WordPress Vulnerability Report — January 31, 2024
In this week's report, 53 vulnerabilities have been publicly disclosed. Security patches for 36 of these plugins and themes are available now, so run those updates as soon as possible. If you're a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.
Additionally, there are 17 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress Core
WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.
The next major release will be version 6.5, planned for March 26, 2024.
WordPress Plugins — 35 Patched / 17 Unpatched
aBitGone CommentSafe
- Plugin Slug: abitgone-commentsafe
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: High
- CVE: CVE-2023-7174
Add SVG Support for Media Uploader | inventivo
- Plugin Slug: add-svg-support-for-media-uploader-inventivo
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-7088
Advanced Schedule Posts
- Plugin Slug: advanced-schedule-posts
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: High
- CVE: CVE-2024-0249
Better Follow Button for Jetpack
- Plugin Slug: better-follow-button-for-jetpack
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-7168
enigma chart.js
- Plugin Slug: enigma-chartjs
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-6081
enigma chart.js
- Plugin Slug: enigma-chartjs
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-6082
(Simply) Guest Author Name
- Plugin Slug: guest-author-name
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2024-0254
lasTunes
- Plugin Slug: lastunes
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-6499
illi Link Party!
- Plugin Slug: link-party
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-7231
illi Link Party!
- Plugin Slug: link-party
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: High
- CVE: CVE-2023-7228
illi Link Party!
- Plugin Slug: link-party
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-7229
Mang Board WP
- Plugin Slug: mangboard
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2024-22306
Splashscreen
- Plugin Slug: splashscreen
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-6501
SVG Uploads Support
- Plugin Slug: svg-uploads-support
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-7086
Ultimate Noindex Nofollow Tool
- Plugin Slug: ultimate-noindex-nofollow-tool
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-7196
Marketing Twitter Bot
- Plugin Slug: wordpress-twitterbot
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: High
- CVE: CVE-2023-7197
WP-Reply Notify
- Plugin Slug: wp-reply-notify
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-7195
Better Search Replace
- Plugin Slug: better-search-replace
- Installations: 1,000,000+
- Vulnerability: PHP Object Injection
- Patched in Version: 1.4.5
- Severity Score: Critical
- CVE: CVE-2023-6933
File Manager
- Plugin Slug: wp-file-manager
- Installations: 1,000,000+
- Vulnerability: Sensitive Data Exposure
- Patched in Version: 7.2.2
- Severity Score: High
- CVE: CVE-2024-0761
WP Go Maps (formerly WP Google Maps)
- Plugin Slug: wp-google-maps
- Installations: 400,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 9.0.29
- Severity Score: High
- CVE: CVE-2023-6697
Migration, Backup, Staging – WPvivid
- Plugin Slug: wpvivid-backuprestore
- Installations: 400,000+
- Vulnerability: Broken Access Control
- Patched in Version: 0.9.95
- Severity Score: Medium
- CVE: CVE-2023-4637
Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
- Plugin Slug: formidable
- Installations: 300,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 6.8
- Severity Score: Medium
- CVE: CVE-2024-0660
Backuply – Backup, Restore, Migrate and Clone
- Plugin Slug: backuply
- Installations: 200,000+
- Vulnerability: Directory Traversal
- Patched in Version: 1.2.4
- Severity Score: Medium
- CVE: CVE-2024-0697
Photo Gallery by 10Web – Mobile-Friendly Image Gallery
- Plugin Slug: photo-gallery
- Installations: 200,000+
- Vulnerability: Directory Traversal
- Patched in Version: 1.8.20
- Severity Score: Critical
- CVE: CVE-2024-0221
AMP for WP – Accelerated Mobile Pages
- Plugin Slug: accelerated-mobile-pages
- Installations: 100,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.0.93
- Severity Score: High
- CVE: CVE-2024-0587
FileBird – WordPress Media Library Folders & File Manager
- Plugin Slug: filebird
- Installations: 100,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 5.6.1
- Severity Score: Medium
- CVE: CVE-2024-0691
Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
- Plugin Slug: instant-images
- Installations: 100,000+
- Vulnerability: Broken Access Control
- Patched in Version: 6.1.1
- Severity Score: High
- CVE: CVE-2024-0869
VK Block Patterns
- Plugin Slug: vk-block-patterns
- Installations: 80,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.31.2.0
- Severity Score: Medium
- CVE: CVE-2024-0623
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
- Plugin Slug: form-maker
- Installations: 60,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.15.22
- Severity Score: Medium
- CVE: CVE-2024-0667
WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
- Plugin Slug: wp-rss-aggregator
- Installations: 60,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 4.23.5
- Severity Score: Medium
- CVE: CVE-2024-0630
Exclusive Addons for Elementor
- Plugin Slug: exclusive-addons-for-elementor
- Installations: 50,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.6.9
- Severity Score: Medium
- CVE: CVE-2024-0823
Exclusive Addons for Elementor
- Plugin Slug: exclusive-addons-for-elementor
- Installations: 50,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.6.9
- Severity Score: Medium
- CVE: CVE-2024-0824
10Web AI Assistant – AI content writing assistant
- Plugin Slug: ai-assistant-by-10web
- Installations: 30,000+
- Vulnerability: Broken Access Control
- Patched in Version: 1.0.19
- Severity Score: Medium
- CVE: CVE-2023-6985
WP Dashboard Notes
- Plugin Slug: wp-dashboard-notes
- Installations: 30,000+
- Vulnerability: Broken Access Control
- Patched in Version: 1.0.11
- Severity Score: Medium
- CVE: CVE-2023-7239
Meks Smart Social Widget
- Plugin Slug: meks-smart-social-widget
- Installations: 20,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.6.4
- Severity Score: Medium
- CVE: CVE-2024-0664
PDF Poster – PDF Embedder Plugin for WordPress
- Plugin Slug: pdf-poster
- Installations: 20,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.1.18
- Severity Score: High
- CVE: CVE-2024-23508
WordPress Simple Shopping Cart
- Plugin Slug: wordpress-simple-paypal-shopping-cart
- Installations: 20,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 4.7.2
- Severity Score: Medium
- CVE: CVE-2023-6497
Cryptocurrency Widgets – Price Ticker & Coins List
- Plugin Slug: cryptocurrency-price-ticker-widget
- Installations: 10,000+
- Vulnerability: SQL Injection
- Patched in Version: 2.6.6
- Severity Score: Critical
- CVE: CVE-2024-0709
WP Customer Area
- Plugin Slug: customer-area
- Installations: 10,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 8.2.3
- Severity Score: High
- CVE: CVE-2024-0665
PDF Generator For Fluent Forms – The Contact Form Plugin
- Plugin Slug: fluentforms-pdf
- Installations: 10,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.1.8
- Severity Score: Medium
- CVE: CVE-2023-6953
Category Discount Woocommerce
- Plugin Slug: woo-product-category-discount
- Installations: 7,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 4.12
- Severity Score: Medium
- CVE: CVE-2024-0617
Category Discount Woocommerce
- Plugin Slug: woo-product-category-discount
- Installations: 7,000+
- Vulnerability: Broken Access Control
- Patched in Version: 4.13
- Severity Score: Medium
- CVE: CVE-2024-0617
Sticky Buttons – floating buttons builder
- Plugin Slug: sticky-buttons
- Installations: 6,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.2.3
- Severity Score: Medium
- CVE: CVE-2024-0703
Dragfy Addons for Elementor
- Plugin Slug: dragfy-addons-for-elementor
- Installations: 1,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 8.3.2
- Severity Score: Medium
- CVE: CVE-2024-0448
InstaWP Connect – 1-click WP Staging & Migration
- Plugin Slug: instawp-connect
- Installations: 1,000+
- Vulnerability: SQL Injection
- Patched in Version: 0.1.0.10
- Severity Score: High
- CVE: CVE-2024-23507
InstaWP Connect – 1-click WP Staging & Migration
- Plugin Slug: instawp-connect
- Installations: 1,000+
- Vulnerability: Sensitive Data Exposure
- Patched in Version: 0.1.0.10
- Severity Score: High
- CVE: CVE-2024-23506
Views for WPForms – Display & Edit WPForms Entries on your site frontend
- Plugin Slug: views-for-wpforms-lite
- Installations: 1,000+
- Vulnerability: Broken Access Control
- Patched in Version: 3.2.3
- Severity Score: Medium
- CVE: CVE-2024-0370
Allow SVG
coreActivity: Activity Logging plugin for WordPress
- Plugin Slug: coreactivity
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.8.1
- Severity Score: High
- CVE: CVE-2024-0852
MaxButtons
- Plugin Slug: maxbutton
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 9.7.7
- Severity Score: Medium
- CVE: CVE-2023-7029
File Manager Pro
- Plugin Slug: wp-file-manager-pro
- Vulnerability: Arbitrary File Upload
- Patched in Version: 8.3.5
- Severity Score: High
- CVE: CVE-2023-6846
WPForms Pro
- Plugin Slug: wpforms
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.8.5.4
- Severity Score: High
- CVE: CVE-2023-7063
WordPress Themes — 1 Patched / 0 Unpatched
ColorMag
Solid Security is part of Solid Suite — The best foundation for WordPress websites.
Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!