WordPress Vulnerability Report — July 24, 2024

Since last week, 93 new vulnerabilities emerged in the WordPress ecosystem including 87 plugins and 6 themes. 21 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah

Published:Jul 24, 2024

Filed Under:WordPress Vulnerability Report

Reading Time:18 min.

In this report, 93 vulnerabilities have been publicly disclosed. Security patches for 72 of these plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 21 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 72 Patched / 15 Unpatched

2.1 Timetable and Event Schedule by MotoPress
2.2 Smartsupp – live chat, chatbots, AI and lead generation
2.3 Pretty Simple Popup Builder
2.4 Booking Ultra Pro
2.5 Easy Testimonials
2.6 Keydatas
2.7 Light Poll
2.8 ListingPro
2.9 ListingPro
2.10 ListingPro
2.11 ListingPro
2.12 RegLevel
2.13 SVG Support
2.14 Telegram Bot & Channel
2.15 Timeline Event History
2.16 WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin
2.17 ElementsKit Elementor addons
2.18 Redux Framework
2.19 Security Optimizer – The All-In-One Protection Plugin
2.20 WPS Hide Login
2.21 Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
2.22 Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
2.23 Conditional Fields for Contact Form 7
2.24 GiveWP – Donation Plugin and Fundraising Platform
2.25 Schema & Structured Data for WP & AMP
2.26 CTX Feed – WooCommerce Product Feed Manager Plugin
2.27 Mercado Pago payments for WooCommerce
2.28 HUSKY – Products Filter Professional for WooCommerce
2.29 Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce
2.30 Brizy – Page Builder
2.31 Brizy – Page Builder
2.32 AI Engine
2.33 Premium Portfolio Features for Phlox theme
2.34 Getwid – Gutenberg Blocks
2.35 Image Hover Effects – Elementor Addon
2.36 RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
2.37 Gutenverse – Gutenberg Blocks – Page Builder for Site Editor
2.38 FV Flowplayer Video Player
2.39 Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
2.40 WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
2.41 WordPress File Upload
2.42 Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress
2.43 Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress
2.44 BSK PDF Manager
2.45 CM Popup Plugin for WordPress – Popup Maker
2.46 Language Translate Widget for WP – ConveyThis
2.47 JetWidgets for Elementor and WooCommerce
2.48 Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)
2.49 MasterStudy LMS WordPress Plugin – for Online Courses and Education
2.50 UiPress lite | Effortless custom dashboards, admin themes and pages
2.51 Event Manager, Events Calendar, Tickets, Registrations – Eventin
2.52 SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher
2.53 Backup, Restore and Migrate WordPress Sites With the XCloner Plugin
2.54 Arconix FAQ
2.55 HTML Forms – Simple WordPress Forms Plugin
2.56 YITH Essential Kit for WooCommerce #1
2.57 Arconix Shortcodes
2.58 AI ChatBot for WordPress – WPBot
2.59 WP QuickLaTeX
2.60 Livemesh Addons for Beaver Builder
2.61 Cooked – Recipe Management
2.62 Cooked – Recipe Management
2.63 AForms — Form Builder for Price Calculator & Cost Estimation
2.64 Insert or Embed Articulate Content into WordPress
2.65 Addonify – Quick View For WooCommerce
2.66 Visual Website Collaboration, Feedback & Project Management – Atarim
2.67 Glossary
2.68 The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)
2.69 Web and WooCommerce Addons for WPBakery Builder
2.70 Great Restaurant Menu WP
2.71 Duplica – Duplicate Posts, Pages, Custom Posts or Users
2.72 WP Fast Total Search – The Power of Indexed Search
2.73 MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons & 100 Styles
2.74 Custom Query Blocks
2.75 Filter & Grids
2.76 FormLift for Infusionsoft Web Forms
2.77 ArtPlacer Widget
2.78 ArtPlacer Widget
2.79 Bug Library
2.80 Community Events
2.81 PZ Frontend Manager
2.82 Ultimate Addons for WPBakery Page Builder
2.83 WP eStore
2.84 WP eStore
2.85 CopySafe Web Protection
2.86 WP GoToWebinar
2.87 WPForms User Registration

3. WordPress Themes — 0 Patched / 6 Unpatched

3.1 CoziPress
3.2 Himalayas
3.3 ListingPro
3.4 ListingPro
3.5 ListingPro
3.6 Zenon Lite

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.6.1 is now available! This minor release features 7 bug fixes in Core and 9 bug fixes for the Block Editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement.

WordPress Plugins — 72 Patched / 15 Unpatched

Plugin:: Timetable and Event Schedule by MotoPress
Plugin Slug:: mp-timetable
Installations: 30,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-39630

Plugin:: Smartsupp – live chat, chatbots, AI and lead generation
Plugin Slug:: smartsupp-live-chat
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-38790

Plugin:: Pretty Simple Popup Builder
Plugin Slug:: pretty-simple-popup-builder
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-39626

Plugin:: Booking Ultra Pro
Plugin Slug:: booking-ultra-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6175

Plugin:: Easy Testimonials
Plugin Slug:: easy-testimonials
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-2337

Plugin:: Keydatas
Plugin Slug:: keydatas
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-6220

Plugin:: Light Poll
Plugin Slug:: light-poll
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6720

Plugin:: ListingPro
Plugin Slug:: listingpro-plugin
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-39621

Plugin:: ListingPro
Plugin Slug:: listingpro-plugin
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-39620

Plugin:: ListingPro
Plugin Slug:: listingpro-plugin
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-39619

Plugin:: ListingPro
Plugin Slug:: listingpro-plugin
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-38795

Plugin:: RegLevel
Plugin Slug:: reglevel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-6705

Plugin:: SVG Support
Plugin Slug:: svg-support
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6708

Plugin:: Telegram Bot & Channel
Plugin Slug:: telegram-bot
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-38789

Plugin:: Timeline Event History
Plugin Slug:: timeline-event-history
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-5726

Plugin:: WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin
Plugin Slug:: wp-mail-smtp
Installations: 3,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.1.0
Severity Score:: Low
CVE:: 2024-6694

Plugin:: ElementsKit Elementor addons
Plugin Slug:: elementskit-lite
Installations: 1,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.2.1
Severity Score:: Medium
CVE:: 2024-6455

Plugin:: Redux Framework
Plugin Slug:: redux-framework
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.18
Severity Score:: High
CVE:: 2024-6828

Plugin:: Security Optimizer – The All-In-One Protection Plugin
Plugin Slug:: sg-security
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.1
Severity Score:: Medium
CVE:: 2024-38774

Plugin:: WPS Hide Login
Plugin Slug:: wps-hide-login
Installations: 1,000,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.9.16.4
Severity Score:: Medium
CVE:: 2024-6289

Plugin:: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.59.4
Severity Score:: Medium
CVE:: 2024-39627

Plugin:: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.6
Severity Score:: Medium
CVE:: 2024-5555

Plugin:: Conditional Fields for Contact Form 7
Plugin Slug:: cf7-conditional-fields
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.14
Severity Score:: Medium
CVE:: 2024-5804

Plugin:: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.14.0
Severity Score:: Medium
CVE:: 2024-5977

Plugin:: Schema & Structured Data for WP & AMP
Plugin Slug:: schema-and-structured-data-for-wp
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.34.1
Severity Score:: Medium
CVE:: 2024-5582

Plugin:: CTX Feed – WooCommerce Product Feed Manager Plugin
Plugin Slug:: webappick-product-feed-for-woocommerce
Installations: 100,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 6.5.7
Severity Score:: High
CVE:: 2024-38775

Plugin:: Mercado Pago payments for WooCommerce
Plugin Slug:: woocommerce-mercadopago
Installations: 100,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 7.6.2
Severity Score:: Medium
CVE:: 2024-3934

Plugin:: HUSKY – Products Filter Professional for WooCommerce
Plugin Slug:: woocommerce-products-filter
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.3.6.1
Severity Score:: Critical
CVE:: 2024-6457

Plugin:: Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce
Plugin Slug:: email-subscribers
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.7.27
Severity Score:: Medium
CVE:: 2024-5703

Plugin:: Brizy – Page Builder
Plugin Slug:: brizy
Installations: 80,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.4.45
Severity Score:: Critical
CVE:: 2024-3242

Plugin:: Brizy – Page Builder
Plugin Slug:: brizy
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.45
Severity Score:: High
CVE:: 2024-1937

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 70,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.4.8
Severity Score:: Medium
CVE:: 2024-38791

Plugin:: Premium Portfolio Features for Phlox theme
Plugin Slug:: auxin-portfolio
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.3
Severity Score:: Medium
CVE:: 2024-3587

Plugin:: Getwid – Gutenberg Blocks
Plugin Slug:: getwid
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.11
Severity Score:: Medium
CVE:: 2024-6491

Plugin:: Image Hover Effects – Elementor Addon
Plugin Slug:: image-hover-effects-addon-for-elementor
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.4
Severity Score:: Medium
CVE:: 2024-4780

Plugin:: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
Plugin Slug:: wp-rss-aggregator
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.23.12
Severity Score:: Medium
CVE:: 2024-6621

Plugin:: Gutenverse – Gutenberg Blocks – Page Builder for Site Editor
Plugin Slug:: gutenverse
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.3
Severity Score:: Medium
CVE:: 2024-38785

Plugin:: FV Flowplayer Video Player
Plugin Slug:: fv-wordpress-flowplayer
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 7.5.47.7212
Severity Score:: High
CVE:: 2024-6338

Plugin:: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Plugin Slug:: icegram
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.25
Severity Score:: Medium
CVE:: 2024-39625

Plugin:: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
Plugin Slug:: wp-event-manager
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.44
Severity Score:: Medium
CVE:: 2024-2691

Plugin:: WordPress File Upload
Plugin Slug:: wp-file-upload
Installations: 20,000+
Vulnerability:: Directory Traversal
Patched in Version:: 4.24.8
Severity Score:: Medium
CVE:: 2024-5852

Plugin:: Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress
Plugin Slug:: bookingpress-appointment-booking
Installations: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.6
Severity Score:: Critical
CVE:: 2024-6660

Plugin:: Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress
Plugin Slug:: bookingpress-appointment-booking
Installations: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.6
Severity Score:: High
CVE:: 2024-6467

Plugin:: BSK PDF Manager
Plugin Slug:: bsk-pdf-manager
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.1
Severity Score:: Medium
CVE:: 2024-38767

Plugin:: CM Popup Plugin for WordPress – Popup Maker
Plugin Slug:: cm-pop-up-banners
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.6
Severity Score:: Medium
CVE:: 2024-5004

Plugin:: Language Translate Widget for WP – ConveyThis
Plugin Slug:: conveythis-translate
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 235
Severity Score:: Medium
CVE:: 2024-38792

Plugin:: JetWidgets for Elementor and WooCommerce
Plugin Slug:: jetwoo-widgets-for-elementor
Installations: 10,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.8
Severity Score:: Medium
CVE:: 2024-38772

Plugin:: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)
Plugin Slug:: leaflet-maps-marker
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.12.10
Severity Score:: Medium
CVE:: 2024-38782

Plugin:: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.3.24
Severity Score:: High
CVE:: 2024-5973

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.4.07
Severity Score:: High
CVE:: 2024-38788

Plugin:: Event Manager, Events Calendar, Tickets, Registrations – Eventin
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.5
Severity Score:: Medium
CVE:: 2024-6033

Plugin:: SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher
Plugin Slug:: wp-scheduled-posts
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.1.4
Severity Score:: Medium
CVE:: 2024-6557

Plugin:: Backup, Restore and Migrate WordPress Sites With the XCloner Plugin
Plugin Slug:: xcloner-backup-and-restore
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.7.4
Severity Score:: Medium
CVE:: 2024-6559

Plugin:: Arconix FAQ
Plugin Slug:: arconix-faq
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.5
Severity Score:: Medium
CVE:: 2024-38783

Plugin:: HTML Forms – Simple WordPress Forms Plugin
Plugin Slug:: html-forms
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.33
Severity Score:: Medium
CVE:: 2024-6243

Plugin:: YITH Essential Kit for WooCommerce #1
Plugin Slug:: yith-essential-kit-for-woocommerce-1
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.35.0
Severity Score:: Medium
CVE:: 2024-6799

Plugin:: Arconix Shortcodes
Plugin Slug:: arconix-shortcodes
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.12
Severity Score:: Medium
CVE:: 2024-38769

Plugin:: AI ChatBot for WordPress – WPBot
Plugin Slug:: chatbot
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.8
Severity Score:: Medium
CVE:: 2024-6669

Plugin:: WP QuickLaTeX
Plugin Slug:: wp-quicklatex
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.8
Severity Score:: Medium
CVE:: 2024-5529

Plugin:: Livemesh Addons for Beaver Builder
Plugin Slug:: addons-for-beaver-builder
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7
Severity Score:: Medium
CVE:: 2024-38784

Plugin:: Cooked – Recipe Management
Plugin Slug:: cooked
Installations: 4,000+
Vulnerability:: Content Injection
Patched in Version:: 1.8.0
Severity Score:: Medium

Plugin:: Cooked – Recipe Management
Plugin Slug:: cooked
Installations: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.8.0
Severity Score:: Medium

Plugin:: AForms — Form Builder for Price Calculator & Cost Estimation
Plugin Slug:: aforms-form-builder-for-price-calculator-cost-estimation
Installations: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.7
Severity Score:: Medium
CVE:: 2024-6565

Plugin:: Insert or Embed Articulate Content into WordPress
Plugin Slug:: insert-or-embed-articulate-content-into-wordpress
Installations: 3,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.3000000024
Severity Score:: Critical
CVE:: 2024-5630

Plugin:: Addonify – Quick View For WooCommerce
Plugin Slug:: addonify-quick-view
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.2.17
Severity Score:: Medium
CVE:: 2024-6560

Plugin:: Visual Website Collaboration, Feedback & Project Management – Atarim
Plugin Slug:: atarim-visual-collaboration
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.1
Severity Score:: Medium
CVE:: 2024-38771

Plugin:: Glossary
Plugin Slug:: glossary-by-codeat
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.27
Severity Score:: Medium
CVE:: 2024-6570

Plugin:: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)
Plugin Slug:: the-pack-addon
Installations: 2,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.0.8.7
Severity Score:: Medium
CVE:: 2024-38768

Plugin:: Web and WooCommerce Addons for WPBakery Builder
Plugin Slug:: vc-addons-by-bit14
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.6
Severity Score:: Medium
CVE:: 2024-6579

Plugin:: Great Restaurant Menu WP
Plugin Slug:: best-restaurant-menu-by-pricelisto
Installations: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.2
Severity Score:: High
CVE:: 2024-38793

Plugin:: Duplica – Duplicate Posts, Pages, Custom Posts or Users
Plugin Slug:: duplica
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.7
Severity Score:: Medium
CVE:: 2024-5997

Plugin:: WP Fast Total Search – The Power of Indexed Search
Plugin Slug:: fulltext-search
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.70.236
Severity Score:: Medium
CVE:: 2024-38778

Plugin:: MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons & 100 Styles
Plugin Slug:: maxi-blocks
Installations: 1,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.9.3
Severity Score:: High
CVE:: 2024-6885

Plugin:: Custom Query Blocks
Plugin Slug:: post-type-archive-mapping
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.3.0
Severity Score:: Medium
CVE:: 2024-38794

Plugin:: Filter & Grids
Plugin Slug:: ymc-smart-filter
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.8.33
Severity Score:: High
CVE:: 2024-6164

Plugin:: FormLift for Infusionsoft Web Forms
Plugin Slug:: formlift
Installations: 800+
Vulnerability:: SQL Injection
Patched in Version:: 7.5.18
Severity Score:: Critical
CVE:: 2024-38773

Plugin:: ArtPlacer Widget
Plugin Slug:: artplacer-widget
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.21.2
Severity Score:: High
CVE:: 2023-7269

Plugin:: ArtPlacer Widget
Plugin Slug:: artplacer-widget
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 2.21.2
Severity Score:: Medium
CVE:: 2023-7268

Plugin:: Bug Library
Plugin Slug:: bug-library
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2024-5604

Plugin:: Community Events
Plugin Slug:: community-events
Installations: 40+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.5
Severity Score:: Medium
CVE:: 2024-6271

Plugin:: PZ Frontend Manager
Plugin Slug:: pz-frontend-manager
Installations: 10+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.6
Severity Score:: Medium
CVE:: 2024-6244

Plugin:: Ultimate Addons for WPBakery Page Builder
Plugin Slug:: ultimate_vc_addons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.19.20.1
Severity Score:: Medium
CVE:: 2024-5251

Plugin:: WP eStore
Plugin Slug:: wp-cart-for-digital-products
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 8.5.5
Severity Score:: Medium
CVE:: 2024-6075

Plugin:: WP eStore
Plugin Slug:: wp-cart-for-digital-products
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5.5
Severity Score:: High
CVE:: 2024-6072

Plugin:: CopySafe Web Protection
Plugin Slug:: wp-copysafe-web
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0
Severity Score:: High
CVE:: 2024-38781

Plugin:: WP GoToWebinar
Plugin Slug:: wp-gotowebinar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 15.8
Severity Score:: High
CVE:: 2024-38776

Plugin:: WPForms User Registration
Plugin Slug:: wpforms-user-registration
Vulnerability:: Privilege Escalation
Patched in Version:: 2.1.2
Severity Score:: High
CVE:: 2023-52209

WordPress Themes — 0 Patched / 6 Unpatched

Theme:: CoziPress
Theme Slug:: cozipress
Downloads: 144,938
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-38786

Theme:: Himalayas
Theme Slug:: himalayas
Downloads: 334,322
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-39629

Theme:: ListingPro
Theme Slug:: listingpro
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-39624

Theme:: ListingPro
Theme Slug:: listingpro
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-39623

Theme:: ListingPro
Theme Slug:: listingpro
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-39622

Theme:: Zenon Lite
Theme Slug:: zenon-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5964

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah

Sarah has been with StellarWP since 2024. As our marketing generalist, she spends her day writing content and completing projects for SolidWP, LearnDash, and The Events Calendar. In her free time, Sarah can be found playing pickleball, enjoying coffee at a local coffee shop, and spending time with her husband.

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 72 Patched / 15 Unpatched

WordPress Themes — 0 Patched / 6 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 22, 2026

WordPress Vulnerability Report — April 15, 2026

WordPress Vulnerability Report — April 8, 2026

WordPress Vulnerability Report — April 1, 2026