WordPress Vulnerability Report — November 20, 2024

This last week, 205 new plugin and theme vulnerabilities emerged in the WordPress ecosystem. 119 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah

In this report, 205 vulnerabilities have been publicly disclosed. Security patches for 86 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 119 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.7, code-named “Rollins,” is out now, paying tribute to the legendary jazz saxophonist Sonny Rollins. WordPress 6.7 debuts the modern Twenty Twenty-Five theme, offering design flexibility for blogs.

No new core vulnerabilities were disclosed this week.

WordPress Plugins — 84 Patched / 115 Unpatched

Disable Admin Notices individually

Plugin Slug:
disable-admin-notices
Installations
100,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Copy Anything to Clipboard

Plugin Slug:
copy-the-code
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Popup by Supsystic

Plugin Slug:
popup-by-supsystic
Installations
10,000+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Weather Atlas Widget

Plugin Slug:
weather-atlas
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Team Member – Multi Language Supported Team Plugin

Plugin Slug:
team-showcase-supreme
Installations
8,000+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Themify Builder

Plugin Slug:
themify-builder
Installations
7,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

BuddyPress Builder for Elementor – BuddyBuilder

Plugin Slug:
stax-buddy-builder
Installations
2,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Extensions for Elementor

Plugin Slug:
extensions-for-elementor
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Library Bookshelves

Plugin Slug:
library-bookshelves
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Team Rosters

Plugin Slug:
team-rosters
Installations
300+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Buying Buddy IDX CRM

Plugin Slug:
buying-buddy-idx-crm
Installations
200+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Post By Email

Plugin Slug:
post-by-email
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
ai-responsive-gallery-album
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

amr shortcodes

Plugin Slug:
amr-shortcodes
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Popup Window Maker

Plugin Slug:
easy-popup-lightbox-maker
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

LeadBoxer

Plugin:
LeadBoxer
Plugin Slug:
leadboxer
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

LGPD Framework By Data443

Plugin Slug:
lgpd-framework
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

NIX Anti-Spam Light

Plugin Slug:
nix-anti-spam-light
Installations
100+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

TM Islamic Helper

Plugin Slug:
tm-islamic-helper
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Linear

Plugin:
Linear
Plugin Slug:
linear
Installations
70+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Open edX LMS and WordPress integrator (LITE)

Plugin Slug:
edunext-openedx-integrator
Installations
60+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Geolocator

Plugin:
Geolocator
Plugin Slug:
geolocator
Installations
50+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Infinite Slider

Plugin Slug:
infinite-slider
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Price Alert

Plugin Slug:
price-alert-woocommerce
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

QRMenu Restaurant QR Menu Lite

Plugin Slug:
qrmenu-lite
Installations
50+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP e-Commerce Style Email

Plugin Slug:
wp-e-commerce-style-email
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

de:branding

Plugin Slug:
debranding
Installations
30+
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

My Geo Posts Free

Plugin Slug:
my-geo-posts-free
Installations
30+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Awesome Studio

Plugin Slug:
awesome-studio
Installations
20+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

HTML5 Lyrics Karaoke Player

Plugin Slug:
html5-lyrics-karaoke-player
Installations
20+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

nBlocks – Responsive Gutenberg News Blocks

Plugin Slug:
nblocks
Installations
20+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Post Ideas

Plugin:
Post Ideas
Plugin Slug:
post-ideas
Installations
20+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Ultimate Classified Listings

Plugin Slug:
ultimate-classified-listings
Installations
20+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

AtaraPay WooCommerce Payment Gateway

Plugin Slug:
atarapay-woocommerce
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Chameleoni Jobs

Plugin Slug:
chameleon-jobs
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Explara Events

Plugin Slug:
explara-events
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

GoQMieruca

Plugin:
GoQMieruca
Plugin Slug:
goqmieruca
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

GoQSmile

Plugin:
GoQSmile
Plugin Slug:
goqsmile
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Xpresslane Fast Checkout

Plugin Slug:
xpresslane-integration-for-woocommerce
Installations
10+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

404 Error Monitor

Plugin:
404 Error Monitor
Plugin Slug:
404-error-monitor
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation

Plugin:
Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation
Plugin Slug:
ai-content-generator
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

AJAX Login and Registration modal popup + inline form

Plugin:
AJAX Login and Registration modal popup + inline form
Plugin Slug:
ajax-login-and-registration-modal-popup
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

AJAX Random Posts

Plugin:
AJAX Random Posts
Plugin Slug:
ajax-random-posts
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

EleForms

Plugin:
EleForms
Plugin Slug:
all-contact-form-integration-for-elementor
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Aqua SVG Sprite

Plugin:
Aqua SVG Sprite
Plugin Slug:
aqua-svg-sprite
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

B-Banner Slider

Plugin:
B-Banner Slider
Plugin Slug:
b-banner-slider
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Banner System

Plugin:
Banner System
Plugin Slug:
banner-system
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

BasePress Migration Tools

Plugin:
BasePress Migration Tools
Plugin Slug:
basepress-migration-tools
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Blogger 301 Redirect

Plugin:
Blogger 301 Redirect
Plugin Slug:
blogger-301-redirect
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Boat Rental Plugin for WordPress

Plugin:
Boat Rental Plugin for WordPress
Plugin Slug:
boat-rental-system
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Bounce Handler MailPoet 3

Plugin:
Bounce Handler MailPoet 3
Plugin Slug:
bounce-handler-mailpoet
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

BulkPress

Plugin:
BulkPress
Plugin Slug:
bulkpress
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Buy one click WooCommerce

Plugin:
Buy one click WooCommerce
Plugin Slug:
buy-one-click-woocommerce
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SVG Case Study

Plugin:
SVG Case Study
Plugin Slug:
case-study
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CF7 Reply Manager

Plugin:
CF7 Reply Manager
Plugin Slug:
cf7-reply-manager
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Constant Contact Forms by MailMunch

Plugin:
Constant Contact Forms by MailMunch
Plugin Slug:
constant-contact-forms-by-mailmunch
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Contact Page With Google Map

Plugin:
Contact Page With Google Map
Plugin Slug:
contact-page-with-google-map
Vulnerability:
Arbitrary File Deletion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Convert Docx2post

Plugin:
Convert Docx2post
Plugin Slug:
convert-docx2post
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

CSV to html

Plugin:
CSV to html
Plugin Slug:
csv-to-html
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Datasets Manager by Arttia Creative

Plugin:
Datasets Manager by Arttia Creative
Plugin Slug:
datasets-manager-by-arttia-creative
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Debug Tool

Plugin:
Debug Tool
Plugin Slug:
debug-tool
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Devexhub Gallery

Plugin:
Devexhub Gallery
Plugin Slug:
devexhub-gallery
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

DigiPass

Plugin:
DigiPass
Plugin Slug:
digipass
Vulnerability:
Arbitrary File Download
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Do That Task

Plugin:
Do That Task
Plugin Slug:
do-that-task
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Drop Shadow Boxes

Plugin:
Drop Shadow Boxes
Plugin Slug:
drop-shadow-boxes
Vulnerability:
Arbitrary Code Execution
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Drozd – Addons for Elementor

Plugin:
Drozd – Addons for Elementor
Plugin Slug:
drozd-addons-for-elementor
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Dynamic URL SEO

Plugin:
Dynamic URL SEO
Plugin Slug:
dynamic-url-seo
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Easy CSV Importer BETA

Plugin:
Easy CSV Importer BETA
Plugin Slug:
easy-csv-importer
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Elfsight Telegram Chat CC

Plugin:
Elfsight Telegram Chat CC
Plugin Slug:
elfsight-telegram-chat-cc
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Exclusive Content Password Protect

Plugin:
Exclusive Content Password Protect
Plugin Slug:
exclusive-content-password-protect
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Exclusive Divi

Plugin:
Exclusive Divi
Plugin Slug:
exclusive-divi
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

External Database Based Actions

Plugin:
External Database Based Actions
Plugin Slug:
external-database-based-actions
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Fancy Gallery

Plugin:
Fancy Gallery
Plugin Slug:
fancy-gallery
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Fat Rat Collect

Plugin:
Fat Rat Collect
Plugin Slug:
fat-rat-collect
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Ads Booster by Ads Pro

Plugin:
Ads Booster by Ads Pro
Plugin Slug:
free-wp-booster-by-ads-pro
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Gallerio

Plugin:
Gallerio
Plugin Slug:
gallerio
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Global Gateway e4 | Payeezy Gateway |

Plugin:
Global Gateway e4 | Payeezy Gateway |
Plugin Slug:
globe-gateway-e4
Vulnerability:
Arbitrary File Deletion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Hacklog DownloadManager

Plugin:
Hacklog DownloadManager
Plugin Slug:
hacklog-downloadmanager
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Hide Links

Plugin:
Hide Links
Plugin Slug:
hide-links
Vulnerability:
Broken Authentication
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

KBucket

Plugin:
KBucket
Plugin Slug:
kbucket
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Lis Video Gallery

Plugin:
Lis Video Gallery
Plugin Slug:
lis-video-gallery
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Matix Popup Builder

Plugin:
Matix Popup Builder
Plugin Slug:
medma-matix
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Advanced Personalization

Plugin:
Advanced Personalization
Plugin Slug:
personalization-by-flowcraft
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Picsmize

Plugin:
Picsmize
Plugin Slug:
picsmize
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

PJW Mime Config

Plugin:
PJW Mime Config
Plugin Slug:
pjw-mime-config
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Push Notifications for WordPress by PushAssist

Plugin:
Push Notifications for WordPress by PushAssist
Plugin Slug:
push-notification-for-wp-by-pushassist
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Quick Learn

Plugin Slug:
quick-learn
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Razorpay Payment Button

Plugin:
Razorpay Payment Button
Plugin Slug:
razorpay-payment-button
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Referrer Detector

Plugin:
Referrer Detector
Plugin Slug:
referrer-detector
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Relais 2FA

Plugin:
Relais 2FA
Plugin Slug:
relais-2fa
Vulnerability:
Broken Authentication
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

SimpleForm

Plugin:
SimpleForm
Plugin Slug:
simpleform
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

SimpleForm Contact Form Submissions

Plugin:
SimpleForm Contact Form Submissions
Plugin Slug:
simpleform-contact-form-submissions
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

SK WP Settings Backup

Plugin:
SK WP Settings Backup
Plugin Slug:
sk-wp-settings-backup
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Social Proof (Testimonial) Slider

Plugin:
Social Proof (Testimonial) Slider
Plugin Slug:
social-proof-testimonials-slider
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Steel

Plugin:
Steel
Plugin Slug:
steel
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Styler for Ninja Forms

Plugin:
Styler for Ninja Forms
Plugin Slug:
styler-for-ninja-forms-lite
Vulnerability:
Settings Change
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SVGPlus

Plugin:
SVGPlus
Plugin Slug:
svgplus
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Uix Slideshow

Plugin:
Uix Slideshow
Plugin Slug:
uix-slideshow
Vulnerability:
Arbitrary Code Execution
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

User Management

Plugin:
User Management
Plugin Slug:
user-management
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

UserPlus

Plugin:
UserPlus
Plugin Slug:
userplus
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

WDES Responsive Mobile Menu

Plugin:
WDES Responsive Mobile Menu
Plugin Slug:
wdes-responsive-mobile-menu
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

WP Githuber MD

Plugin:
WP Githuber MD
Plugin Slug:
wp-githuber-md
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Log Viewer

Plugin:
WP Log Viewer
Plugin Slug:
wp-log-viewer
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

wp-login customizer

Plugin:
wp-login customizer
Plugin Slug:
wp-login-customizer
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Quick Setup

Plugin:
WP Quick Setup
Plugin Slug:
wp-quick-setup
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

WP-Strava

Plugin:
WP-Strava
Plugin Slug:
wp-strava
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Video Robot – The Ultimate Video Importer

Plugin:
WordPress Video Robot – The Ultimate Video Importer
Plugin Slug:
wp-video-robot
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Video Robot – The Ultimate Video Importer

Plugin:
WordPress Video Robot – The Ultimate Video Importer
Plugin Slug:
wp-video-robot
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Premium Packages

Plugin:
Premium Packages
Plugin Slug:
wpdm-premium-packages
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Writer Helper

Plugin:
Writer Helper
Plugin Slug:
writer-helper
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Youneeq Recommendations

Plugin:
Youneeq Recommendations
Plugin Slug:
youneeq-panel
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ZIJ KART

Plugin:
ZIJ KART
Plugin Slug:
zij-kart
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Google for WooCommerce

Plugin Slug:
google-listings-and-ads
Installations
900,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
2.8.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.8.7.

Migration, Backup, Staging – WPvivid Backup & Migration

Plugin Slug:
wpvivid-backuprestore
Installations
600,000+
Vulnerability:
PHP Object Injection
Patched in Version:
0.9.108
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 0.9.108.

Happy Addons for Elementor

Plugin Slug:
happy-elementor-addons
Installations
400,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.12.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.12.6.

Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Plugin Slug:
post-smtp
Installations
400,000+
Vulnerability:
SQL Injection
Patched in Version:
2.9.10
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.9.10.

Hide My WP Ghost – Security & Firewall

Plugin Slug:
hide-my-wp
Installations
200,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.3.02
Severity Score:
High
The vulnerability has been patched, so you should update to version 5.3.02.

WP Activity Log

Plugin Slug:
wp-security-audit-log
Installations
200,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.2.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 5.2.2.

Admin and Site Enhancements (ASE)

Plugin Slug:
admin-site-enhancements
Installations
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
7.5.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.5.2.

Simple Local Avatars

Plugin Slug:
simple-local-avatars
Installations
100,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.8.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.8.0.

Advanced Order Export For WooCommerce

Plugin Slug:
woo-order-export-lite
Installations
100,000+
Vulnerability:
PHP Object Injection
Patched in Version:
3.5.6
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.5.6.

WP Chat App

Plugin Slug:
wp-whatsapp
Installations
100,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.6.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.6.9.

Customer Reviews for WooCommerce

Plugin Slug:
customer-reviews-woocommerce
Installations
70,000+
Vulnerability:
Broken Access Control
Patched in Version:
5.62.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.62.0.

Futurio Extra

Plugin Slug:
futurio-extra
Installations
20,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.0.14
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.14.

Backup and Staging by WP Time Capsule

Plugin Slug:
wp-time-capsule
Installations
20,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
1.22.22
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 1.22.22.

404 Solution

Plugin Slug:
404-solution
Installations
10,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
2.35.18
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.35.18.

AFI – The Easiest Integration Plugin

Plugin Slug:
advanced-form-integration
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.92.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.92.1.

JetWidgets For Elementor

Plugin Slug:
jetwidgets-for-elementor
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.19
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.19.

Jobs for WordPress

Plugin Slug:
job-postings
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.7.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.7.8.

Music Player for Elementor – Audio Player & Podcast Player

Plugin Slug:
music-player-for-elementor
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.4.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.4.2.

Popularis Extra

Plugin Slug:
popularis-extra
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.2.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.8.

Contact Form 7 Redirect & Thank You Page

Plugin Slug:
cf7-redirect-thank-you-page
Installations
7,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.0.7.

Plugin Slug:
boostify-header-footer-builder
Installations
6,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
1.3.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.7.

Hash Elements

Plugin Slug:
hash-elements
Installations
6,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.4.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.8.

Simple File List

Plugin Slug:
simple-file-list
Installations
6,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
6.1.13
Severity Score:
High
The vulnerability has been patched, so you should update to version 6.1.13.

Podlove Podcast Publisher

Plugin Slug:
podlove-podcasting-plugin-for-wordpress
Installations
5,000+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
4.1.17
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.1.17.

Multiple Page Generator Plugin – MPG

Plugin Slug:
multiple-pages-generator-by-porthas
Installations
3,000+
Vulnerability:
Path Traversal
Patched in Version:
4.0.3
Severity Score:
Low
The vulnerability has been patched, so you should update to version 4.0.3.

Parallax Image

Plugin Slug:
parallax-image
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.9.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.9.1.

RSS Feed Widget

Plugin Slug:
rss-feed-widget
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.0.1.

Yotpo: Product & Photo Reviews for WooCommerce

Plugin Slug:
yotpo-social-reviews-for-woocommerce
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7.10
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.7.10.

Chartify – WordPress Chart Plugin

Plugin Slug:
chart-builder
Installations
2,000+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
2.9.6
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.9.6.

Email Subscription Popup

Plugin Slug:
email-subscribe
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.23
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.23.

Mapster WP Maps

Plugin Slug:
mapster-wp-maps
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.0.

Slickstream: Engagement and Conversions

Plugin Slug:
slick-engagement
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.0.

SVG Block

Plugin:
SVG Block
Plugin Slug:
svg-block
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.25
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.25.

Kognetiks Chatbot for WordPress

Plugin Slug:
chatbot-chatgpt
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.1.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.9.

Kognetiks Chatbot for WordPress

Plugin Slug:
chatbot-chatgpt
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.1.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.8.

Kognetiks Chatbot for WordPress

Plugin Slug:
chatbot-chatgpt
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.1.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.8.

Kognetiks Chatbot for WordPress

Plugin Slug:
chatbot-chatgpt
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.1.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.1.8.

Kognetiks Chatbot for WordPress

Plugin Slug:
chatbot-chatgpt
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.1.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.8.

Event Tickets with Ticket Scanner

Plugin Slug:
event-tickets-with-ticket-scanner
Installations
1,000+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
2.3.12
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.3.12.

GD Rating System

Plugin Slug:
gd-rating-system
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.6.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.6.2.

Login using WordPress Users ( WP as SAML IDP )

Plugin Slug:
miniorange-wp-as-saml-idp
Installations
1,000+
Vulnerability:
SQL Injection
Patched in Version:
1.15.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.15.7.

Product Delivery Date for WooCommerce – Lite

Plugin Slug:
product-delivery-date-for-woocommerce-lite
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.8.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.8.1.

Razorpay Payment Button Elementor Plugin

Plugin Slug:
razorpay-payment-button-elementor
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.6
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.2.6.

W3SPEEDSTER

Plugin Slug:
w3speedster-wp
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
7.27
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.27.

xili-tidy-tags

Plugin Slug:
xili-tidy-tags
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.12.05
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.12.05.

GPX Viewer

Plugin:
GPX Viewer
Plugin Slug:
gpx-viewer
Installations
700+
Vulnerability:
Arbitrary File Upload
Patched in Version:
2.2.10
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.2.10.

CYAN Backup

Plugin Slug:
cyan-backup
Installations
500+
Vulnerability:
Arbitrary File Download
Patched in Version:
2.5.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.5.4.

CM Table Of Contents – WordPress TOC Plugin

Plugin Slug:
cm-table-of-content
Installations
400+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.2.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.3.

CDI – Collect and Deliver Interface for Woocommerce

Plugin Slug:
collect-and-deliver-interface-for-woocommerce
Installations
300+
Vulnerability:
Arbitrary File Upload
Patched in Version:
5.5.6
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 5.5.6.

Opal Woo Custom Product Variation

Plugin Slug:
opal-woo-custom-product-variation
Installations
200+
Vulnerability:
Arbitrary File Deletion
Patched in Version:
1.1.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.1.4.

Print PDF Generator and Publisher

Plugin Slug:
nopeamedia
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.0.

WordPress Bootscraper

Plugin Slug:
wp-bootscraper
Installations
40+
Vulnerability:
Local File Inclusion
Patched in Version:
4.0.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 4.0.0.

Hebrew Dates

Plugin Slug:
hebrewdates
Installations
10+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.3.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.3.0.

Floating Buttons for WooCommerce

Plugin Slug:
shop-assistant-for-woocommerce-jarvis
Installations
10+
Vulnerability:
Broken Access Control
Patched in Version:
2.9.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.9.2.

kineticPay for WooCommerce

Plugin:
kineticPay for WooCommerce
Plugin Slug:
kineticpay-for-woocommerce
Vulnerability:
Arbitrary File Upload
Patched in Version:
3.0
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.0.

Luna Web Radio Player

Plugin:
Luna Web Radio Player
Plugin Slug:
lu-radioplayer
Vulnerability:
Directory Traversal
Patched in Version:
6.24.11.07
Severity Score:
High
The vulnerability has been patched, so you should update to version 6.24.11.07.

Pie Register Premium

Plugin:
Pie Register Premium
Plugin Slug:
pie-register-premium
Vulnerability:
Broken Access Control
Patched in Version:
3.8.3.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.8.3.3.

Really Simple Security Pro

Plugin:
Really Simple Security Pro
Plugin Slug:
really-simple-ssl-pro
Vulnerability:
Broken Authentication
Patched in Version:
9.1.2
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 9.1.2.

Really Simple Security Pro multisite

Plugin:
Really Simple Security Pro multisite
Plugin Slug:
really-simple-ssl-pro-multisite
Vulnerability:
Broken Authentication
Patched in Version:
9.1.2
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 9.1.2.

WooCommerce Upload Files

Plugin:
WooCommerce Upload Files
Plugin Slug:
woocommerce-upload-files
Vulnerability:
Arbitrary File Upload
Patched in Version:
84.4
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 84.4.

WordPress GDPR & CCPA

Plugin:
WordPress GDPR & CCPA
Plugin Slug:
wordpress-gdpr
Vulnerability:
Broken Access Control
Patched in Version:
2.0.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.3.

WordPress GDPR & CCPA

Plugin:
WordPress GDPR & CCPA
Plugin Slug:
wordpress-gdpr
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.0.3.

User Extra Fields

Plugin:
User Extra Fields
Plugin Slug:
wp-user-extra-fields
Vulnerability:
Arbitrary File Deletion
Patched in Version:
16.7
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 16.7.

User Extra Fields

Plugin:
User Extra Fields
Plugin Slug:
wp-user-extra-fields
Vulnerability:
Privilege Escalation
Patched in Version:
16.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 16.7.

WordPress Themes — 2 Patched / 4 Unpatched

Airin Blog

Theme Slug:
airin-blog
Downloads
7,650
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should switch themes.

Gameplan

Theme:
Gameplan
Theme Slug:
gameplan
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

ReConstruction

Theme:
ReConstruction
Theme Slug:
reconstruction
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Xin

Theme:
Xin
Theme Slug:
xin
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should switch themes.

Ashe

Theme:
Ashe
Theme Slug:
ashe
Downloads
2,031,980
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.244
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.244.

Bard

Theme:
Bard
Theme Slug:
bard
Downloads
934,286
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.217
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.217.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!