Start FREE

Patchstack’s Weekly WordPress Vulnerability Overview – July 10 to 16, 2024

Published 17 July 2024
Lana Rafaela
Lana Rafaela is Lifecycle Marketing Manager at Patchstack.
Table of Contents

Welcome to Patchstack’s WordPress vulnerability overview for the week of July 10 – 16, 2024.

As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don’t use the Patchstack app (yet).

The first part of the report outlines the most popular plugins you likely have installed on your sites. Then, explore the rest of our list for other plugins you may have installed, and which have vulnerabilities.

Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers are able to issue an update.

WordPress vulnerability landscape (July 10 – 16, 2024)

  • New WordPress vulnerabilities added to Patchstack’s database: 218
  • Vulnerabilities discovered by Patchstack: 121
  • Currently undisclosed vulnerabilities due to 48hr early warning available to Patchstack users: 60

How severe were this week’s vulnerabilities?

WordPress vulnerabilities are categorized according to Patchstack’s Patch Priority Score (i.e., likelihood of resulting in significant exploits), ranging from low-severity vulnerabilities to high-severity, which should be updated as soon as possible.

Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.

Low-severity vulnerabilities this weekMedium-severity vulnerabilitiesHigh-severity vulnerabilities
1634213

The most dangerous vulnerabilities from last week

Last week we added several high-severity vulnerabilities to our database, some in very popular plugins.

If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:

WordPress vulnerabilities discovered from July 10 to 16, 2024

Vulnerable plugins with 100K+ installs

WPS Hide Login

Bypass Vulnerability. Update the WordPress WPS Hide Login plugin to the latest available version (at least 1.9.16.4).

1M
CVSS 5.3

Duplicator

Full Path Disclosure (FPD). Update the WordPress Duplicator plugin to the latest available version (at least 1.5.10).

1M
CVSS 5.3

Premium Addons for Elementor

Cross Site Scripting (XSS). Update the WordPress Premium Addons for Elementor plugin to the latest available version (at least 4.10.37).

700K
CVSS 6.5

NextGEN Gallery

Cross Site Scripting (XSS). Update the WordPress NextGEN Gallery plugin to the latest available version (at least 3.59.3).

500K
CVSS 5.9

User Feedback

Cross Site Scripting (XSS). Update the WordPress User Feedback plugin to the latest available version (at least 1.0.16).

200K
CVSS 7.1

HUSKY

SQL Injection. Update the WordPress HUSKY plugin to the latest available version (at least 1.3.6.1).

100K
CVSS 9.3

Inline Related Posts

Cross Site Scripting (XSS). Update the WordPress Inline Related Posts plugin to the latest available version (at least 3.7.0).

100K
CVSS 7.1

Titan Anti-spam & Security

Broken Access Control. No patched version is available. No reply from the vendor. WP plugins review team was notified.

100K
CVSS 6.5

HT Mega

Path Traversal. Update the WordPress HT Mega plugin to the latest available version (at least 2.5.8).

100K
CVSS 6.5

MaxButtons

Cross Site Scripting (XSS). Update the WordPress MaxButtons plugin to the latest available version (at least 9.7.8).

100K
CVSS 5.9

Search & Replace

Deserialization of untrusted data. No patched version is available. No reply from the vendor. WP plugins review team was notified.

100K
CVSS 5.4

Feeds for YouTube

Cross Site Scripting (XSS). Update the WordPress Feeds for YouTube plugin to the latest available version (at least 2.2.2).

100K
CVSS 6.5

VK All in One Expansion Unit

Cross Site Scripting (XSS). No patched version is available. No reply from the vendor.

100K
CVSS 6.5

Vulnerable plugins with up to 100K+ installs

The following is a full list of plugins added to our database with fewer than 100,000 installs.

3 & 4 Priority vulnerabilities are expected to be exploited and receive Patchstack’s virtual patch protection.

Vulnerabilities with scores below 3 are not expected to become exploited, but you should update those plugins regardless.

Plugin nameVulnerabilityPatch Priority score
EmbedPressBroken Access Control2
YITH WooCommerce Ajax Product FilterCross Site Scripting (XSS)2
Brizy – Page BuilderBroken Access Control1
Matomo AnalyticsCross Site Request Forgery (CSRF)1
Event TicketsCross Site Request Forgery (CSRF)1
OnePressCross Site Scripting (XSS)1
Tutor LMSCross Site Scripting (XSS)1
Auto Featured Image (Auto Post Thumbnail)Broken Access Control1
WP RSS AggregatorBroken Access Control1
Phlox PortfolioCross Site Scripting (XSS)1
Image Hover Effects – Elementor AddonCross Site Scripting (XSS)1
Ultimate Blocks – Gutenberg Blocks PluginCross Site Scripting (XSS)1
Internal Link Juicer: SEO Auto Linker for WordPressCross Site Request Forgery (CSRF)1
DittyCross Site Scripting (XSS)1
PowerPress PodcastingCross Site Scripting (XSS)1
Social Media WidgetCross Site Scripting (XSS)1
Qi BlocksCross Site Scripting (XSS)1
Quiz And Survey MasterCross Site Scripting (XSS)1
Index WP MySQL For SpeedCross Site Scripting (XSS)2
FULL CustomerCross Site Scripting (XSS)2
Seriously Simple PodcastingCross Site Scripting (XSS)1
WP PopupsFull Path Disclosure (FPD)1
Master Addons for ElementorCross Site Scripting (XSS)1
Team MembersCross Site Scripting (XSS)1
Backup and Staging by WP Time CapsulePrivilege Escalation4
Form Vibes – Database Manager for FormsSQL Injection3
TeraWallet – For WooCommerceSQL Injection3
Login by Auth0Cross Site Scripting (XSS)2
WP Event ManagerCross Site Scripting (XSS)1
WordPress File UploadDirectory Traversal1
User Submitted PostsCross Site Scripting (XSS)1
Giveaways and Contests by RafflePressCross Site Scripting (XSS)1
Image Photo Gallery Final Tiles GridCross Site Scripting (XSS)1
Wholesale SuiteBroken Access Control1
Secure Copy Content Protection and Content LockingCross Site Scripting (XSS)1
Slider by 10WebCross Site Scripting (XSS)1
BrandaFull Path Disclosure (FPD)1
Meks Smart Author WidgetCross Site Scripting (XSS)1
SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizerFull Path Disclosure (FPD)1
MP3 Audio Player for Music, Radio & Podcast by SonaarCross Site Scripting (XSS)1
WP Accessibility Helper (WAH)Broken Access Control1
SmartMagMultiple Vulnerabilities1
WP Photo Album PlusCross Site Scripting (XSS)2
Link LibraryCross Site Scripting (XSS)2
GoftinoCross Site Scripting (XSS)2
XCloner Backup, Restore and MigrateSensitive Data Exposure1
SchedulePressSensitive Data Exposure1
Shortcodes Ultimate ProCross Site Scripting (XSS)1
Product Enquiry for WooCommerceCross Site Scripting (XSS)1
Packlink PRO shipping moduleBroken Access Control1
Metorik – Reports & Email Automation for WooCommerceCross Site Request Forgery (CSRF)1
ReCaptcha Integration for WordPressCross Site Scripting (XSS)1
WP Travel EngineCross Site Scripting (XSS)1
BuddyBoss ThemeCross Site Request Forgery (CSRF)1
Gum Elementor AddonCross Site Scripting (XSS)1
Simple Post NotesCross Site Scripting (XSS)1
If-So Dynamic Content PersonalizationCross Site Scripting (XSS)2
If-So Dynamic Content PersonalizationCross Site Scripting (XSS)1
JSON Content ImporterServer Side Request Forgery (SSRF)1
WP ERPSQL Injection1
Plugin Notes PlusCross Site Scripting (XSS)1
iPanorama 360 WordPress Virtual Tour BuilderBroken Access Control1
ProfileGridInsecure Direct Object References (IDOR)1
JobmonsterArbitrary File Deletion4
JobmonsterPrivilege Escalation4
Advanced post sliderCross Site Scripting (XSS)1
Post Layouts for GutenbergCross Site Scripting (XSS)1
InstaWP ConnectPrivilege Escalation4
Plum: Spin Wheel & Email Pop-upCross Site Scripting (XSS)3
WP QuickLaTeXCross Site Scripting (XSS)1
WP Links PageBroken Access Control1
Send Users EmailSensitive Data Exposure1
Plum: Spin Wheel & Email Pop-upBroken Access Control1
Magical Addons For ElementorServer Side Request Forgery (SSRF)1
Magical Addons For ElementorCross Site Scripting (XSS)1
FusionCross Site Scripting (XSS)1
MStore APIBroken Authentication4
Zoho CampaignsCross Site Scripting (XSS)2
Zoho CRM Lead MagnetCross Site Scripting (XSS)2
CM On Demand Search And ReplaceCross Site Request Forgery (CSRF)1
Watu QuizCross Site Scripting (XSS)1
Google Adsense & Banner Ads by AdsforWPCross Site Request Forgery (CSRF)1
ElementInvader Addons for ElementorCross Site Scripting (XSS)1
VikRentCarCross Site Request Forgery (CSRF)1
Arkhe BlocksCross Site Scripting (XSS)1
Magical Posts Display – Elementor & Gutenberg Posts BlocksCross Site Scripting (XSS)1
PointCross Site Request Forgery (CSRF)1
WP2Speed FasterSensitive Data Exposure1
Generate PDF using Contact Form 7Cross Site Request Forgery (CSRF)1
Woocommerce OpenPosArbitrary File Deletion4
MakeStories (for Google Web Stories)Arbitrary File Download3
Woocommerce OpenPosBroken Access Control3
Woocommerce OpenPosSQL Injection3
Insert or Embed Articulate Content into WordPressArbitrary File Upload2
Simple Responsive SliderCross Site Scripting (XSS)2
AFormsSensitive Data Exposure1
TypebotCross Site Scripting (XSS)1
HitPay Payment Gateway for WooCommerceSensitive Data Exposure1
Realtyna Organic IDX pluginArbitrary File Upload1
Meks Video ImporterBroken Access Control1
Events Calendar for GoogleLocal File Inclusion1
Wallet System for WooCommerceSensitive Data Exposure1
Spiffy CalendarSQL Injection1
Recipe Maker For Your Food Blog from Zip RecipesSensitive Data Exposure1
Cliengo – ChatbotCross Site Request Forgery (CSRF)1
Timeline Module for Beaver BuilderCross Site Scripting (XSS)1
ConeBlog – WordPress Blog WidgetsCross Site Scripting (XSS)1
JSON API UserPrivilege Escalation4
EazyDocsBroken Access Control2
MoloniCross Site Scripting (XSS)2
AdPushCross Site Scripting (XSS)2
ARForms Form BuilderCross Site Scripting (XSS)2
Web and WooCommerce Addons for WPBakery BuilderBroken Access Control1
GlossarySensitive Data Exposure1
SVG BlockCross Site Scripting (XSS)1
Popularis VerseCross Site Request Forgery (CSRF)1
EleFormsBroken Access Control1
Change From EmailCross Site Scripting (XSS)1
EazyDocsCross Site Scripting (XSS)1
Download Button for ElementorCross Site Scripting (XSS)1
ExS WidgetsLocal File Inclusion1
WP Event AggregatorCross Site Scripting (XSS)1
Product Delivery Date for WooCommerce – LiteBroken Access Control1
SKT Skill BarCross Site Scripting (XSS)1
Simple PopupCross Site Scripting (XSS)1
SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)Cross Site Scripting (XSS)1
Calendar.online / Kalender.digitalCross Site Scripting (XSS)1
codocCross Site Scripting (XSS)1
Caxton – Create Pro page layouts in GutenbergCross Site Scripting (XSS)1
Featured Image GeneratorBroken Access Control1
Chained QuizBroken Access Control1
WP User SwitchPrivilege Escalation4
Event postLocal File Inclusion3
Product DesignerArbitrary Content Deletion3
PayPlus Payment GatewaySQL Injection3
Import Spreadsheets from Microsoft ExcelArbitrary File Upload2
Seraphinite Post .DOCX SourceServer Side Request Forgery (SSRF)2
Booking Ultra ProLocal File Inclusion2
WPCSContent Injection2
WooCommerce ReportCross Site Scripting (XSS)2
Appmaker – Convert WooCommerce to Android & iOS Native Mobile AppsCross Site Scripting (XSS)2
Multisite Content Copier/UpdaterCross Site Scripting (XSS)2
WP GoToWebinarCross Site Scripting (XSS)2
WooCommerce Predictive SearchCross Site Scripting (XSS)2
MBE eShipCross Site Scripting (XSS)2
TOCHAT.BECross Site Scripting (XSS)2
CM Email Registration Blacklist and WhitelistCross Site Request Forgery (CSRF)1
OceanicCross Site Request Forgery (CSRF)1
i-transformCross Site Request Forgery (CSRF)1
Zephyr Project ManagerSensitive Data Exposure1
Quotes And TipsArbitrary File Upload1
WappPressServer Side Request Forgery (SSRF)1
Coming SoonSensitive Data Exposure1
DirectoryPressSQL Injection1
TaggboxCross Site Request Forgery (CSRF)1
Animated Rotating WordsCross Site Request Forgery (CSRF)1
Olive One Click Demo ImportSensitive Data Exposure1
MBE eShipSensitive Data Exposure1
Amazing Hover EffectsCross Site Scripting (XSS)1
ReDi Restaurant ReservationBroken Access Control1
Patricia BlogCross Site Request Forgery (CSRF)1
i-amazeCross Site Request Forgery (CSRF)1
MBE eShipCross Site Request Forgery (CSRF)1
Seraphinite Post .DOCX SourceBroken Access Control1
WP Fast Total SearchBroken Access Control1
GD Rating SystemLocal File Inclusion1
WordPress Team ManagerLocal File Inclusion1
Academy LMSBroken Access Control1
SirvBroken Access Control1
WP GoToWebinarBroken Access Control1
Sky Addons for ElementorCross Site Scripting (XSS)1
FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & ElementorCross Site Scripting (XSS)1
Animated Typed JS ShortcodeCross Site Scripting (XSS)1
REVIEWS.ioCross Site Scripting (XSS)1
Booking Ultra ProCross Site Scripting (XSS)1
SKT Addons for ElementorCross Site Scripting (XSS)1
CodePen Embedded Pens ShortcodeCross Site Scripting (XSS)1
Power BI Embedded for WordPressCross Site Scripting (XSS)1
Bradmax PlayerCross Site Scripting (XSS)1
GutSlider – All in One Block SliderCross Site Scripting (XSS)1
Responsive MobileCross Site Scripting (XSS)1
WPBITS Addons For Elementor Page BuilderCross Site Scripting (XSS)1
Gravity Forms: Multiple Form InstancesFull Path Disclosure (FPD)1
Patricia LiteCross Site Request Forgery (CSRF)1
Tabs For WPBakery Page BuilderCross Site Scripting (XSS)1
Barcode Scanner with Inventory & Order ManagerSQL Injection3
BerqWPServer Side Request Forgery (SSRF)2
SociallyViralCross Site Request Forgery (CSRF)1
User Activity Log ProBroken Access Control2
Admin Dashboard RSS FeedCross Site Scripting (XSS)1
Job Board ManagerCross Site Scripting (XSS)2
Contact Form 7 Summary and PrintCross Site Request Forgery (CSRF)1
Master PopupsCross Site Scripting (XSS)1
TournamatchCross Site Scripting (XSS)2
TournamatchCross Site Scripting (XSS)1
Smart Image GalleryCross Site Request Forgery (CSRF)1
Bug LibraryRemote Code Execution (RCE)4
Uncanny Automator ProCross Site Scripting (XSS)2
Affiliate ManagerCross Site Request Forgery (CSRF)1
Embed Peertube PlaylistCross Site Scripting (XSS)1
Website Content in Page or PostCross Site Scripting (XSS)1
HostelCross Site Scripting (XSS)2
OpenPGP Form EncryptionCross Site Scripting (XSS)1
WP Total BrandingCross Site Scripting (XSS)1
SULlyCross Site Scripting (XSS)2
counterpointCross Site Scripting (XSS)2
SULlyCross Site Scripting (XSS)1
SULlyCross Site Request Forgery (CSRF)1
SULlyCross Site Request Forgery (CSRF)1
Support SVGCross Site Scripting (XSS)1
Simple Video DirectoryCross Site Scripting (XSS)1
WP AnnouncementCross Site Scripting (XSS)1
Seraphinite Accelerator (Full, premium)Cross Site Request Forgery (CSRF)1
WP eStoreCross Site Scripting (XSS)2
WP eMemberCross Site Scripting (XSS)2
Affiliate ManagerCross Site Scripting (XSS)2
WP eMemberCross Site Scripting (XSS)2
WP eMemberCross Site Scripting (XSS)2
Swift Framework Page BuilderCross Site Scripting (XSS)2
Light PollCross Site Request Forgery (CSRF)1
WP eStoreCross Site Request Forgery (CSRF)1
Affiliate ManagerCross Site Request Forgery (CSRF)1
WP eMemberArbitrary File Upload1
WP eMemberCross Site Request Forgery (CSRF)1
WP eMemberCross Site Request Forgery (CSRF)1
EventONCross Site Scripting (XSS)1
LapostaSensitive Data Exposure1
Swift Framework Page BuilderCross Site Scripting (XSS)1
Event postCross Site Request Forgery (CSRF)1
FormFlowCross Site Scripting (XSS)1
Payflex Payment GatewayBroken Access Control1
UltraAddons Elementor LiteCross Site Scripting (XSS)1

How does Patchstack make WordPress safer?

Patchstack protects WordPress websites against vulnerable plugins. As the #1 vulnerability processor (CNA) globally, we maintain a database of over 18,000 vulnerabilities. Our users receive 48-hour early warning for new vulnerabilities and real-time vPatching to protect their websites until the vulnerabilities are resolved.

Start getting tailored notifications for the plugins installed on your site for free. Sign up today!

The latest in Weekly vulnerability overview

Protection

PricingWordPressFor agenciesStandard APIDocumentation

Solutions

WordPress securityPlugin auditingManaged VDPBug bountyEnterprise API

Bug bounty

LeaderboardSecurity programsGuidelinesReport
Learn

Resources

Vulnerability database
Vulnerability statistics
Whitepaper 2024
ArticlesJoin Discord

Patchstack

About
Store
CareersMedia kitLinkedInFacebookX
Patchstack logo
© 2024 Patchstack
DPAPrivacy PolicyTerms & ConditionsCo-funded by EU logo
Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu