WordPress Vulnerability Report — March 6, 2024

Since last week, 126 new vulnerabilities emerged in the WordPress ecosystem, including 5 in themes and 121 in plugins. 49 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Mar 6, 2024

Filed Under:WordPress Vulnerability Report

Reading Time:23 min.

In this report, 126 vulnerabilities have been publicly disclosed. Security patches for 77 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 49 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the reasons why WordPress websites get hacked. (See our Annual Vulnerability Report for 2022.) Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 73 Patched / 48 Unpatched

2.1 Slivery Extender
2.2 IDonate – blood request management system
2.3 Adsmonetizer
2.4 ArtiBot
2.5 Auto Refresh Single Page
2.6 BeePress
2.7 Blue Triad EZAnalytics
2.8 Change Memory Limit
2.9 Under Construction / Maintenance Mode from Acurax
2.10 Under Construction / Maintenance Mode from Acurax
2.11 Configure SMTP
2.12 Build & Control Block Patterns
2.13 Custom fields shortcode
2.14 Download Media
2.15 Duitku Payment Gateway
2.16 Easy!Appointments
2.17 Ebook Store
2.18 Conversios.io
2.19 FeedWordPress
2.20 Fontific | Google Fonts
2.21 Gestpay for WooCommerce
2.22 Maintenance Mode by helderk
2.23 JM Twitter Cards
2.24 Marketing Optimizer
2.25 Master Slider
2.26 Master Slider
2.27 Media Alt Renamer
2.28 WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit
2.29 Page Builder Sandwich – Front-End Page Builder
2.30 Page Builder Sandwich – Front-End Page Builder
2.31 Page Restrict
2.32 Password Protected Store for WooCommerce
2.33 PayU India
2.34 postMash – custom post order
2.35 Restaurant Solutions – Checklist
2.36 Rolo Slider
2.37 Simple Tweet
2.38 Ultimate Bootstrap Elements for Elementor
2.39 Ultimate Bootstrap Elements for Elementor
2.40 User Shortcodes Plus
2.41 Vimeography: Vimeo Video Gallery WordPress Plugin
2.42 Watermark RELOADED
2.43 WordPress Access Control
2.44 CodeMirror Blocks
2.45 WP eCommerce
2.46 WP eCommerce
2.47 Page Duplicator
2.48 WP Private Content Plus
2.49 LiteSpeed Cache
2.50 LiteSpeed Cache
2.51 Complianz – GDPR/CCPA Cookie Consent
2.52 Premium Addons for Elementor
2.53 WP Shortcodes Plugin — Shortcodes Ultimate
2.54 SiteOrigin Widgets Bundle
2.55 Happy Addons for Elementor
2.56 Nextend Social Login and Register
2.57 GenerateBlocks
2.58 Page Builder: Pagelayer – Drag and Drop website builder
2.59 Orbit Fox by ThemeIsle
2.60 Orbit Fox by ThemeIsle
2.61 Beaver Builder – WordPress Page Builder
2.62 Download Manager
2.63 Download Manager
2.64 Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
2.65 Events Manager – Calendar, Bookings, Tickets, and more!
2.66 WP Show Posts
2.67 Advanced iFrame
2.68 AI Engine
2.69 Booking for Appointments and Events Calendar – Amelia
2.70 Exclusive Addons for Elementor
2.71 Exclusive Addons for Elementor
2.72 Exclusive Addons for Elementor
2.73 Exclusive Addons for Elementor
2.74 Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages
2.75 Calculated Fields Form
2.76 Custom Field Suite
2.77 NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor
2.78 WP Dashboard Notes
2.79 MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance
2.80 Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
2.81 Restrict User Access – Ultimate Membership & Content Protection
2.82 Seraphinite Accelerator
2.83 NextMove Lite – Thank You Page for WooCommerce
2.84 Easy PayPal & Stripe Buy Now Button
2.85 Easy PayPal & Stripe Buy Now Button
2.86 WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
2.87 Wp Social Login and Register Social Counter
2.88 AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
2.89 Contact Form 7 – PayPal & Stripe Add-on
2.90 Contact Form 7 – PayPal & Stripe Add-on
2.91 Envo’s Elementor Templates & Widgets for WooCommerce
2.92 Envo’s Elementor Templates & Widgets for WooCommerce
2.93 Envo’s Elementor Templates & Widgets for WooCommerce
2.94 LifterLMS – WordPress LMS Plugin for eLearning
2.95 SportsPress – Sports Club & League Manager
2.96 Smart Forms – when you need more than just a contact form
2.97 WPvivid Backup for MainWP
2.98 Finale Lite – Sales Countdown Timer & Discount for WooCommerce
2.99 SoundCloud Shortcode
2.100 SMS Alert Order Notifications – WooCommerce
2.101 Thank You Page Customizer for WooCommerce – Increase Your Sales
2.102 Thank You Page Customizer for WooCommerce – Increase Your Sales
2.103 Coming Soon Page & Maintenance Mode
2.104 Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back
2.105 Slider Responsive Slideshow – Image slider, Gallery slideshow
2.106 Spiffy Calendar
2.107 Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
2.108 Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
2.109 Friends
2.110 Oliver POS – A WooCommerce Point of Sale (POS)
2.111 Page Restriction WordPress (WP) – Protect WP Pages/Post
2.112 Image Optimizer, Resizer and CDN – Sirv
2.113 Image Optimizer, Resizer and CDN – Sirv
2.114 Tainacan
2.115 Comments Extra Fields For Post,Pages and CPT
2.116 Comments Extra Fields For Post,Pages and CPT
2.117 Backup
2.118 Elementor Pro
2.119 JobSearch
2.120 JobSearch
2.121 WP Social Widget

3. WordPress Themes — 4 Patched / 1 Unpatched

3.1 Atahualpa
3.2 Yuki
3.3 Yuki
3.4 Avada
3.5 Avada

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.

The next major release will be version 6.5, planned for March 26, 2024.

WordPress Plugins — 73 Patched / 48 Unpatched

Plugin:: Slivery Extender
Plugin Slug:: slivery-extender
Installations: 2,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-27191

Plugin:: IDonate – blood request management system
Plugin Slug:: idonate
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Adsmonetizer
Plugin Slug:: adsensei-b30
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-1437

Plugin:: ArtiBot
Plugin Slug:: artibot
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0449

Plugin:: Auto Refresh Single Page
Plugin Slug:: auto-refresh-single-page
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-1731

Plugin:: BeePress
Plugin Slug:: beepress
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-27197

Plugin:: Blue Triad EZAnalytics
Plugin Slug:: blue-triad-ezanalytics
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-1782

Plugin:: Change Memory Limit
Plugin Slug:: change-memory-limit
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1093

Plugin:: Under Construction / Maintenance Mode from Acurax
Plugin Slug:: coming-soon-maintenance-mode-from-acurax
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6922

Plugin:: Under Construction / Maintenance Mode from Acurax
Plugin Slug:: coming-soon-maintenance-mode-from-acurax
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1476

Plugin:: Configure SMTP
Plugin Slug:: configure-smtp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-27192

Plugin:: Build & Control Block Patterns
Plugin Slug:: control-block-patterns
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1095

Plugin:: Custom fields shortcode
Plugin Slug:: custom-fields-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6809

Plugin:: Download Media
Plugin Slug:: download-media
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-27190

Plugin:: Duitku Payment Gateway
Plugin Slug:: duitku-social-payment-gateway
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0631

Plugin:: Easy!Appointments
Plugin Slug:: easyappointments
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0698

Plugin:: Ebook Store
Plugin Slug:: ebook-store
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-23501

Plugin:: Conversios.io
Plugin Slug:: enhanced-e-commerce-for-woocommerce-store
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-0786

Plugin:: FeedWordPress
Plugin Slug:: feedwordpress
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0839

Plugin:: Fontific | Google Fonts
Plugin Slug:: fontific
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-27194

Plugin:: Gestpay for WooCommerce
Plugin Slug:: gestpay-for-woocommerce
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0431

Plugin:: Maintenance Mode by helderk
Plugin Slug:: hkdev-maintenance-mode
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1478

Plugin:: JM Twitter Cards
Plugin Slug:: jm-twitter-cards
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1769

Plugin:: Marketing Optimizer
Plugin Slug:: marketing-optimizer
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-1976

Plugin:: Master Slider
Plugin Slug:: master-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0611

Plugin:: Master Slider
Plugin Slug:: master-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1449

Plugin:: Media Alt Renamer
Plugin Slug:: media-alt-renamer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1434

Plugin:: WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit
Plugin Slug:: myshopkit-popup-smartbar-slidein
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1436

Plugin:: Page Builder Sandwich – Front-End Page Builder
Plugin Slug:: page-builder-sandwich
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1285

Plugin:: Page Builder Sandwich – Front-End Page Builder
Plugin Slug:: page-builder-sandwich
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1381

Plugin:: Page Restrict
Plugin Slug:: pagerestrict
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0682

Plugin:: Password Protected Store for WooCommerce
Plugin Slug:: password-protected-woo-store
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1088

Plugin:: PayU India
Plugin Slug:: payu-india
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-27193

Plugin:: postMash – custom post order
Plugin Slug:: postmash
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-27196

Plugin:: Restaurant Solutions – Checklist
Plugin Slug:: restaurant-solutions-checklist
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1977

Plugin:: Rolo Slider
Plugin Slug:: rolo-slider
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-1438

Plugin:: Simple Tweet
Plugin Slug:: simple-tweet
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0700

Plugin:: Ultimate Bootstrap Elements for Elementor
Plugin Slug:: ultimate-bootstrap-elements-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-2132

Plugin:: Ultimate Bootstrap Elements for Elementor
Plugin Slug:: ultimate-bootstrap-elements-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1398

Plugin:: User Shortcodes Plus
Plugin Slug:: user-shortcodes-plus
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6969

Plugin:: Vimeography: Vimeo Video Gallery WordPress Plugin
Plugin Slug:: vimeography
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-0825

Plugin:: Watermark RELOADED
Plugin Slug:: watermark-reloaded
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-27195

Plugin:: WordPress Access Control
Plugin Slug:: wordpress-access-control
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0975

Plugin:: CodeMirror Blocks
Plugin Slug:: wp-codemirror-block
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1791

Plugin:: WP eCommerce
Plugin Slug:: wp-e-commerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1516

Plugin:: WP eCommerce
Plugin Slug:: wp-e-commerce
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-1514

Plugin:: Page Duplicator
Plugin Slug:: wp-page-duplicator
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-1368

Plugin:: WP Private Content Plus
Plugin Slug:: wp-private-content-plus
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-0680

Plugin:: LiteSpeed Cache
Plugin Slug:: litespeed-cache
Installations: 5,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.7.0.1
Severity Score:: High
CVE:: 2023-45000

Plugin:: LiteSpeed Cache
Plugin Slug:: litespeed-cache
Installations: 5,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.7.0.1
Severity Score:: High
CVE:: 2023-40000

Plugin:: Complianz – GDPR/CCPA Cookie Consent
Plugin Slug:: complianz-gdpr
Installations: 900,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 7.0.0
Severity Score:: Medium
CVE:: 2024-1592

Plugin:: Premium Addons for Elementor
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.10.22
Severity Score:: Medium
CVE:: 2024-1680

Plugin:: WP Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.0.4
Severity Score:: Medium
CVE:: 2024-1808

Plugin:: SiteOrigin Widgets Bundle
Plugin Slug:: so-widgets-bundle
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.58.8
Severity Score:: Medium
CVE:: 2024-1723

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.10.2
Severity Score:: Medium
CVE:: 2024-0438

Plugin:: Nextend Social Login and Register
Plugin Slug:: nextend-facebook-connect
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.13
Severity Score:: High
CVE:: 2024-1775

Plugin:: GenerateBlocks
Plugin Slug:: generateblocks
Installations: 200,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.8.3
Severity Score:: Medium
CVE:: 2024-1452

Plugin:: Page Builder: Pagelayer – Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.1
Severity Score:: Medium
CVE:: 2023-7115

Plugin:: Orbit Fox by ThemeIsle
Plugin Slug:: themeisle-companion
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.32
Severity Score:: Medium
CVE:: 2024-1323

Plugin:: Orbit Fox by ThemeIsle
Plugin Slug:: themeisle-companion
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.31
Severity Score:: Medium
CVE:: 2024-1499

Plugin:: Beaver Builder – WordPress Page Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.4.3
Severity Score:: Medium
CVE:: 2024-1074

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.86
Severity Score:: Medium
CVE:: 2023-6954

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.85
Severity Score:: Medium
CVE:: 2023-6785

Plugin:: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Plugin Slug:: essential-blocks
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.2
Severity Score:: Medium
CVE:: 2024-1854

Plugin:: Events Manager – Calendar, Bookings, Tickets, and more!
Plugin Slug:: events-manager
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.7
Severity Score:: Medium
CVE:: 2024-0614

Plugin:: WP Show Posts
Plugin Slug:: wp-show-posts
Installations: 90,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.1.5
Severity Score:: Medium
CVE:: 2024-1479

Plugin:: Advanced iFrame
Plugin Slug:: advanced-iframe
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2024.2
Severity Score:: Medium
CVE:: 2024-1341

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.1
Severity Score:: High
CVE:: 2024-0378

Plugin:: Booking for Appointments and Events Calendar – Amelia
Plugin Slug:: ameliabooking
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.99
Severity Score:: High
CVE:: 2024-1484

Plugin:: Exclusive Addons for Elementor
Plugin Slug:: exclusive-addons-for-elementor
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.9.1
Severity Score:: Medium
CVE:: 2024-1414

Plugin:: Exclusive Addons for Elementor
Plugin Slug:: exclusive-addons-for-elementor
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.9.1
Severity Score:: Medium
CVE:: 2024-1234

Plugin:: Exclusive Addons for Elementor
Plugin Slug:: exclusive-addons-for-elementor
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.9.1
Severity Score:: Medium
CVE:: 2024-2028

Plugin:: Exclusive Addons for Elementor
Plugin Slug:: exclusive-addons-for-elementor
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.9.1
Severity Score:: Medium
CVE:: 2024-1413

Plugin:: Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages
Plugin Slug:: visualcomposer
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 45.7.0
Severity Score:: Medium
CVE:: 2023-6880

Plugin:: Calculated Fields Form
Plugin Slug:: calculated-fields-form
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.57
Severity Score:: High
CVE:: 2024-2020

Plugin:: Custom Field Suite
Plugin Slug:: custom-field-suite
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.5
Severity Score:: Medium
CVE:: 2024-0689

Plugin:: NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor
Plugin Slug:: notificationx
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.8.3
Severity Score:: Critical
CVE:: 2024-1698

Plugin:: WP Dashboard Notes
Plugin Slug:: wp-dashboard-notes
Installations: 30,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.0.11
Severity Score:: Medium
CVE:: 2023-7198

Plugin:: MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance
Plugin Slug:: mainwp
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.0
Severity Score:: Medium
CVE:: 2024-1642

Plugin:: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
Plugin Slug:: rafflepress
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.12.7
Severity Score:: High
CVE:: 2024-1935

Plugin:: Restrict User Access – Ultimate Membership & Content Protection
Plugin Slug:: restrict-user-access
Installations: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.6
Severity Score:: Medium
CVE:: 2024-0687

Plugin:: Seraphinite Accelerator
Plugin Slug:: seraphinite-accelerator
Installations: 20,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.21
Severity Score:: Medium
CVE:: 2024-1568

Plugin:: NextMove Lite – Thank You Page for WooCommerce
Plugin Slug:: woo-thank-you-page-nextmove-lite
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.18.1
Severity Score:: Medium
CVE:: 2024-1120

Plugin:: Easy PayPal & Stripe Buy Now Button
Plugin Slug:: wp-ecommerce-paypal
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.9
Severity Score:: Medium
CVE:: 2024-1719

Plugin:: Easy PayPal & Stripe Buy Now Button
Plugin Slug:: wp-ecommerce-paypal
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.9
Severity Score:: Medium
CVE:: 2024-1719

Plugin:: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
Plugin Slug:: wp-event-manager
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.42
Severity Score:: High
CVE:: 2024-0976

Plugin:: Wp Social Login and Register Social Counter
Plugin Slug:: wp-social
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.1
Severity Score:: Medium
CVE:: 2024-1763

Plugin:: AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
Plugin Slug:: aweber-web-form-widget
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 7.3.15
Severity Score:: High
CVE:: 2024-1793

Plugin:: Contact Form 7 – PayPal & Stripe Add-on
Plugin Slug:: contact-form-7-paypal-add-on
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.2
Severity Score:: Medium
CVE:: 2024-1719

Plugin:: Contact Form 7 – PayPal & Stripe Add-on
Plugin Slug:: contact-form-7-paypal-add-on
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.2
Severity Score:: Medium
CVE:: 2024-1719

Plugin:: Envo’s Elementor Templates & Widgets for WooCommerce
Plugin Slug:: envo-elementor-for-woocommerce
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.5
Severity Score:: Medium
CVE:: 2024-0766

Plugin:: Envo’s Elementor Templates & Widgets for WooCommerce
Plugin Slug:: envo-elementor-for-woocommerce
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.4.5
Severity Score:: Medium
CVE:: 2024-0767

Plugin:: Envo’s Elementor Templates & Widgets for WooCommerce
Plugin Slug:: envo-elementor-for-woocommerce
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.4.5
Severity Score:: Medium
CVE:: 2024-0768

Plugin:: LifterLMS – WordPress LMS Plugin for eLearning
Plugin Slug:: lifterlms
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.5.2
Severity Score:: Medium
CVE:: 2024-0377

Plugin:: SportsPress – Sports Club & League Manager
Plugin Slug:: sportspress
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.18
Severity Score:: Medium
CVE:: 2024-1178

Plugin:: Smart Forms – when you need more than just a contact form
Plugin Slug:: smart-forms
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.87
Severity Score:: Medium
CVE:: 2023-7203

Plugin:: WPvivid Backup for MainWP
Plugin Slug:: wpvivid-backup-mainwp
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.9.33
Severity Score:: High
CVE:: 2024-1383

Plugin:: Finale Lite – Sales Countdown Timer & Discount for WooCommerce
Plugin Slug:: finale-woocommerce-sales-countdown-timer-discount
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.18.0
Severity Score:: Medium
CVE:: 2024-1120

Plugin:: SoundCloud Shortcode
Plugin Slug:: soundcloud-shortcode
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.2
Severity Score:: Medium
CVE:: 2024-25936

Plugin:: SMS Alert Order Notifications – WooCommerce
Plugin Slug:: sms-alert
Installations: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.7.0
Severity Score:: Medium
CVE:: 2024-1489

Plugin:: Thank You Page Customizer for WooCommerce – Increase Your Sales
Plugin Slug:: woo-thank-you-page-customizer
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.3
Severity Score:: Medium
CVE:: 2024-1687

Plugin:: Thank You Page Customizer for WooCommerce – Increase Your Sales
Plugin Slug:: woo-thank-you-page-customizer
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.3
Severity Score:: Medium
CVE:: 2024-1686

Plugin:: Coming Soon Page & Maintenance Mode
Plugin Slug:: responsive-coming-soon
Installations: 4,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2024-1136

Plugin:: Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back
Plugin Slug:: chat-bubble
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4
Severity Score:: Medium
CVE:: 2024-0898

Plugin:: Slider Responsive Slideshow – Image slider, Gallery slideshow
Plugin Slug:: slider-responsive-slideshow
Installations: 3,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4.0
Severity Score:: High
CVE:: 2024-1859

Plugin:: Spiffy Calendar
Plugin Slug:: spiffy-calendar
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.9
Severity Score:: Medium
CVE:: 2024-0855

Plugin:: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
Plugin Slug:: antihacker
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.52
Severity Score:: Medium
CVE:: 2024-1860

Plugin:: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
Plugin Slug:: antihacker
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.53
Severity Score:: Medium
CVE:: 2024-1861

Plugin:: Friends
Plugin Slug:: friends
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.8.6
Severity Score:: Medium
CVE:: 2024-1978

Plugin:: Oliver POS – A WooCommerce Point of Sale (POS)
Plugin Slug:: oliver-pos
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.1.9
Severity Score:: Medium
CVE:: 2024-1954

Plugin:: Page Restriction WordPress (WP) – Protect WP Pages/Post
Plugin Slug:: page-and-post-restriction
Installations: 1,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.3.5
Severity Score:: Medium
CVE:: 2024-0681

Plugin:: Image Optimizer, Resizer and CDN – Sirv
Plugin Slug:: sirv
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.2.1
Severity Score:: Medium
CVE:: 2024-27950

Plugin:: Image Optimizer, Resizer and CDN – Sirv
Plugin Slug:: sirv
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 7.2.1
Severity Score:: Medium
CVE:: 2024-27949

Plugin:: Tainacan
Plugin Slug:: tainacan
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 0.20.7
Severity Score:: Medium
CVE:: 2024-1435

Plugin:: Comments Extra Fields For Post,Pages and CPT
Plugin Slug:: wp-comment-fields
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.1
Severity Score:: Medium
CVE:: 2024-0830

Plugin:: Comments Extra Fields For Post,Pages and CPT
Plugin Slug:: wp-comment-fields
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1
Severity Score:: Medium
CVE:: 2024-0829

Plugin:: Backup
Plugin Slug:: backup2
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.0.9.9
Severity Score:: High
CVE:: 2023-7165

Plugin:: Elementor Pro
Plugin Slug:: elementor-pro
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.19.3
Severity Score:: Medium
CVE:: 2024-23523

Plugin:: JobSearch
Plugin Slug:: wp-jobsearch
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.3.4
Severity Score:: Critical
CVE:: 2023-6585

Plugin:: JobSearch
Plugin Slug:: wp-jobsearch
Vulnerability:: Broken Authentication
Patched in Version:: 2.3.4
Severity Score:: Critical
CVE:: 2023-6584

Plugin:: WP Social Widget
Plugin Slug:: wp-social-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.6
Severity Score:: Medium
CVE:: 2024-27189

WordPress Themes — 4 Patched / 1 Unpatched

Theme:: Atahualpa
Theme Slug:: atahualpa
Downloads: 1,333,690
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-27948

Theme:: Yuki
Theme Slug:: yuki
Downloads: 133,433
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.14
Severity Score:: Medium
CVE:: 2024-1388

Theme:: Yuki
Theme Slug:: yuki
Downloads: 133,433
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.15
Severity Score:: Medium
CVE:: 2024-1943

Theme:: Avada
Theme Slug:: avada
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.11.6
Severity Score:: Medium
CVE:: 2024-1668

Theme:: Avada
Theme Slug:: avada
Vulnerability:: Arbitrary File Upload
Patched in Version:: 7.11.5
Severity Score:: Critical
CVE:: 2024-1468

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. As our product marketer, Sarah works on providing helpful content for our customers and building the most beautiful spreadsheets you’ll ever behold. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her two older boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Table of Contents

WordPress Core

WordPress Plugins — 73 Patched / 48 Unpatched

WordPress Themes — 4 Patched / 1 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 24, 2024

Solid Security Pro Feature Spotlight – Password Requirements

WordPress Vulnerability Report — April 17, 2024

WordPress Vulnerability Report — April 10, 2024