In this report, 70 vulnerabilities have been publicly disclosed. Security patches for 57 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.
Additionally, there are 13 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress Core
WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.
The next major release will be version 6.5, planned for March 26, 2024.
WordPress Plugins — 55 Patched / 13 Unpatched
HT Easy GA4 – Google Analytics WordPress Plugin
- Plugin Slug: ht-easy-google-analytics
- Installations: 6,000+
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: 2024-1176
Auto Refresh Single Page
- Plugin: Auto Refresh Single Page
- Plugin Slug: auto-refresh-single-page
- Vulnerability: PHP Object Injection
- Patched in Version: No Fix
- Severity Score: High
- CVE: 2024-1731
Blue Triad EZAnalytics
- Plugin: Blue Triad EZAnalytics
- Plugin Slug: blue-triad-ezanalytics
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: High
- CVE: 2024-1782
Change Memory Limit
- Plugin: Change Memory Limit
- Plugin Slug: change-memory-limit
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: 2024-1093
Build & Control Block Patterns
- Plugin: Build & Control Block Patterns
- Plugin Slug: control-block-patterns
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: 2024-1095
Droit Elementor Addons
- Plugin: Droit Elementor Addons
- Plugin Slug: droit-elementor-addons
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: 2024-2252
FeedWordPress
- Plugin: FeedWordPress
- Plugin Slug: feedwordpress
- Vulnerability: Insecure Direct Object References (IDOR)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: 2024-0839
Maintenance Mode by helderk
- Plugin: Maintenance Mode by helderk
- Plugin Slug: hkdev-maintenance-mode
- Vulnerability: Sensitive Data Exposure
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: 2024-1478
Master Slider
- Plugin: Master Slider
- Plugin Slug: master-slider
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: 2024-0611
Master Slider
- Plugin: Master Slider
- Plugin Slug: master-slider
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: 2024-1449
Page Builder Sandwich – Front-End Page Builder
- Plugin: Page Builder Sandwich – Front-End Page Builder
- Plugin Slug: page-builder-sandwich
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: 2024-1285
Page Builder Sandwich – Front-End Page Builder
- Plugin: Page Builder Sandwich – Front-End Page Builder
- Plugin Slug: page-builder-sandwich
- Vulnerability: Sensitive Data Exposure
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: 2024-1381
Vimeography: Vimeo Video Gallery WordPress Plugin
- Plugin: Vimeography: Vimeo Video Gallery WordPress Plugin
- Plugin Slug: vimeography
- Vulnerability: PHP Object Injection
- Patched in Version: No Fix
- Severity Score: High
- CVE: 2024-0825
File Manager
- Plugin: File Manager
- Plugin Slug: wp-file-manager
- Installations: 1,000,000+
- Vulnerability: Path Traversal
- Patched in Version: 7.2.2
- Severity Score: High
- CVE: 2023-6825
SiteOrigin Widgets Bundle
- Plugin: SiteOrigin Widgets Bundle
- Plugin Slug: so-widgets-bundle
- Installations: 600,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.58.8
- Severity Score: Medium
- CVE: 2024-1723
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
- Plugin Slug: fluentform
- Installations: 400,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 5.1.10
- Severity Score: Medium
- CVE: 2023-6957
Happy Addons for Elementor
- Plugin: Happy Addons for Elementor
- Plugin Slug: happy-elementor-addons
- Installations: 400,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.10.4
- Severity Score: Medium
- CVE: 2024-1366
Happy Addons for Elementor
- Plugin: Happy Addons for Elementor
- Plugin Slug: happy-elementor-addons
- Installations: 400,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.10.4
- Severity Score: Medium
- CVE: 2024-1377
Metform Elementor Contact Form Builder
- Plugin Slug: metform
- Installations: 300,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.8.4
- Severity Score: Medium
- CVE: 2024-1585
Royal Elementor Addons and Templates
- Plugin Slug: royal-elementor-addons
- Installations: 300,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.3.92
- Severity Score: Medium
- CVE: 2024-1500
Page Builder: Pagelayer – Drag and Drop website builder
- Plugin Slug: pagelayer
- Installations: 200,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.8.4
- Severity Score: Medium
- CVE: 2024-2127
Orbit Fox by ThemeIsle
- Plugin: Orbit Fox by ThemeIsle
- Plugin Slug: themeisle-companion
- Installations: 200,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.10.33
- Severity Score: Medium
- CVE: 2024-2126
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
- Plugin Slug: ultimate-member
- Installations: 200,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.8.4
- Severity Score: High
- CVE: 2024-2123
Colibri Page Builder
- Plugin: Colibri Page Builder
- Plugin Slug: colibri-page-builder
- Installations: 100,000+
- Vulnerability: Broken Access Control
- Patched in Version: 1.0.263
- Severity Score: Medium
- CVE: 2024-1870
Social Sharing Plugin – Sassy Social Share
- Plugin Slug: sassy-social-share
- Installations: 100,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.3.59
- Severity Score: Medium
- CVE: 2024-1989
The Plus Addons for Elementor
- Plugin: The Plus Addons for Elementor
- Plugin Slug: the-plus-addons-for-elementor-page-builder
- Installations: 100,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 5.4.1
- Severity Score: Medium
- CVE: 2024-1419
WP Chat App
- Plugin: WP Chat App
- Plugin Slug: wp-whatsapp
- Installations: 100,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.6.2
- Severity Score: Medium
- CVE: 2024-1761
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
- Plugin Slug: embedpress
- Installations: 90,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.9.11
- Severity Score: Medium
- CVE: 2024-1802
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
- Plugin Slug: embedpress
- Installations: 90,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.9.11
- Severity Score: Medium
- CVE: 2024-2128
Event Tickets and Registration
- Plugin: Event Tickets and Registration
- Plugin Slug: event-tickets
- Installations: 80,000+
- Vulnerability: Broken Access Control
- Patched in Version: 5.8.1
- Severity Score: Medium
- CVE: 2024-1316
Database for Contact Form 7, WPforms, Elementor forms
- Plugin Slug: contact-form-entries
- Installations: 60,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.3.4
- Severity Score: Medium
- CVE: 2024-2030
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin
- Plugin Slug: user-registration
- Installations: 60,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.1.5
- Severity Score: High
- CVE: 2024-1720
WP-Members Membership Plugin
- Plugin: WP-Members Membership Plugin
- Plugin Slug: wp-members
- Installations: 60,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.4.9.2
- Severity Score: Medium
- CVE: 2024-1987
Simple Membership
- Plugin: Simple Membership
- Plugin Slug: simple-membership
- Installations: 50,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 4.4.3
- Severity Score: High
- CVE: 2024-1985
Booster for WooCommerce
- Plugin: Booster for WooCommerce
- Plugin Slug: woocommerce-jetpack
- Installations: 50,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 7.1.8
- Severity Score: Medium
- CVE: 2024-1534
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
- Plugin Slug: simply-schedule-appointments
- Installations: 30,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.6.6.24
- Severity Score: Medium
- CVE: 2024-1760
MasterStudy LMS WordPress Plugin – for Online Courses and Education
- Plugin Slug: masterstudy-lms-learning-management-system
- Installations: 10,000+
- Vulnerability: Sensitive Data Exposure
- Patched in Version: 3.2.11
- Severity Score: Medium
- CVE: 2024-2106
SportsPress – Sports Club & League Manager
- Plugin Slug: sportspress
- Installations: 10,000+
- Vulnerability: Broken Access Control
- Patched in Version: 2.7.18
- Severity Score: Medium
- CVE: 2024-1178
Product Carousel Slider & Grid Ultimate for WooCommerce
- Plugin Slug: woo-product-carousel-slider-and-grid-ultimate
- Installations: 9,000+
- Vulnerability: PHP Object Injection
- Patched in Version: 1.9.8
- Severity Score: High
- CVE: 2024-1950
JM Twitter Cards
- Plugin: JM Twitter Cards
- Plugin Slug: jm-twitter-cards
- Installations: 7,000+
- Vulnerability: Sensitive Data Exposure
- Patched in Version: 14
- Severity Score: Medium
- CVE: 2024-1769
Ultimate Bootstrap Elements for Elementor
- Plugin Slug: ultimate-bootstrap-elements-for-elementor
- Installations: 6,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.3.7
- Severity Score: Medium
- CVE: 2024-1398
WPKoi Templates for Elementor
- Plugin: WPKoi Templates for Elementor
- Plugin Slug: wpkoi-templates-for-elementor
- Installations: 6,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.5.7
- Severity Score: Medium
- CVE: 2024-2136
Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid
- Plugin Slug: logo-showcase-ultimate
- Installations: 5,000+
- Vulnerability: PHP Object Injection
- Patched in Version: 1.3.9
- Severity Score: High
- CVE: 2024-1951
Auto Affiliate Links
- Plugin: Auto Affiliate Links
- Plugin Slug: wp-auto-affiliate-links
- Installations: 4,000+
- Vulnerability: Broken Access Control
- Patched in Version: 6.4.3.1
- Severity Score: Medium
- CVE: 2024-1843
EventPrime – Events Calendar, Bookings and Tickets
- Plugin Slug: eventprime-event-calendar-management
- Installations: 3,000+
- Vulnerability: Broken Access Control
- Patched in Version: 3.4.3
- Severity Score: Medium
- CVE: 2024-1123
EventPrime – Events Calendar, Bookings and Tickets
- Plugin Slug: eventprime-event-calendar-management
- Installations: 3,000+
- Vulnerability: Broken Access Control
- Patched in Version: 3.4.4
- Severity Score: Medium
- CVE: 2024-1124
Profile Box Shortcode And Widget
- Plugin: Profile Box Shortcode And Widget
- Plugin Slug: facebook-likebox-widget-and-shortcode
- Installations: 3,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.2.1
- Severity Score: Medium
- CVE: 2024-1401
Password Protected Store for WooCommerce
- Plugin Slug: password-protected-woo-store
- Installations: 3,000+
- Vulnerability: Sensitive Data Exposure
- Patched in Version: 2.3
- Severity Score: Medium
- CVE: 2024-1088
WooCommerce Add to Cart Custom Redirect
- Plugin Slug: woocommerce-add-to-cart-custom-redirect
- Installations: 3,000+
- Vulnerability: Broken Access Control
- Patched in Version: 1.2.14
- Severity Score: High
- CVE: 2024-1862
affiliate-toolkit – WordPress Affiliate Plugin
- Plugin Slug: affiliate-toolkit-starter
- Installations: 2,000+
- Vulnerability: Broken Access Control
- Patched in Version: 3.5.5
- Severity Score: Medium
- CVE: 2024-1851
affiliate-toolkit – WordPress Affiliate Plugin
- Plugin Slug: affiliate-toolkit-starter
- Installations: 2,000+
- Vulnerability: Broken Access Control
- Patched in Version: 3.5.5
- Severity Score: Medium
- CVE: 2024-2298
Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget
- Plugin Slug: post-grid-carousel-ultimate
- Installations: 1,000+
- Vulnerability: PHP Object Injection
- Patched in Version: 1.6.8
- Severity Score: High
- CVE: 2024-2006
Simple Restrict
- Plugin: Simple Restrict
- Plugin Slug: simple-restrict
- Installations: 1,000+
- Vulnerability: Broken Access Control
- Patched in Version: 1.2.7
- Severity Score: Medium
- CVE: 2024-1083
Easy!Appointments
- Plugin: Easy!Appointments
- Plugin Slug: easyappointments
- Installations: 700+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.3.2
- Severity Score: Medium
- CVE: 2024-0698
Booster Elite for WooCommerce
- Plugin: Booster Elite for WooCommerce
- Plugin Slug: booster-elite-for-woocommerce
- Vulnerability: Arbitrary File Upload
- Patched in Version: 7.1.8
- Severity Score: Critical
- CVE: 2024-1986
BuddyForms
- Plugin: BuddyForms
- Plugin Slug: buddyforms
- Vulnerability: Broken Access Control
- Patched in Version: 2.8.8
- Severity Score: High
- CVE: 2024-1170
BuddyForms
- Plugin: BuddyForms
- Plugin Slug: buddyforms
- Vulnerability: Broken Access Control
- Patched in Version: 2.8.8
- Severity Score: Medium
- CVE: 2024-1158
BuddyForms
- Plugin: BuddyForms
- Plugin Slug: buddyforms
- Vulnerability: Broken Access Control
- Patched in Version: 2.8.8
- Severity Score: High
- CVE: 2024-1169
Digits
- Plugin: Digits
- Plugin Slug: digits
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 8.4.2
- Severity Score: Medium
- CVE: 2024-0203
Events Tickets Plus
- Plugin: Events Tickets Plus
- Plugin Slug: event-tickets-plus
- Vulnerability: Broken Access Control
- Patched in Version: 5.9.1
- Severity Score: Medium
- CVE: 2024-1319
Events Tickets Plus
- Plugin: Events Tickets Plus
- Plugin Slug: event-tickets-plus
- Vulnerability: Broken Access Control
- Patched in Version: 5.9.1
- Severity Score: Medium
- CVE: 2024-1316
Mollie Forms
- Plugin: Mollie Forms
- Plugin Slug: mollie-forms
- Vulnerability: Broken Access Control
- Patched in Version: 2.6.4
- Severity Score: Medium
- CVE: 2024-1400
Mollie Forms
- Plugin: Mollie Forms
- Plugin Slug: mollie-forms
- Vulnerability: Broken Access Control
- Patched in Version: 2.6.4
- Severity Score: Medium
- CVE: 2024-1645
Restaurant Reservations
- Plugin: Restaurant Reservations
- Plugin Slug: nd-restaurant-reservations
- Vulnerability: Local File Inclusion
- Patched in Version: 2.0
- Severity Score: High
- CVE: 2024-1382
Otter Blocks PRO
- Plugin: Otter Blocks PRO
- Plugin Slug: otter-pro
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.6.4
- Severity Score: Medium
- CVE: 2024-1684
Otter Blocks PRO
- Plugin: Otter Blocks PRO
- Plugin Slug: otter-pro
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.6.4
- Severity Score: High
- CVE: 2024-1691
Premium Addons PRO
- Plugin: Premium Addons PRO
- Plugin Slug: premium-addons-pro
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.9.13
- Severity Score: Medium
- CVE: 2024-1996
File Manager Pro
- Plugin: File Manager Pro
- Plugin Slug: wp-file-manager-pro
- Vulnerability: Path Traversal
- Patched in Version: 8.3.5
- Severity Score: Critical
- CVE: 2023-6825
WordPress Themes — 2 Patched / 0 Unpatched
Blocksy
Total