In this report, 72 vulnerabilities have been publicly disclosed. Security patches for 48 of these plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.
Additionally, there are 24 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress Core
WordPress 6.6.2 is available! This minor release includes 15 bug fixes in Core and 11 in the Block Editor, addressing issues like unexpected CSS specificity changes in certain themes.
WordPress Plugins — 46 Patched / 20 Unpatched
MC4WP: Mailchimp for WordPress
- Plugin:
- MC4WP: Mailchimp for WordPress
- Plugin Slug:
- mailchimp-for-wp
- Installations
- 2,000,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2024-8850
WCFM Marketplace – Multivendor Marketplace for WooCommerce
- Plugin Slug:
- wc-multivendor-marketplace
- Installations
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2024-44009
IMPress for IDX Broker
- Plugin:
- IMPress for IDX Broker
- Plugin Slug:
- idx-broker-platinum
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-44047
WPCargo Track & Trace
- Plugin:
- WPCargo Track & Trace
- Plugin Slug:
- wpcargo
- Installations
- 10,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- Critical
- CVE:
- 2024-44004
Product Carousel Slider & Grid Ultimate for WooCommerce
- Plugin Slug:
- woo-product-carousel-slider-and-grid-ultimate
- Installations
- 9,000+
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-44048
Spice Starter Sites
- Plugin:
- Spice Starter Sites
- Plugin Slug:
- spice-starter-sites
- Installations
- 6,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2024-44003
Gutenberg Blocks – Unlimited blocks For Gutenberg
- Plugin Slug:
- unlimited-blocks
- Installations
- 3,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-44049
Team Showcase
- Plugin:
- Team Showcase
- Plugin Slug:
- team
- Installations
- 2,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2024-44002
Multipurpose Ticket Booking Manager (Bus/Train/Ferry/Boat/Shuttle) | WordPress Plugin
- Plugin Slug:
- bus-booking-manager
- Installations
- 100+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-44037
Accordion Image Menu
- Plugin:
- Accordion Image Menu
- Plugin Slug:
- accordion-image-menu
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2024-8092
Thanh Toán Quét Mã QR Code T? ??ng
- Plugin:
- Thanh Toán Quét Mã QR Code T? ??ng
- Plugin Slug:
- bck-tu-dong-xac-nhan-thanh-toan-chuyen-khoan-ngan-hang
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2024-8914
Kodex Posts likes
- Plugin:
- Kodex Posts likes
- Plugin Slug:
- kodex-posts-likes
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-44036
Limit Login Attempts Plus
- Plugin:
- Limit Login Attempts Plus
- Plugin Slug:
- limit-login-attempts-plus
- Vulnerability:
- Bypass Vulnerability
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4533
Logo Manager For Enamad
- Plugin:
- Logo Manager For Enamad
- Plugin Slug:
- logo-manager-for-enamad
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-5170
Posts reminder
- Plugin:
- Posts reminder
- Plugin Slug:
- posts-reminder
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-8093
WooCommerce Multiple Free Gift
- Plugin:
- WooCommerce Multiple Free Gift
- Plugin Slug:
- woocommerce-multiple-free-gift
- Vulnerability:
- Bypass Vulnerability
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-3459
WP Category Dropdown
- Plugin:
- WP Category Dropdown
- Plugin Slug:
- wp-category-dropdown
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-8103
WP Custom Fields Search
- Plugin:
- WP Custom Fields Search
- Plugin Slug:
- wp-custom-fields-search
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-8364
WP Easy Gallery
- Plugin:
- WP Easy Gallery
- Plugin Slug:
- wp-easy-gallery
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-8437
WP Easy Gallery
- Plugin:
- WP Easy Gallery
- Plugin Slug:
- wp-easy-gallery
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2024-8436
MC4WP: Mailchimp for WordPress
- Plugin:
- MC4WP: Mailchimp for WordPress
- Plugin Slug:
- mailchimp-for-wp
- Installations
- 2,000,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.9.17
- Severity Score:
- Medium
- CVE:
- 2024-8680
W3 Total Cache
- Plugin:
- W3 Total Cache
- Plugin Slug:
- w3-total-cache
- Installations
- 1,000,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.7.6
- Severity Score:
- Low
- CVE:
- 2023-5359
Backuply – Backup, Restore, Migrate and Clone
- Plugin Slug:
- backuply
- Installations
- 200,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 1.3.5
- Severity Score:
- High
- CVE:
- 2024-8669
Photo Gallery by 10Web – Mobile-Friendly Image Gallery
- Plugin Slug:
- photo-gallery
- Installations
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.8.28
- Severity Score:
- Medium
- CVE:
- 2024-44043
WooCommerce Multilingual & Multicurrency with WPML
- Plugin Slug:
- woocommerce-multilingual
- Installations
- 100,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 5.3.7
- Severity Score:
- Medium
- CVE:
- 2024-44006
FOX – Currency Switcher Professional for WooCommerce
- Plugin Slug:
- woocommerce-currency-switcher
- Installations
- 60,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.4.2.2
- Severity Score:
- High
- CVE:
- 2024-8271
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
- Plugin Slug:
- easy-digital-downloads
- Installations
- 50,000+
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 3.3.4
- Severity Score:
- Medium
- CVE:
- 2022-2439
Pixel Cat – Conversion Pixel Manager
- Plugin Slug:
- facebook-conversion-pixel
- Installations
- 50,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.0.6
- Severity Score:
- High
- CVE:
- 2024-8544
Koko Analytics
- Plugin:
- Koko Analytics
- Plugin Slug:
- koko-analytics
- Installations
- 40,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.3.13
- Severity Score:
- High
- CVE:
- 2024-8662
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
- Plugin Slug:
- quiz-master-next
- Installations
- 40,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 9.1.3
- Severity Score:
- Medium
- CVE:
- 2024-8758
Greenshift – animation and page builder blocks
- Plugin Slug:
- greenshift-animation-and-page-builder-blocks
- Installations
- 30,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 9.4
- Severity Score:
- Medium
- CVE:
- 2024-44005
Themify – WooCommerce Product Filter
- Plugin Slug:
- themify-wc-product-filter
- Installations
- 30,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.5.2
- Severity Score:
- Medium
- CVE:
- 2024-44046
Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin
- Plugin Slug:
- mailoptin
- Installations
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.2.70.4
- Severity Score:
- Medium
- CVE:
- 2024-8628
SKT Templates – 100% free Elementor & Gutenberg templates
- Plugin Slug:
- skt-templates
- Installations
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 6.15
- Severity Score:
- High
- CVE:
- 2024-44007
WP Hardening (discontinued)
- Plugin:
- WP Hardening (discontinued)
- Plugin Slug:
- wp-security-hardening
- Installations
- 20,000+
- Vulnerability:
- Bypass Vulnerability
- Patched in Version:
- 1.2.7
- Severity Score:
- Medium
- CVE:
- 2024-6641
BA Book Everything
- Plugin:
- BA Book Everything
- Plugin Slug:
- ba-book-everything
- Installations
- 10,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.6.21
- Severity Score:
- Medium
- CVE:
- 2024-8794
BA Book Everything
- Plugin:
- BA Book Everything
- Plugin Slug:
- ba-book-everything
- Installations
- 10,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 1.6.21
- Severity Score:
- High
- CVE:
- 2024-8795
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
- Plugin Slug:
- charitable
- Installations
- 10,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 1.8.1.15
- Severity Score:
- Critical
- CVE:
- 2024-8791
Gum Elementor Addon
- Plugin:
- Gum Elementor Addon
- Plugin Slug:
- gum-elementor-addon
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.3.8
- Severity Score:
- Medium
- CVE:
- 2024-44035
Maintenance Redirect
- Plugin:
- Maintenance Redirect
- Plugin Slug:
- jf3-maintenance-mode
- Installations
- 10,000+
- Vulnerability:
- Bypass Vulnerability
- Patched in Version:
- 2.1.0
- Severity Score:
- Low
- CVE:
- 2024-45453
WP Booking System – Booking Calendar
- Plugin Slug:
- wp-booking-system
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.0.19.9
- Severity Score:
- High
- CVE:
- 2024-8797
WP Datepicker
- Plugin:
- WP Datepicker
- Plugin Slug:
- wp-datepicker
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.1.2
- Severity Score:
- Medium
- CVE:
- 2024-44042
Affiliate Program Suite — SliceWP Affiliates
- Plugin Slug:
- slicewp
- Installations
- 9,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.1.21
- Severity Score:
- High
- CVE:
- 2024-8714
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
- Plugin Slug:
- radio-player
- Installations
- 6,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.0.79
- Severity Score:
- Medium
- CVE:
- 2024-8267
Seriously Simple Stats
- Plugin:
- Seriously Simple Stats
- Plugin Slug:
- seriously-simple-stats
- Installations
- 6,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.7.0
- Severity Score:
- High
- CVE:
- 2024-8738
WP Travel – Ultimate Travel Booking System, Tour Management Engine
- Plugin Slug:
- wp-travel
- Installations
- 6,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 9.4.0
- Severity Score:
- Medium
- CVE:
- 2024-44039
Garden Gnome Package
- Plugin:
- Garden Gnome Package
- Plugin Slug:
- garden-gnome-package
- Installations
- 5,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.3.0
- Severity Score:
- Medium
- CVE:
- 2024-8657
Geo Mashup
- Plugin:
- Geo Mashup
- Plugin Slug:
- geo-mashup
- Installations
- 4,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.13.13
- Severity Score:
- Medium
- CVE:
- 2024-44008
Waitlist Woocommerce ( Back in stock notifier )
- Plugin Slug:
- waitlist-woocommerce
- Installations
- 4,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.7.6
- Severity Score:
- High
- CVE:
- 2024-8724
PropertyHive
- Plugin:
- PropertyHive
- Plugin Slug:
- propertyhive
- Installations
- 3,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 2.0.20
- Severity Score:
- High
- CVE:
- 2024-8490
Simple Spoiler
- Plugin:
- Simple Spoiler
- Plugin Slug:
- simple-spoiler
- Installations
- 3,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.4
- Severity Score:
- High
- CVE:
- 2024-8479
Appointment & Event Booking Calendar Plugin – Webba Booking
- Plugin Slug:
- webba-booking-lite
- Installations
- 3,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 5.0.50
- Severity Score:
- Medium
- CVE:
- 2024-8432
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
- Plugin Slug:
- buddyforms
- Installations
- 1,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 2.8.12
- Severity Score:
- High
- CVE:
- 2024-8246
AnWP Football Leagues
- Plugin:
- AnWP Football Leagues
- Plugin Slug:
- football-leagues-by-anwppro
- Installations
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 0.16.8
- Severity Score:
- Medium
- CVE:
- 2024-8917
IdeaPush
- Plugin:
- IdeaPush
- Plugin Slug:
- ideapush
- Installations
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 8.69
- Severity Score:
- Medium
- CVE:
- 2024-44041
Login with phone number
- Plugin:
- Login with phone number
- Plugin Slug:
- login-with-phone-number
- Installations
- 1,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 1.7.50
- Severity Score:
- High
- CVE:
- 2024-6482
Share This Image
- Plugin:
- Share This Image
- Plugin Slug:
- share-this-image
- Installations
- 1,000+
- Vulnerability:
- Open Redirection
- Patched in Version:
- 2.04
- Severity Score:
- Medium
- CVE:
- 2024-8761
ShiftController Employee Shift Scheduling
- Plugin Slug:
- shiftcontroller
- Installations
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.9.65
- Severity Score:
- Medium
- CVE:
- 2024-44040
Sunshine Photo Cart: Free Client Photo Galleries for Photographers
- Plugin Slug:
- sunshine-photo-cart
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.2.10
- Severity Score:
- Medium
- CVE:
- 2024-44038
MDTF – Meta Data and Taxonomies Filter
- Plugin Slug:
- wp-meta-data-filter-and-taxonomy-filter
- Installations
- 1,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 1.3.3.4
- Severity Score:
- High
- CVE:
- 2024-8624
MDTF – Meta Data and Taxonomies Filter
- Plugin Slug:
- wp-meta-data-filter-and-taxonomy-filter
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.3.3.4
- Severity Score:
- Medium
- CVE:
- 2024-8623
XT Ajax Add To Cart for WooCommerce
- Plugin Slug:
- xt-woo-ajax-add-to-cart
- Installations
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.1.3
- Severity Score:
- High
- CVE:
- 2024-8716
Webo-facto
- Plugin:
- Webo-facto
- Plugin Slug:
- webo-facto-connector
- Installations
- 900+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 1.41
- Severity Score:
- Critical
- CVE:
- 2024-8853
WP Abstracts
- Plugin:
- WP Abstracts
- Plugin Slug:
- wp-abstracts-manuscripts-manager
- Installations
- 400+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.7.0
- Severity Score:
- Medium
- CVE:
- 2024-44045
Houzez Login Register
- Plugin:
- Houzez Login Register
- Plugin Slug:
- houzez-login-register
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 3.3.0
- Severity Score:
- High
- CVE:
- 2024-21743
WooEvents
- Plugin:
- WooEvents
- Plugin Slug:
- woo-events
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- 4.1.3
- Severity Score:
- Critical
- CVE:
- 2024-8671
WordPress Themes — 2 Patched / 4 Unpatched
Blogvi
- Theme:
- Blogvi
- Theme Slug:
- blogvi
- Downloads
- 25,426
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-35715
Roseta
- Theme:
- Roseta
- Theme Slug:
- roseta
- Downloads
- 97,031
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-45451
Septera
- Theme:
- Septera
- Theme Slug:
- septera
- Downloads
- 126,076
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-45452
Verbosa
- Theme:
- Verbosa
- Theme Slug:
- verbosa
- Downloads
- 108,792
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-44050
Bricks Builder
- Theme:
- Bricks Builder
- Theme Slug:
- bricks
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.10.2
- Severity Score:
- Medium
- CVE:
- 2023-3410
Houzez
- Theme:
- Houzez
- Theme Slug:
- houzez
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 3.3.0
- Severity Score:
- High
- CVE:
- 2024-22303
Solid Security is part of Solid Suite — The best foundation for WordPress websites.
Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
Join us for the next Solid Academy Webinar!
Free weekly webinars that will help you master WordPress and increase your business's bottom line.
What is a WordPress Phishing Attack?
Learn how to identify and prevent phishing attacks on WordPress websites.
Kiki SheldonWebsite Protection: 5 Ways to Keep Your Website Safe
Robust website protection is the shield that stands between your business and relentless cyber attacks. Prioritizing website protection enables businesses to fortify defenses to safeguard their online presence and preserve the trust of their customers in the face of ever-evolving cybersecurity threats.
Kiki Sheldon23 Ideas To Grow Your WordPress Business in 2023
WordPress is the most popular website-building platform worldwide, trusted by numerous brands. WordPress enables you to build a user-friendly and highly reliable site, together with tools and plugins to enhance your marketing and work like a lead magnet. All these features make WordPress the platform chosen by more than 43% of businesses globally.
SolidWP Editorial TeamSign up now — Get SolidWP updates and valuable content straight to your inbox
Sign up
Placeholder text
Placeholder text
Get started with confidence — risk free, guaranteed
