WooCommerce

Plugin Slug:
woo-smart-quick-view
Installations
80,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.1.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.1.2.

WP Hide & Security Enhancer

Plugin Slug:
wp-hide-security-enhancer
Installations
70,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.5.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.5.2.

Getwid – Gutenberg Blocks

Plugin Slug:
getwid
Installations
60,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.12
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.12.

If Menu – Visibility control for Menus

Plugin Slug:
if-menu
Installations
60,000+
Vulnerability:
Broken Access Control
Patched in Version:
0.19.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 0.19.2.

Visual Portfolio, Photo Gallery & Post Grid

Plugin Slug:
visual-portfolio
Installations
60,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.3.10
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.3.10.

Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid

Plugin Slug:
wp-carousel-free
Installations
60,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.6.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.6.9.

Bold Page Builder

Plugin Slug:
bold-page-builder
Installations
50,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.2.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.2.2.

FancyBox for WordPress

Plugin Slug:
fancybox-for-wordpress
Installations
40,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.3.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.3.5.

Themesflat Addons For Elementor

Plugin Slug:
themesflat-addons-for-elementor
Installations
40,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.2.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.3.

Tutor LMS Elementor Addons

Plugin Slug:
tutor-lms-elementor-addons
Installations
30,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.1.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.6.

WP Umbrella: Update Backup Restore & Monitoring

Plugin Slug:
wp-health
Installations
30,000+
Vulnerability:
Local File Inclusion
Patched in Version:
2.17.1
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.17.1.

Maspik – Advanced Spam Protection

Plugin Slug:
contact-forms-anti-spam
Installations
20,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.2.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.8.

Futurio Extra

Plugin Slug:
futurio-extra
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.15
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.15.

FV Flowplayer Video Player

Plugin Slug:
fv-wordpress-flowplayer
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
7.5.48.7212
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.5.48.7212.

Product Labels For Woocommerce (Sale Badges)

Plugin Slug:
aco-product-labels-for-woocommerce
Installations
10,000+
Vulnerability:
SQL Injection
Patched in Version:
1.5.9
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.5.9.

Plugin Slug:
gallery-videos
Installations
10,000+
Vulnerability:
SQL Injection
Patched in Version:
2.4.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.4.3.

Plugin Slug:
gallery-videos
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.4.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.4.2.

LA-Studio Element Kit for Elementor

Plugin Slug:
lastudio-element-kit
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.4.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.5.

Simple Side Tab

Plugin Slug:
simple-side-tab
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.2.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.0.

Swift Performance Lite

Plugin Slug:
swift-performance-lite
Installations
10,000+
Vulnerability:
Path Traversal
Patched in Version:
2.3.7.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.3.7.2.

Pojo Forms

Plugin:
Pojo Forms
Plugin Slug:
pojo-forms
Installations
7,000+
Vulnerability:
Arbitrary Code Execution
Patched in Version:
1.4.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.8.

Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Plugin Slug:
poll-maker
Installations
7,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
5.5.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.5.5.

All Bootstrap Blocks

Plugin Slug:
all-bootstrap-blocks
Installations
4,000+
Vulnerability:
Local File Inclusion
Patched in Version:
1.3.20
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.3.20.

Arkhe Blocks

Plugin Slug:
arkhe-blocks
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.27.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.27.1.

Pinpoint Booking System – #1 WordPress Booking Plugin

Plugin Slug:
booking-system
Installations
4,000+
Vulnerability:
SQL Injection
Patched in Version:
2.9.9.5.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.9.9.5.2.

ElementsReady Addons for Elementor

Plugin Slug:
element-ready-lite
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
6.4.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.4.8.

WP Job Manager – Company Profiles

Plugin Slug:
wp-job-manager-companies
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.8.

Accordion Slider

Plugin Slug:
accordion-slider
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.9.13
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.9.13.

Message Filter for Contact Form 7

Plugin Slug:
cf7-message-filter
Installations
2,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.6.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.6.3.

KiviCare – Clinic & Patient Management System (EHR)

Plugin Slug:
kivicare-clinic-management-system
Installations
2,000+
Vulnerability:
SQL Injection
Patched in Version:
3.6.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.6.5.

KiviCare – Clinic & Patient Management System (EHR)

Plugin Slug:
kivicare-clinic-management-system
Installations
2,000+
Vulnerability:
SQL Injection
Patched in Version:
3.6.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.6.5.

KiviCare – Clinic & Patient Management System (EHR)

Plugin Slug:
kivicare-clinic-management-system
Installations
2,000+
Vulnerability:
SQL Injection
Patched in Version:
3.6.5
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.6.5.

Online Booking & Scheduling Calendar for WordPress by vcita

Plugin Slug:
meeting-scheduler-by-vcita
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.5.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.5.2.

Plugin Check (PCP)

Plugin Slug:
plugin-check
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.3.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.1.

WPBITS Addons For Elementor Page Builder

Plugin Slug:
wpbits-addons-for-elementor
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.6.

Captivate Sync

Plugin Slug:
captivatesync-trade
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.26
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.26.

Contact Form Builder by vcita

Plugin Slug:
contact-form-with-a-meeting-scheduler-by-vcita
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.10.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.10.5.

Event Tickets with Ticket Scanner

Plugin Slug:
event-tickets-with-ticket-scanner
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.4.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.4.4.

????? ?? ???? – ???? ?? ????

Plugin Slug:
pgall-for-woocommerce
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.2.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 5.2.3.

SearchIQ – The Search Solution

Plugin Slug:
searchiq
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.7.

Simple Restrict

Plugin Slug:
simple-restrict
Installations
1,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
1.2.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.8.

Broadcast

Plugin:
Broadcast
Plugin Slug:
threewp-broadcast
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
51.02
Severity Score:
High
The vulnerability has been patched, so you should update to version 51.02.

WPCasa

Plugin:
WPCasa
Plugin Slug:
wpcasa
Installations
1,000+
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
1.3.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.0.

Church Admin

Plugin Slug:
church-admin
Installations
900+
Vulnerability:
Broken Access Control
Patched in Version:
5.0.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.0.9.

3DPrint Lite

Plugin Slug:
3dprint-lite
Installations
800+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.

Email Address Obfuscation

Plugin Slug:
email-address-obfuscation
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.0.

Property Hive Mortgage Calculator

Plugin Slug:
property-hive-mortgage-calculator
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.7.

Quran multilanguage Text & Audio

Plugin Slug:
quran-text-multilanguage
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.3.22
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.3.22.

jAlbum Bridge

Plugin Slug:
jalbum-bridge
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.16
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.16.

My auctions allegro

Plugin Slug:
my-auctions-allegro-free-edition
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.6.18
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.6.18.

Additional Custom Order Status for WooCommerce

Plugin Slug:
order-status-for-woocommerce
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.6.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.6.1.

Accounting for WooCommerce

Plugin Slug:
accounting-for-woocommerce
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.6.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.6.7.

AWeber Forms by Optin Cat

Plugin Slug:
aweber-wp
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.5.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.5.8.

iChart – Easy Charts and Graphs

Plugin Slug:
ichart
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.1.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.4.

???? ???

Plugin:
???? ???
Plugin Slug:
mshop-naver-talktalk
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.1.

Namaste! LMS

Plugin Slug:
namaste-lms
Installations
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.6.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.6.5.

Flower Delivery by Florist One

Plugin Slug:
flower-delivery-by-florist-one
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.9.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.9.1.

WIP WooCarousel Lite

Plugin Slug:
wip-woocarousel-lite
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.7.

WP eCards

Plugin:
WP eCards
Plugin Slug:
wp-ecards-invites
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.3.905
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.905.

WP Mailster

Plugin Slug:
wp-mailster
Installations
400+
Vulnerability:
Broken Access Control
Patched in Version:
1.8.17.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.8.17.0.

WP Mailster

Plugin Slug:
wp-mailster
Installations
400+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
1.8.17.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.8.17.0.

WP Mailster

Plugin Slug:
wp-mailster
Installations
400+
Vulnerability:
Broken Access Control
Patched in Version:
1.8.17.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.8.17.0.

WP Mailster

Plugin Slug:
wp-mailster
Installations
400+
Vulnerability:
SQL Injection
Patched in Version:
1.8.17.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.8.17.0.

Simple User Registration

Plugin Slug:
wp-registration
Installations
400+
Vulnerability:
Broken Access Control
Patched in Version:
6.0
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 6.0.

Campaign Monitor Forms by Optin Cat

Plugin Slug:
campaign-monitor-wp
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.5.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.5.8.

CardGate Payments for WooCommerce

Plugin Slug:
cardgate
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.2.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.2.2.

Simple Redirection

Plugin Slug:
eelv-redirection
Installations
200+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.5.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.5.1.

Email Reminders

Plugin Slug:
email-reminders
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.5.

Form Data Collector

Plugin Slug:
form-data-collector
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.2.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.2.4.

Next-Cart Store to WooCommerce Migration

Plugin Slug:
nextcart-woocommerce-migration
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.9.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.9.4.

WP GeoNames

Plugin Slug:
wp-geonames
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.9
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.9.

B Testimonial – Testimonial plugin for WP

Plugin Slug:
b-testimonial
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.3.

ONLYOFFICE Docs

Plugin Slug:
onlyoffice
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.2.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.0.

Prodigy Commerce

Plugin Slug:
prodigy-commerce
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.9.

NPS computy

Plugin Slug:
nps-computy
Installations
90+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.8.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.8.1.

Verowa Connect

Plugin Slug:
verowa-connect
Installations
90+
Vulnerability:
SQL Injection
Patched in Version:
3.0.2
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.0.2.

Z-Downloads

Plugin Slug:
z-downloads
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.11.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.11.8.

BMLT Tabbed Map

Plugin Slug:
bmlt-tabbed-map
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.0.

Quick License Manager – WooCommerce Plugin

Plugin Slug:
quick-license-manager
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.4.18
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.4.18.

FloristPress – Customize your Woo store for your Florist

Plugin Slug:
bakkbone-florist-companion
Installations
10+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
7.4.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.4.0.

FloristPress – Customize your Woo store for your Florist

Plugin Slug:
bakkbone-florist-companion
Installations
10+
Vulnerability:
Arbitrary Content Deletion
Patched in Version:
7.4.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.4.0.

CMSMasters Elementor Addon

Plugin:
CMSMasters Elementor Addon
Plugin Slug:
cmsmasters-elementor-addon
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.15.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.15.0.

Eyewear prescription form

Plugin:
Eyewear prescription form
Plugin Slug:
eyewear-prescription-form
Vulnerability:
Privilege Escalation
Patched in Version:
4.0.19
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.0.19.

FooGallery Premium

Plugin:
FooGallery Premium
Plugin Slug:
foogallery-premium
Vulnerability:
Directory Traversal
Patched in Version:
2.4.27
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.4.27.

Goodlayers Core

Plugin:
Goodlayers Core
Plugin Slug:
goodlayers-core
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.0.8.

Luna Web Radio Player

Plugin:
Luna Web Radio Player
Plugin Slug:
lu-radioplayer
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
6.24.11.15
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.24.11.15.

Pie Register Premium

Plugin:
Pie Register Premium
Plugin Slug:
pie-register-premium
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.8.3.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.8.3.3.

Pie Register Premium

Plugin:
Pie Register Premium
Plugin Slug:
pie-register-premium
Vulnerability:
Arbitrary File Upload
Patched in Version:
3.8.3.3
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.8.3.3.

Pie Register (Add on) – Social Sites Login

Plugin:
Pie Register (Add on) – Social Sites Login
Plugin Slug:
pie-register-social-site
Vulnerability:
Broken Authentication
Patched in Version:
1.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.8.

WordPress Themes — 6 Patched / 3 Unpatched

Gaga Lite

Theme:
Gaga Lite
Theme Slug:
gaga-lite
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should switch themes.

One Paze

Theme:
One Paze
Theme Slug:
one-paze
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should switch themes.

tydskrif

Theme:
tydskrif
Theme Slug:
tydskrif
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Blocksy

Theme:
Blocksy
Theme Slug:
blocksy
Downloads
3,976,858
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.78
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.78.

Flixita

Theme:
Flixita
Theme Slug:
flixita
Downloads
110,003
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.83
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.0.83.

NewsMunch

Theme Slug:
newsmunch
Downloads
60,837
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.36
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.36.

Pubnews

Theme:
Pubnews
Theme Slug:
pubnews
Downloads
12,310
Vulnerability:
Broken Access Control
Patched in Version:
1.0.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.0.8.

Soledad

Theme:
Soledad
Theme Slug:
soledad
Vulnerability:
Local File Inclusion
Patched in Version:
8.6.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 8.6.0.

Sweet Date

Theme:
Sweet Date
Theme Slug:
sweetdate
Vulnerability:
Privilege Escalation
Patched in Version:
3.8.0
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.8.0.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!