WordPress Vulnerability Report — February 14, 2024

Since last week, 146 new vulnerabilities emerged in the WordPress ecosystem, including 3 in themes and 143 in plugins. 28 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Feb 14, 2024

Filed Under:WordPress Vulnerability Report

Reading Time:28 min.

In this report, 146 vulnerabilities have been publicly disclosed. Security patches for 118 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 28 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the reasons why WordPress websites get hacked. (See our Annual Vulnerability Report for 2022.) Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 117 Patched / 26 Unpatched

2.1 Malware Scanner
2.2 Multi Step Form
2.3 Comments Like Dislike
2.4 PJ News Ticker
2.5 TinyMCE and TinyMCE Advanced Professsional Formats and Styles
2.6 WP Contact Form
2.7 Before After Image Slider WP
2.8 Content Cards
2.9 MyWaze
2.10 PB oEmbed HTML5 Audio – with Cache Support
2.11 Canto
2.12 Buttons Shortcode and Widget
2.13 Coupon Referral Program
2.14 GigPress
2.15 Honeypot for WP Comment
2.16 Honeypot for WP Comment
2.17 MoveTo
2.18 MoveTo
2.19 MoveTo
2.20 MoveTo
2.21 Payment Forms for Paystack
2.22 SMTP Mail
2.23 VK Poster Group
2.24 Pexels: Free Stock Photos
2.25 Basic Log Viewer
2.26 Easy Forms for Mailchimp
2.27 Elementor Website Builder – More than Just a Page Builder
2.28 Elementor Website Builder – More than Just a Page Builder
2.29 Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
2.30 Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
2.31 Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
2.32 Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
2.33 All-In-One Security (AIOS) – Security and Firewall
2.34 Broken Link Checker
2.35 Meta Box – WordPress Custom Fields Framework
2.36 WP Shortcodes Plugin — Shortcodes Ultimate
2.37 SiteOrigin Widgets Bundle
2.38 SiteOrigin Widgets Bundle
2.39 Admin Menu Editor
2.40 Royal Elementor Addons and Templates
2.41 Royal Elementor Addons and Templates
2.42 Royal Elementor Addons and Templates
2.43 Royal Elementor Addons and Templates
2.44 Backuply – Backup, Restore, Migrate and Clone
2.45 InfiniteWP Client
2.46 Popup Builder – Create highly converting, mobile friendly marketing popups.
2.47 AMP for WP – Accelerated Mobile Pages
2.48 Elementor Addon Elements
2.49 Advanced Database Cleaner
2.50 Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider)
2.51 Content Views – Post Grid, Slider, Accordion (Gutenberg Blocks and Shortcode)
2.52 Custom Twitter Feeds – A Tweets Widget or X Feed Widget
2.53 Insert PHP Code Snippet
2.54 Login Lockdown – Protect Login Form
2.55 Minimal Coming Soon – Coming Soon Page
2.56 PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
2.57 Defender Security – Malware Scanner, Login Security & Firewall
2.58 Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
2.59 Matomo Analytics – Ethical Stats. Powerful Insights.
2.60 Elementor Addons by Livemesh
2.61 Elementor Addons by Livemesh
2.62 WP Booking Calendar
2.63 Customer Reviews for WooCommerce
2.64 Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline)
2.65 RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
2.66 AI Engine
2.67 Bold Page Builder
2.68 Bold Page Builder
2.69 Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy)
2.70 RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
2.71 RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
2.72 RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
2.73 Internal Link Juicer: SEO Auto Linker for WordPress
2.74 MapPress Maps for WordPress
2.75 MapPress Maps for WordPress
2.76 Shariff Wrapper
2.77 Booster for WooCommerce
2.78 WP Recipe Maker
2.79 Shield Security – Smart Bot Blocking & Intrusion Prevention Security
2.80 Starbox – the Author Box for Humans
2.81 Starbox – the Author Box for Humans
2.82 WP 404 Auto Redirect to Similar Post
2.83 WP Editor
2.84 Apollo13 Framework Extensions
2.85 Gutenberg Block Editor Toolkit – EditorsKit
2.86 PPWP – Password Protect Pages
2.87 All 404 Pages Redirect to Homepage
2.88 Maspik – Spam Blacklist
2.89 Quiz Maker
2.90 Quiz Maker
2.91 NextMove Lite – Thank You Page for WooCommerce
2.92 Awesome Support – WordPress HelpDesk & Support Plugin
2.93 Passster – Password Protect Pages and Content
2.94 Directorist – WordPress Business Directory Plugin with Classified Ads Listings
2.95 Link Library
2.96 Link Library
2.97 NEX-Forms – Ultimate Form Builder – Contact forms and much more
2.98 Smart Manager – WooCommerce Bulk Edit Products, Orders, Coupons, Any WordPress Post Type (Advanced)
2.99 Wonder Slider Lite
2.100 Woocommerce Vietnam Checkout
2.101 Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
2.102 Product Labels For Woocommerce (Sale Badges)
2.103 Analytics Insights – Google Analytics Dashboard for WordPress
2.104 WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
2.105 Themify Builder
2.106 Podlove Podcast Publisher
2.107 Podlove Podcast Publisher
2.108 Contact Form 7 Connector
2.109 Advanced Forms for ACF
2.110 Paytium: Mollie payment forms & donations
2.111 Podlove Subscribe button
2.112 SKT Page Builder
2.113 Doofinder WP & WooCommerce Search
2.114 EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin (easy docs, knowledgebase)
2.115 ImageRecycle pdf & image compression
2.116 ImageRecycle pdf & image compression
2.117 ImageRecycle pdf & image compression
2.118 ImageRecycle pdf & image compression
2.119 ImageRecycle pdf & image compression
2.120 ImageRecycle pdf & image compression
2.121 ImageRecycle pdf & image compression
2.122 ImageRecycle pdf & image compression
2.123 ImageRecycle pdf & image compression
2.124 ImageRecycle pdf & image compression
2.125 Simple Page Access Restriction
2.126 Anonymous Restricted Content
2.127 Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress
2.128 Polls CP
2.129 Polls CP
2.130 GD Rating System
2.131 Frontend File Manager Plugin
2.132 TNC PDF viewer
2.133 Sunshine Photo Cart: Free Client Galleries for Photographers
2.134 WP Club Manager – WordPress Sports Club Plugin
2.135 Ultimate Reviews
2.136 Portugal CTT Tracking for WooCommerce
2.137 Web3 – Crypto wallet Login & NFT token gating
2.138 LearnDash LMS
2.139 LearnDash LMS
2.140 LearnDash LMS
2.141 WP Media folder
2.142 WP Media folder
2.143 WP Media folder

3. WordPress Themes — 1 Patched / 2 Unpatched

3.1 Brooklyn
3.2 Brooklyn
3.3 Blocksy

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.

The next major release will be version 6.5, planned for March 26, 2024.

WordPress Plugins — 117 Patched / 26 Unpatched

Plugin:: Malware Scanner
Plugin Slug:: miniorange-malware-protection
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-25902

Plugin:: Multi Step Form
Plugin Slug:: multi-step-form
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25905

Plugin:: Comments Like Dislike
Plugin Slug:: comments-like-dislike
Installations: 9,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25906

Plugin:: PJ News Ticker
Plugin Slug:: pj-news-ticker
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25094

Plugin:: TinyMCE and TinyMCE Advanced Professsional Formats and Styles
Plugin Slug:: tinymce-and-tinymce-advanced-professsional-formats-and-styles
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25904

Plugin:: WP Contact Form
Plugin Slug:: wp-contact-form
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-24929

Plugin:: Before After Image Slider WP
Plugin Slug:: before-after-image-slider
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-24931

Plugin:: Content Cards
Plugin Slug:: content-cards
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-24928

Plugin:: MyWaze
Plugin Slug:: my-waze
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25594

Plugin:: PB oEmbed HTML5 Audio – with Cache Support
Plugin Slug:: pb-oembed-html5-audio-with-cache-support
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25098

Plugin:: Canto
Plugin Slug:: canto
Installations: 100+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-25096

Plugin:: Buttons Shortcode and Widget
Plugin Slug:: buttons-shortcode-and-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-24930

Plugin:: Coupon Referral Program
Plugin Slug:: coupon-referral-program
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-25100

Plugin:: GigPress
Plugin Slug:: gigpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-7233

Plugin:: Honeypot for WP Comment
Plugin Slug:: honeypot-for-wp-comment
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-24933

Plugin:: Honeypot for WP Comment
Plugin Slug:: honeypot-for-wp-comment
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1350

Plugin:: MoveTo
Plugin Slug:: moveto
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-25913

Plugin:: MoveTo
Plugin Slug:: moveto
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-25912

Plugin:: MoveTo
Plugin Slug:: moveto
Vulnerability:: Denial of Service Attack
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-25911

Plugin:: MoveTo
Plugin Slug:: moveto
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-25910

Plugin:: Payment Forms for Paystack
Plugin Slug:: payment-forms-for-paystack
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5665

Plugin:: SMTP Mail
Plugin Slug:: smtp-mail
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25914

Plugin:: VK Poster Group
Plugin Slug:: vk-poster-group
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-24932

Plugin:: Pexels: Free Stock Photos
Plugin Slug:: wp-pexels-free-stock-photos
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-25915

Plugin:: Basic Log Viewer
Plugin Slug:: wpsimpletools-log-viewer
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-24935

Plugin:: Easy Forms for Mailchimp
Plugin Slug:: yikes-inc-easy-mailchimp-extender
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-25095

Plugin:: Elementor Website Builder – More than Just a Page Builder
Plugin Slug:: elementor
Installations: 5,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.19.0
Severity Score:: Medium
CVE:: 2024-0506

Plugin:: Elementor Website Builder – More than Just a Page Builder
Plugin Slug:: elementor
Installations: 5,000,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.19.1
Severity Score:: High
CVE:: 2024-24934

Plugin:: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.9
Severity Score:: Medium
CVE:: 2024-1171

Plugin:: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.9
Severity Score:: Medium
CVE:: 2024-1172

Plugin:: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.9
Severity Score:: Medium
CVE:: 2024-1276

Plugin:: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.9
Severity Score:: Medium
CVE:: 2024-1236

Plugin:: All-In-One Security (AIOS) – Security and Firewall
Plugin Slug:: all-in-one-wp-security-and-firewall
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.2.6
Severity Score:: High
CVE:: 2024-1037

Plugin:: Broken Link Checker
Plugin Slug:: broken-link-checker
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.4
Severity Score:: Medium
CVE:: 2024-25592

Plugin:: Meta Box – WordPress Custom Fields Framework
Plugin Slug:: meta-box
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.3
Severity Score:: Medium
CVE:: 2023-6526

Plugin:: WP Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.0.2
Severity Score:: Medium
CVE:: 2024-0792

Plugin:: SiteOrigin Widgets Bundle
Plugin Slug:: so-widgets-bundle
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.58.3
Severity Score:: Medium
CVE:: 2024-1070

Plugin:: SiteOrigin Widgets Bundle
Plugin Slug:: so-widgets-bundle
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.58.4
Severity Score:: Medium
CVE:: 2024-1058

Plugin:: Admin Menu Editor
Plugin Slug:: admin-menu-editor
Installations: 400,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.12.1
Severity Score:: Medium
CVE:: 2024-24876

Plugin:: Royal Elementor Addons and Templates
Plugin Slug:: royal-elementor-addons
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.88
Severity Score:: Medium
CVE:: 2024-0442

Plugin:: Royal Elementor Addons and Templates
Plugin Slug:: royal-elementor-addons
Installations: 300,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.88
Severity Score:: Medium
CVE:: 2024-0512

Plugin:: Royal Elementor Addons and Templates
Plugin Slug:: royal-elementor-addons
Installations: 300,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.88
Severity Score:: Medium
CVE:: 2024-0511

Plugin:: Royal Elementor Addons and Templates
Plugin Slug:: royal-elementor-addons
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.81
Severity Score:: Medium
CVE:: 2023-5922

Plugin:: Backuply – Backup, Restore, Migrate and Clone
Plugin Slug:: backuply
Installations: 200,000+
Vulnerability:: Denial of Service Attack
Patched in Version:: 1.2.6
Severity Score:: High
CVE:: 2024-0842

Plugin:: InfiniteWP Client
Plugin Slug:: iwp-client
Installations: 200,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.12.3.1
Severity Score:: Medium
CVE:: 2023-6565

Plugin:: Popup Builder – Create highly converting, mobile friendly marketing popups.
Plugin Slug:: popup-builder
Installations: 200,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 4.2.6
Severity Score:: Medium
CVE:: 2023-6294

Plugin:: AMP for WP – Accelerated Mobile Pages
Plugin Slug:: accelerated-mobile-pages
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.93.2
Severity Score:: Medium
CVE:: 2024-1043

Plugin:: Elementor Addon Elements
Plugin Slug:: addon-elements-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.12.12
Severity Score:: Medium
CVE:: 2024-0834

Plugin:: Advanced Database Cleaner
Plugin Slug:: advanced-database-cleaner
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.1.4
Severity Score:: Medium
CVE:: 2024-0668

Plugin:: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider)
Plugin Slug:: bdthemes-prime-slider-lite
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.11.11
Severity Score:: Medium
CVE:: 2024-24883

Plugin:: Content Views – Post Grid, Slider, Accordion (Gutenberg Blocks and Shortcode)
Plugin Slug:: content-views-query-and-display-post-page
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.3
Severity Score:: Medium
CVE:: 2024-0612

Plugin:: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Plugin Slug:: custom-twitter-feeds
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2024-0379

Plugin:: Insert PHP Code Snippet
Plugin Slug:: insert-php-code-snippet
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.5
Severity Score:: Medium
CVE:: 2024-0658

Plugin:: Login Lockdown – Protect Login Form
Plugin Slug:: login-lockdown
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.09
Severity Score:: Medium
CVE:: 2024-1340

Plugin:: Minimal Coming Soon – Coming Soon Page
Plugin Slug:: minimal-coming-soon-maintenance-mode
Installations: 100,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.38
Severity Score:: Low
CVE:: 2024-1075

Plugin:: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
Plugin Slug:: powerpack-lite-for-elementor
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.15
Severity Score:: Medium
CVE:: 2024-1055

Plugin:: Defender Security – Malware Scanner, Login Security & Firewall
Plugin Slug:: defender-security
Installations: 90,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 4.4.2
Severity Score:: Medium
CVE:: 2024-25595

Plugin:: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Plugin Slug:: paid-memberships-pro
Installations: 90,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.12.9
Severity Score:: Medium

Plugin:: Matomo Analytics – Ethical Stats. Powerful Insights.
Plugin Slug:: matomo
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.1
Severity Score:: High
CVE:: 2023-6923

Plugin:: Elementor Addons by Livemesh
Plugin Slug:: addons-for-elementor
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.3.1
Severity Score:: Medium
CVE:: 2024-25598

Plugin:: Elementor Addons by Livemesh
Plugin Slug:: addons-for-elementor
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.3.3
Severity Score:: Medium
CVE:: 2024-1235

Plugin:: WP Booking Calendar
Plugin Slug:: booking
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.9.1
Severity Score:: Critical
CVE:: 2024-1207

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.39.0
Severity Score:: Medium
CVE:: 2024-1044

Plugin:: Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline)
Plugin Slug:: timeline-widget-addon-for-elementor
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.4
Severity Score:: Medium
CVE:: 2024-0977

Plugin:: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
Plugin Slug:: wp-rss-aggregator
Installations: 60,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 4.23.6
Severity Score:: Low
CVE:: 2024-0628

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 50,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.1.5
Severity Score:: Medium
CVE:: 2024-0699

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.1
Severity Score:: Medium
CVE:: 2024-1160

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.1
Severity Score:: Medium
CVE:: 2024-1157

Plugin:: Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy)
Plugin Slug:: easy-digital-downloads
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.7
Severity Score:: Medium
CVE:: 2024-0659

Plugin:: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Plugin Slug:: feedzy-rss-feeds
Installations: 50,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.4.3
Severity Score:: High
CVE:: 2024-1317

Plugin:: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Plugin Slug:: feedzy-rss-feeds
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4.3
Severity Score:: Medium
CVE:: 2024-1318

Plugin:: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Plugin Slug:: feedzy-rss-feeds
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4.2
Severity Score:: Medium
CVE:: 2024-1092

Plugin:: Internal Link Juicer: SEO Auto Linker for WordPress
Plugin Slug:: internal-links
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.23.5
Severity Score:: Medium
CVE:: 2024-0657

Plugin:: MapPress Maps for WordPress
Plugin Slug:: mappress-google-maps-for-wordpress
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.88.16
Severity Score:: Medium
CVE:: 2024-0421

Plugin:: MapPress Maps for WordPress
Plugin Slug:: mappress-google-maps-for-wordpress
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.88.15
Severity Score:: Medium
CVE:: 2024-0420

Plugin:: Shariff Wrapper
Plugin Slug:: shariff
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.6.10
Severity Score:: Medium
CVE:: 2024-1106

Plugin:: Booster for WooCommerce
Plugin Slug:: woocommerce-jetpack
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.1.7
Severity Score:: Medium
CVE:: 2024-1054

Plugin:: WP Recipe Maker
Plugin Slug:: wp-recipe-maker
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 9.2.0
Severity Score:: High
CVE:: 2024-1206

Plugin:: Shield Security – Smart Bot Blocking & Intrusion Prevention Security
Plugin Slug:: wp-simple-firewall
Installations: 50,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 18.5.10
Severity Score:: High
CVE:: 2023-6989

Plugin:: Starbox – the Author Box for Humans
Plugin Slug:: starbox
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.0
Severity Score:: Medium
CVE:: 2024-0256

Plugin:: Starbox – the Author Box for Humans
Plugin Slug:: starbox
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.0
Severity Score:: Medium
CVE:: 2023-6806

Plugin:: WP 404 Auto Redirect to Similar Post
Plugin Slug:: wp-404-auto-redirect-to-similar-post
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.4
Severity Score:: High
CVE:: 2024-0509

Plugin:: WP Editor
Plugin Slug:: wp-editor
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2024-25591

Plugin:: Apollo13 Framework Extensions
Plugin Slug:: apollo13-framework-extensions
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.3
Severity Score:: Medium
CVE:: 2024-24880

Plugin:: Gutenberg Block Editor Toolkit – EditorsKit
Plugin Slug:: block-options
Installations: 30,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.40.4
Severity Score:: High
CVE:: 2023-6635

Plugin:: PPWP – Password Protect Pages
Plugin Slug:: password-protect-page
Installations: 30,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.9.0
Severity Score:: Medium
CVE:: 2024-0620

Plugin:: All 404 Pages Redirect to Homepage
Plugin Slug:: all-404-pages-redirect-to-homepage
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0
Severity Score:: Medium
CVE:: 2024-24889

Plugin:: Maspik – Spam Blacklist
Plugin Slug:: contact-forms-anti-spam
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.10.7
Severity Score:: Medium
CVE:: 2024-25101

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.5.2.5
Severity Score:: Medium
CVE:: 2024-1078

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.5.2.5
Severity Score:: Medium
CVE:: 2024-1079

Plugin:: NextMove Lite – Thank You Page for WooCommerce
Plugin Slug:: woo-thank-you-page-nextmove-lite
Installations: 20,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.18.0
Severity Score:: High
CVE:: 2024-25092

Plugin:: Awesome Support – WordPress HelpDesk & Support Plugin
Plugin Slug:: awesome-support
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 6.1.8
Severity Score:: High
CVE:: 2024-0594

Plugin:: Passster – Password Protect Pages and Content
Plugin Slug:: content-protector
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.6.3
Severity Score:: Medium
CVE:: 2024-0616

Plugin:: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Plugin Slug:: directorist
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.8.5
Severity Score:: Medium
CVE:: 2024-1322

Plugin:: Link Library
Plugin Slug:: link-library
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.6
Severity Score:: High
CVE:: 2024-24879

Plugin:: Link Library
Plugin Slug:: link-library
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 7.6
Severity Score:: Medium
CVE:: 2024-24875

Plugin:: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5.6
Severity Score:: Medium
CVE:: 2024-25593

Plugin:: Smart Manager – WooCommerce Bulk Edit Products, Orders, Coupons, Any WordPress Post Type (Advanced)
Plugin Slug:: smart-manager-for-wp-e-commerce
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 8.28.0
Severity Score:: High
CVE:: 2024-0566

Plugin:: Wonder Slider Lite
Plugin Slug:: wonderplugin-slider-lite
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.0
Severity Score:: High
CVE:: 2024-24877

Plugin:: Woocommerce Vietnam Checkout
Plugin Slug:: woo-vietnam-checkout
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.8
Severity Score:: Medium
CVE:: 2024-24885

Plugin:: Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.51
Severity Score:: Medium
CVE:: 2024-1122

Plugin:: Product Labels For Woocommerce (Sale Badges)
Plugin Slug:: aco-product-labels-for-woocommerce
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.4
Severity Score:: Medium
CVE:: 2024-24886

Plugin:: Analytics Insights – Google Analytics Dashboard for WordPress
Plugin Slug:: analytics-insights
Installations: 9,000+
Vulnerability:: Open Redirection
Patched in Version:: 6.3
Severity Score:: Medium
CVE:: 2024-0250

Plugin:: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
Plugin Slug:: wp-sms
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.5.3
Severity Score:: High
CVE:: 2024-24881

Plugin:: Themify Builder
Plugin Slug:: themify-builder
Installations: 7,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 7.0.6
Severity Score:: Medium
CVE:: 2024-24872

Plugin:: Podlove Podcast Publisher
Plugin Slug:: podlove-podcasting-plugin-for-wordpress
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.12
Severity Score:: Medium
CVE:: 2024-1109

Plugin:: Podlove Podcast Publisher
Plugin Slug:: podlove-podcasting-plugin-for-wordpress
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.12
Severity Score:: Medium
CVE:: 2024-1110

Plugin:: Contact Form 7 Connector
Plugin Slug:: ari-cf7-connector
Installations: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.3
Severity Score:: Medium
CVE:: 2024-24884

Plugin:: Advanced Forms for ACF
Plugin Slug:: advanced-forms
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.3.3
Severity Score:: Medium
CVE:: 2024-1121

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.3
Severity Score:: Medium
CVE:: 2024-25099

Plugin:: Podlove Subscribe button
Plugin Slug:: podlove-subscribe-button
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.3.11
Severity Score:: High
CVE:: 2024-1118

Plugin:: SKT Page Builder
Plugin Slug:: skt-builder
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2
Severity Score:: Medium
CVE:: 2024-1337

Plugin:: Doofinder WP & WooCommerce Search
Plugin Slug:: doofinder-for-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.9
Severity Score:: Medium
CVE:: 2024-25596

Plugin:: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin (easy docs, knowledgebase)
Plugin Slug:: eazydocs
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.0
Severity Score:: Medium
CVE:: 2024-0248

Plugin:: ImageRecycle pdf & image compression
Plugin Slug:: imagerecycle-pdf-image-compression
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.14
Severity Score:: Medium
CVE:: 2024-1089

Plugin:: ImageRecycle pdf & image compression
Plugin Slug:: imagerecycle-pdf-image-compression
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1.14
Severity Score:: Medium
CVE:: 2024-1339

Plugin:: ImageRecycle pdf & image compression
Plugin Slug:: imagerecycle-pdf-image-compression
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.14
Severity Score:: Medium
CVE:: 2024-1091

Plugin:: ImageRecycle pdf & image compression
Plugin Slug:: imagerecycle-pdf-image-compression
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1.14
Severity Score:: Medium
CVE:: 2024-1338

Plugin:: ImageRecycle pdf & image compression
Plugin Slug:: imagerecycle-pdf-image-compression
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.14
Severity Score:: Medium
CVE:: 2024-1090

Plugin:: ImageRecycle pdf & image compression
Plugin Slug:: imagerecycle-pdf-image-compression
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1.14
Severity Score:: Medium
CVE:: 2024-1336

Plugin:: ImageRecycle pdf & image compression
Plugin Slug:: imagerecycle-pdf-image-compression
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.14
Severity Score:: Medium
CVE:: 2024-0984

Plugin:: ImageRecycle pdf & image compression
Plugin Slug:: imagerecycle-pdf-image-compression
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1.14
Severity Score:: Medium
CVE:: 2024-1335

Plugin:: ImageRecycle pdf & image compression
Plugin Slug:: imagerecycle-pdf-image-compression
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1.14
Severity Score:: Medium
CVE:: 2024-1334

Plugin:: ImageRecycle pdf & image compression
Plugin Slug:: imagerecycle-pdf-image-compression
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.14
Severity Score:: Medium
CVE:: 2024-0983

Plugin:: Simple Page Access Restriction
Plugin Slug:: simple-page-access-restriction
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.23
Severity Score:: Medium
CVE:: 2024-0965

Plugin:: Anonymous Restricted Content
Plugin Slug:: anonymous-restricted-content
Installations: 1,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.6.3
Severity Score:: Medium
CVE:: 2024-0909

Plugin:: Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 21.2.9
Severity Score:: Medium
CVE:: 2024-24887

Plugin:: Polls CP
Plugin Slug:: cp-polls
Installations: 1,000+
Vulnerability:: Content Injection
Patched in Version:: 1.0.72
Severity Score:: Medium
CVE:: 2024-24874

Plugin:: Polls CP
Plugin Slug:: cp-polls
Installations: 1,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.0.72
Severity Score:: Medium
CVE:: 2024-24873

Plugin:: GD Rating System
Plugin Slug:: gd-rating-system
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.1
Severity Score:: High
CVE:: 2024-25093

Plugin:: Frontend File Manager Plugin
Plugin Slug:: nmedia-user-file-uploader
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 22.8
Severity Score:: Medium
CVE:: 2024-25903

Plugin:: TNC PDF viewer
Plugin Slug:: pdf-viewer-by-themencode
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.0
Severity Score:: Medium
CVE:: 2024-25097

Plugin:: Sunshine Photo Cart: Free Client Galleries for Photographers
Plugin Slug:: sunshine-photo-cart
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.1
Severity Score:: Medium
CVE:: 2024-1294

Plugin:: WP Club Manager – WordPress Sports Club Plugin
Plugin Slug:: wp-club-manager
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.11
Severity Score:: Medium
CVE:: 2024-1177

Plugin:: Ultimate Reviews
Plugin Slug:: ultimate-reviews
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.9
Severity Score:: High
CVE:: 2024-25597

Plugin:: Portugal CTT Tracking for WooCommerce
Plugin Slug:: portugal-ctt-tracking-woocommerce
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2024-24878

Plugin:: Web3 – Crypto wallet Login & NFT token gating
Plugin Slug:: web3-authentication
Installations: 200+
Vulnerability:: Broken Authentication
Patched in Version:: 3.0.0
Severity Score:: Critical
CVE:: 2023-6036

Plugin:: LearnDash LMS
Plugin Slug:: sfwd-lms
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.10.3
Severity Score:: Medium
CVE:: 2024-1208

Plugin:: LearnDash LMS
Plugin Slug:: sfwd-lms
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.10.2
Severity Score:: Medium
CVE:: 2024-1210

Plugin:: LearnDash LMS
Plugin Slug:: sfwd-lms
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.10.2
Severity Score:: Medium
CVE:: 2024-1209

Plugin:: WP Media folder
Plugin Slug:: wp-media-folder
Vulnerability:: Arbitrary File Upload
Patched in Version:: 5.7.3
Severity Score:: Critical
CVE:: 2024-25909

Plugin:: WP Media folder
Plugin Slug:: wp-media-folder
Vulnerability:: Settings Change
Patched in Version:: 5.7.3
Severity Score:: Medium
CVE:: 2024-25908

Plugin:: WP Media folder
Plugin Slug:: wp-media-folder
Vulnerability:: Settings Change
Patched in Version:: 5.7.3
Severity Score:: Medium
CVE:: 2024-25907

WordPress Themes — 1 Patched / 2 Unpatched

Theme:: Brooklyn
Theme Slug:: brooklyn
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-24927

Theme:: Brooklyn
Theme Slug:: brooklyn
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-24926

Theme:: Blocksy
Theme Slug:: blocksy
Downloads: 2,812,211
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.20
Severity Score:: Medium
CVE:: 2024-24871

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 117 Patched / 26 Unpatched