Welcome to Patchstack’s WordPress vulnerability overview for the week of July 3 – 9, 2024.
As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don’t use the Patchstack app (yet).
The first part of the report outlines the most popular plugins you likely have installed on your sites. Then explore the rest of our list for other, less widely installed plugins that have vulnerabilities and that you may also be running.
Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers are able to issue an update.
WordPress vulnerability landscape (July 3 – 9, 2024)
- New WordPress vulnerabilities added to Patchstack’s database: 213
- Vulnerabilities discovered by Patchstack: 101
- Currently undisclosed vulnerabilities due to 48hr early warning available to Patchstack users: 30
How severe were this week’s vulnerabilities?
WordPress vulnerabilities are categorized according to Patchstack’s Patch Priority Score (i.e., the likelihood of a vulnerability resulting in significant exploitation), ranging from low severity to high severity. High-severity vulnerabilities should be patched as soon as possible.
Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.
Low-severity vulnerabilities this week | Medium-severity vulnerabilities | High-severity vulnerabilities |
--- | --- | --- |
173 | 21 | 19 |
Most dangerous vulnerabilities from last week
Last week we added several high-severity vulnerabilities to our database, some in very popular plugins.
If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:
- SEOPress < 7.9 – PHP Object Injection
- WordPress JetThemeCore Plugin < 2.2.1 – Arbitrary File Deletion
- ProfileGrid Plugin <= 5.8.9 – Privilege Escalation
- WordPress Product Table by WBW Plugin <= 2.0.1 – Remote Code Execution (RCE)
- Zephyr Project Manager Plugin <= 3.3.97 – Privilege Escalation
- Church Admin Plugin <= 4.4.6 – Arbitrary File Upload
WordPress vulnerabilities discovered from June 26 to July 2, 2024
Vulnerable plugins with 100K+ installs
Elementor – Header, Footer & Blocks Template
Cross Site Scripting (XSS). Update the WordPress Elementor – Header, Footer & Blocks Template plugin to the latest available version (at least 1.6.36).
Ninja Forms
Broken Access Control. Update the WordPress Ninja Forms plugin to the latest available version (at least 3.8.5).
Spectra
Broken Access Control. Update the WordPress Spectra plugin to the latest available version (at least 2.13.8).
Premium Addons for Elementor
Cross Site Scripting (XSS). Update the WordPress Premium Addons for Elementor plugin to the latest available version (at least 4.10.36).
Premium Addons for Elementor
Denial of Service Attack. Update the WordPress Premium Addons for Elementor plugin to the latest available version (at least 4.10.36).
The Events Calendar
Cross Site Request Forgery (CSRF). Update the WordPress The Events Calendar plugin to the latest available version (at least 6.5.1.5).
Ocean Extra
Cross Site Scripting (XSS). Update the WordPress Ocean Extra plugin to the latest available version (at least 2.3.0).
SEOPress
PHP Object Injection. Update the WordPress SEOPress plugin to the latest available version (at least 7.9).
Gutenberg
Cross Site Scripting (XSS). Update the WordPress Gutenberg plugin to the latest available version (at least 18.6.1).
Ultimate Addons for Elementor
Privilege Escalation. Update the WordPress Ultimate Addons for Elementor plugin to the latest available version (at least 1.36.32).
Hestia Theme
Cross Site Request Forgery (CSRF). Update the WordPress Hestia theme to the latest available version (at least 3.1.3).
Blocksy Theme
Cross Site Request Forgery (CSRF). Update the WordPress Blocksy theme to the latest available version (at least 2.0.23).
The Plus Addons for Elementor Page Builder Lite
Cross Site Scripting (XSS). Update the WordPress The Plus Addons for Elementor Page Builder Lite plugin to the latest available version (at least 5.6.2).
Nested Pages
Cross Site Request Forgery (CSRF). Update the WordPress Nested Pages plugin to the latest available version (at least 3.2.8).
Beaver Builder
Cross Site Scripting (XSS). Update the WordPress Beaver Builder plugin to the latest available version (at least 2.8.3).
Vulnerable plugins with fewer than 100K installs
The following is a full list of plugins added to our database that have fewer than 100,000 installs.
High & Medium priority vulnerabilities are expected to be exploited and are receiving Patchstack’s virtual patch protection.
Low priority vulnerabilities are not expected to be exploited, but you should update those plugins regardless.
Plugin or theme name | Vulnerability | Patch Priority score |
--- | --- | --- |
JetThemeCore | Arbitrary File Deletion | High priority |
ProfileGrid | Privilege Escalation | High priority |
Product Table by WBW | Remote Code Execution (RCE) | High priority |
Zephyr Project Manager | Privilege Escalation | High priority |
Church Admin | Arbitrary File Upload | High priority |
Modern Events Calendar | Arbitrary File Upload | High priority |
Modern Events Calendar Lite | Arbitrary File Upload | High priority |
WordPress Form Builder Plugin – Gutenberg Forms | Arbitrary File Upload | High priority |
IQ Testimonials | Arbitrary File Upload | High priority |
Woffice Core | Broken Access Control | High priority |
BookYourTravel | Privilege Escalation | High priority |
Pie Register | Broken Access Control | High priority |
The Post Grid | Broken Access Control | Medium priority |
Woffice Core | Cross Site Scripting (XSS) | Medium priority |
Woffice | Cross Site Scripting (XSS) | Medium priority |
Charitable | Broken Access Control | Medium priority |
bbPress Notify | Cross Site Scripting (XSS) | Medium priority |
IMGspider | Arbitrary File Upload | Medium priority |
WP Directory Kit | Cross Site Scripting (XSS) | Medium priority |
WooCommerce Social Login | PHP Object Injection | Medium priority |
One Click Order Re-Order | Cross Site Scripting (XSS) | Medium priority |
MakeCommerce for WooCommerce | Cross Site Scripting (XSS) | Medium priority |
PayPlus Payment Gateway | Cross Site Scripting (XSS) | Medium priority |
IdeaPush | Cross Site Scripting (XSS) | Medium priority |
XPlainer – WooCommerce Product FAQ | Cross Site Scripting (XSS) | Medium priority |
Responsive Image Gallery, Gallery Album | Broken Access Control | Medium priority |
File Manager Advanced Shortcode | Arbitrary File Upload | Medium priority |
ScrollTo Top | Cross Site Request Forgery (CSRF) | Medium priority |
Default Thumbnail Plus | Arbitrary File Upload | Medium priority |
XPlainer – WooCommerce Product FAQ | Cross Site Scripting (XSS) | Medium priority |
Easy Pixels | Cross Site Scripting (XSS) | Medium priority |
EventON | Cross Site Scripting (XSS) | Medium priority |
SCSS Happy Compiler | Cross Site Scripting (XSS) | Medium priority |
The Post Grid | Broken Access Control | Low priority |
The Post Grid | Broken Access Control | Low priority |
Paid Memberships Pro | SQL Injection | Low priority |
Featured Image from URL | Broken Access Control | Low priority |
Amelia | Backdoor | Low priority |
Livemesh Addons for Elementor | Local File Inclusion | Low priority |
Ultimate Blocks – Gutenberg Blocks Plugin | Cross Site Scripting (XSS) | Low priority |
Ashe | Cross Site Request Forgery (CSRF) | Low priority |
Pixel Manager for WooCommerce | Backdoor | Low priority |
WP Lightbox 2 | Cross Site Scripting (XSS) | Low priority |
Social Warfare | Backdoor | Low priority |
Apollo13 Framework Extensions | Cross Site Scripting (XSS) | Low priority |
Rife Free | Cross Site Request Forgery (CSRF) | Low priority |
WP User Frontend | Backdoor | Low priority |
weForms | Backdoor | Low priority |
Meks Easy Ads Widget | Cross Site Scripting (XSS) | Low priority |
Noptin | Broken Access Control | Low priority |
Highlight | Cross Site Request Forgery (CSRF) | Low priority |
GPT3 AI Content Writer | Cross Site Scripting (XSS) | Low priority |
Mega Elements | Cross Site Scripting (XSS) | Low priority |
Newsmatic | Broken Access Control | Low priority |
Product Customer List for WooCommerce | Backdoor | Low priority |
Bard | Cross Site Request Forgery (CSRF) | Low priority |
Eventin | Cross Site Scripting (XSS) | Low priority |
Charitable | Broken Access Control | Low priority |
Swift Performance Lite | Cross Site Request Forgery (CSRF) | Low priority |
NEX-Forms – Ultimate Form Builder | Cross Site Scripting (XSS) | Low priority |
Sentry | Backdoor | Low priority |
Youzify | SQL Injection | Low priority |
Table & Contact Form 7 Database – Tablesome | Sensitive Data Exposure | Low priority |
YITH WooCommerce Affiliates | Backdoor | Low priority |
Create by Mediavine | Cross Site Scripting (XSS) | Low priority |
ProfileGrid | Broken Access Control | Low priority |
Ultimate Bootstrap Elements for Elementor | Local File Inclusion | Low priority |
Beaver Builder Addons by WPZOOM | Local File Inclusion | Low priority |
WPCafe | Local File Inclusion | Low priority |
Snippet Shortcodes | Cross Site Request Forgery (CSRF) | Low priority |
WPJAM Basic | Backdoor | Low priority |
AWSM Team | Local File Inclusion | Low priority |
FireBox | Backdoor | Low priority |
HelloAsso | Cross Site Scripting (XSS) | Low priority |
Posterity | Cross Site Request Forgery (CSRF) | Low priority |
Online Booking & Scheduling Calendar for WordPress by vcita | Local File Inclusion | Low priority |
FileBird Document Library | Sensitive Data Exposure | Low priority |
Advanced Classifieds & Directory Pro | Local File Inclusion | Low priority |
ShopBuilder – Elementor WooCommerce Builder Addons | Local File Inclusion | Low priority |
CRM Perks Forms | Broken Access Control | Low priority |
YAHMAN Add-ons | Backdoor | Low priority |
Rara Business | Cross Site Request Forgery (CSRF) | Low priority |
Construction Landing Page | Cross Site Request Forgery (CSRF) | Low priority |
Business One Page | Broken Access Control | Low priority |
Premium Blocks – Gutenberg Blocks for WordPress | Cross Site Scripting (XSS) | Low priority |
Login Logo Editor | Cross Site Scripting (XSS) | Low priority |
Ultimate Auction | Cross Site Request Forgery (CSRF) | Low priority |
SuperSaaS – online appointment scheduling | Cross Site Scripting (XSS) | Low priority |
Trendy News | Cross Site Request Forgery (CSRF) | Low priority |
Newspack Ads | Cross Site Scripting (XSS) | Low priority |
Newspack Newsletters | Broken Access Control | Low priority |
Newspack Campaigns | Cross Site Scripting (XSS) | Low priority |
Newspack Content Converter | Broken Access Control | Low priority |
OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) | Backdoor | Low priority |
Tooltip for Gravity Forms | Backdoor | Low priority |
nicen-localize-image | Backdoor | Low priority |
Bakes And Cakes | Broken Access Control | Low priority |
Metro Magazine | Broken Access Control | Low priority |
Lawyer Landing Page | Cross Site Request Forgery (CSRF) | Low priority |
CopySafe Web Protection | Cross Site Scripting (XSS) | Low priority |
zBench | Cross Site Scripting (XSS) | Low priority |
CC & BCC for Woocommerce Order Emails | Cross Site Scripting (XSS) | Low priority |
Elementor Addons, Widgets and Enhancements – Stax | Cross Site Scripting (XSS) | Low priority |
Get Better Reviews for WooCommerce | Broken Access Control | Low priority |
Floating Social Media Links | Cross Site Scripting (XSS) | Low priority |
Image Hover Effects – Caption Hover with Carousel | Cross Site Scripting (XSS) | Low priority |
Save as PDF plugin by Pdfcrowd | Cross Site Scripting (XSS) | Low priority |
Simple Social Share | Cross Site Scripting (XSS) | Low priority |
Leaky Paywall | Cross Site Request Forgery (CSRF) | Low priority |
Contact Form 7 Multi-Step Addon | Backdoor | Low priority |
TotalSurvey | Backdoor | Low priority |
Weight Tracker | Backdoor | Low priority |
Taager | Backdoor | Low priority |
Comment Reply Email | Cross Site Scripting (XSS) | Low priority |
TotalRating Pro | Backdoor | Low priority |
WP To Do | Cross Site Scripting (XSS) | Low priority |
WS Theme Addons | Backdoor | Low priority |
Amelia Shortcode Extended | Backdoor | Low priority |
Link To Bible | Cross Site Scripting (XSS) | Low priority |
Meal Tracker | Backdoor | Low priority |
BLAZE Retail Widget | Backdoor | Low priority |
Canvas-Nest.js | Backdoor | Low priority |
Logic Hop | Backdoor | Low priority |
ShipAny | Backdoor | Low priority |
Easy Custom Code (LESS/CSS/JS) – Live editing | Cross Site Scripting (XSS) | Low priority |
Integration for Luminate and Gravity Forms | Backdoor | Low priority |
Contact Form by TotalForm | Backdoor | Low priority |
WS Contact Form | Cross Site Scripting (XSS) | Low priority |
Easy Speedup by PageCDN | Backdoor | Low priority |
WebSitter Pro | Backdoor | Low priority |
Qualified Electronic Signatures by eID Easy | Backdoor | Low priority |
ADDRESSYA | Backdoor | Low priority |
Field Day | Backdoor | Low priority |
Ideaplus | Backdoor | Low priority |
Magic Conversation For Gravity Forms | Backdoor | Low priority |
Viva Payments | Backdoor | Low priority |
Mine Video Player | Backdoor | Low priority |
Alfred Easy Shipping | Backdoor | Low priority |
wp-code-highlightjs | Backdoor | Low priority |
Jobs.af | Backdoor | Low priority |
Word Balloon | Backdoor | Low priority |
Digital River Global Commerce | Backdoor | Low priority |
Simply Show Hooks | Backdoor | Low priority |
alfred24 Click & Collect | Backdoor | Low priority |
CommandBar for WP Admin | Backdoor | Low priority |
Himer | Cross Site Request Forgery (CSRF) | Low priority |
Himer | Cross Site Scripting (XSS) | Low priority |
WPQA – Builder forms Addon | Cross Site Scripting (XSS) | Low priority |
WPQA – Builder forms Addon | Cross Site Request Forgery (CSRF) | Low priority |
Livemesh Addons for Elementor | Cross Site Scripting (XSS) | Low priority |
Social Media & Share Icons | Cross Site Scripting (XSS) | Low priority |
Template Kit – Export | Cross Site Scripting (XSS) | Low priority |
Testimonials Widget | Cross Site Scripting (XSS) | Low priority |
UltraAddons Elementor Lite | Cross Site Scripting (XSS) | Low priority |
WordPress Notification Bar | Cross Site Scripting (XSS) | Low priority |
WP Cookie Law Info | Cross Site Scripting (XSS) | Low priority |
WPFavicon | Cross Site Request Forgery (CSRF) | Low priority |
Houzez Theme – Functionality | SQL Injection | Low priority |
Media Hygiene | Broken Access Control | Low priority |
Houzez CRM | SQL Injection | Low priority |
File Manager Advanced Shortcode | Directory Traversal | Low priority |
Blog, Posts and Category Filter for Elementor | Cross Site Scripting (XSS) | Low priority |
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | SQL Injection | Low priority |
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | Cross Site Scripting (XSS) | Low priority |
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | Bypass Vulnerability | Low priority |
Advanced AJAX Page Loader | Cross Site Request Forgery (CSRF) | Low priority |
ScrollTo Bottom | Cross Site Request Forgery (CSRF) | Low priority |
Attachment File Icons | Cross Site Request Forgery (CSRF) | Low priority |
Generate PDF using Contact Form 7 | Cross Site Request Forgery (CSRF) | Low priority |
Bit Form – Contact Form Plugin | Arbitrary File Upload | Low priority |
Cliengo – Chatbot | Broken Access Control | Low priority |
Cliengo – Chatbot | Broken Access Control | Low priority |
Extensions for Elementor | Cross Site Scripting (XSS) | Low priority |
Genesis Blocks | Cross Site Scripting (XSS) | Low priority |
XPlainer – WooCommerce Product FAQ | Broken Access Control | Low priority |
WP2Speed Faster | Broken Authentication | Low priority |
Product Designer | Broken Access Control | Low priority |
Webico Slider Flatsome Addons | Cross Site Scripting (XSS) | Low priority |
OSM – OpenStreetMap | SQL Injection | Low priority |
Pricing Table | Cross Site Request Forgery (CSRF) | Low priority |
Pricing Table | Broken Access Control | Low priority |
Comment Images Reloaded | Broken Access Control | Low priority |
Simple Alert Boxes | Cross Site Scripting (XSS) | Low priority |
Panda Video | Local File Inclusion | Low priority |
Panda Video | Cross Site Scripting (XSS) | Low priority |
LearnDash LMS – Reports | Broken Access Control | Low priority |
WPBITS Addons For Elementor Page Builder | Cross Site Scripting (XSS) | Low priority |
oik | Cross Site Scripting (XSS) | Low priority |
DN Footer Contacts | Cross Site Scripting (XSS) | Low priority |
URL Shortener by MyThemeShop | Cross Site Scripting (XSS) | Low priority |
Easy Table of Contents | Cross Site Scripting (XSS) | Low priority |
Kiwi | Sensitive Data Exposure | Low priority |
Just Custom Fields | Broken Access Control | Low priority |
Just Custom Fields | Cross Site Request Forgery (CSRF) | Low priority |
Squelch Tabs and Accordions Shortcodes | Cross Site Scripting (XSS) | Low priority |
How does Patchstack make WordPress safer?
Patchstack protects WordPress websites against vulnerable plugins. As the #1 vulnerability processor (CNA) globally, we maintain a database of over 18,000 vulnerabilities. Our users receive 48-hour early warning for new vulnerabilities and real-time vPatching to protect their websites until the vulnerabilities are resolved.
Start getting tailored notifications for the plugins installed on your site for free. Sign up today!