Patchstack’s Weekly WordPress Vulnerability Overview – July 17 to 23, 2024

Published 24 July 2024

Welcome to Patchstack’s WordPress vulnerability overview for the week of July 17 – 23, 2024.

As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don’t use the Patchstack app (yet).

The first part of the report outlines the most popular plugins you likely have installed on your sites. Then, explore the rest of our list for other plugins you may have installed, and which have vulnerabilities.

Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers can issue an update.

WordPress vulnerability landscape (July 17 – 23, 2024)

  • New WordPress vulnerabilities added to Patchstack’s database: 78
  • Vulnerabilities discovered by Patchstack: 34
  • Currently undisclosed vulnerabilities (48-hour early warning available to Patchstack users): 16

🎉 Cause for celebration: This week, Patchstack will officially reach 20,000 vulnerabilities published! Join our bug bounty program to help us get to 30k faster and keep open source safer.

How severe were this week’s vulnerabilities?

WordPress vulnerabilities are categorized according to Patchstack’s Patch Priority Score (i.e., likelihood of resulting in significant exploits), ranging from low-severity vulnerabilities to high-severity, which should be updated as soon as possible.

Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.

Severity                                 | Count
Low-severity vulnerabilities this week   | 58
Medium-severity vulnerabilities          | 5
High-severity vulnerabilities            | 15

The most dangerous vulnerabilities from last week

Last week we added several high-severity vulnerabilities to our database, some in very popular plugins.

If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:

WordPress vulnerabilities discovered from July 17 to 23, 2024

Vulnerable plugins with 100K+ installs

Update each plugin below to the latest available version (at least the version listed in the "Fixed in" column).

Plugin                                  | Vulnerability                            | Fixed in (at least) | Active installs | CVSS
CoBlocks                                | Server Side Request Forgery (SSRF)       | 3.1.12              | 400K            | 4.9
Conditional Fields for Contact Form 7   | Cross Site Request Forgery (CSRF)        | 2.4.14              | 100K            | 4.3
CTX Feed                                | Privilege Escalation                     | 6.5.7               | 100K            | 7.2
Element Pack Elementor Addons           | Cross Site Scripting (XSS)               | 5.6.6               | 100K            | 6.5
Elements kit Elementor addons           | Sensitive Data Exposure                  | 3.2.1               | 1M              | 5.3
GiveWP                                  | Insecure Direct Object References (IDOR) | 3.14.0              | 100K            | 5.4
LiteSpeed Cache                         | Cross Site Request Forgery (CSRF)        | 6.3                 | 5M              | 7.1
Mercado Pago payments for WooCommerce   | Arbitrary File Download                  | 7.6.2               | 100K            | 6.5
Redux Framework                         | Cross Site Scripting (XSS)               | 4.4.18              | 1M              | 7.1
Schema & Structured Data for WP & AMP   | Cross Site Scripting (XSS)               | 1.34.1              | 100K            | 6.5
SiteGround Security                     | Broken Access Control                    | 1.5.1               | 1M              | 5.4
WPForms User Registration               | Privilege Escalation                     | 2.1.2               | 500K            | 8.0
WP Mail SMTP by WPForms                 | Sensitive Data Exposure                  | 4.1.0               | 3M              | 2.7
Hide My WP Ghost                        | Bypass Vulnerability                     | 5.2.02              | 100K            | 3.7

Vulnerable plugins with fewer than 100K installs

The following is a full list of plugins added to our database with fewer than 100,000 installs.

Vulnerabilities with a Patch Priority score of 3 or 4 are expected to be exploited and receive Patchstack’s virtual patch protection.

Vulnerabilities with scores below 3 are not expected to become exploited, but you should update those plugins regardless.

Plugin name                                              | Vulnerability                       | Patch Priority score
Addonify                                                 | Sensitive Data Exposure             | 1
Arconix FAQ                                              | Broken Access Control               | 1
Arconix Shortcodes                                       | Broken Access Control               | 1
ArtPlacer Widget                                         | Broken Access Control               | 1
ArtPlacer Widget                                         | Cross Site Request Forgery (CSRF)   | 1
Atarim                                                   | Broken Access Control               | 2
Booking Ultra Pro                                        | Broken Access Control               | 1
BookingPress                                             | Arbitrary File Upload               | 4
BookingPress                                             | Arbitrary File Upload               | 4
Brizy – Page Builder                                     | Arbitrary File Upload               | 2
BSK PDF Manager                                          | Cross Site Scripting (XSS)          | 1
Bug Library                                              | Cross Site Scripting (XSS)          | 1
ChatBot                                                  | Cross Site Scripting (XSS)          | 1
CM Pop-Up banners                                        | Cross Site Scripting (XSS)          | 1
Community Events                                         | Cross Site Request Forgery (CSRF)   | 1
Cooked                                                   | Cross Site Request Forgery (CSRF)   | 1
Cooked                                                   | Content Injection                   | 1
CopySafe Web Protection                                  | Cross Site Scripting (XSS)          | 2
CoziPress                                                | Cross Site Scripting (XSS)          | 1
Duplica                                                  | Broken Access Control               | 1
Easy Testimonials                                        | Cross Site Scripting (XSS)          | 1
Email Subscribers & Newsletters                          | Broken Access Control               | 1
Eventin                                                  | Broken Access Control               | 1
Filter & Grids                                           | Local File Inclusion                | 3
FormLift for Infusionsoft Web Forms                      | SQL Injection                       | 3
FV Flowplayer Video Player                               | SQL Injection                       | 3
Getwid – Gutenberg Blocks                                | Broken Access Control               | 1
Gutenverse                                               | Cross Site Scripting (XSS)          | 1
HTML Forms                                               | Cross Site Scripting (XSS)          | 1
JetWidgets for Elementor and WooCommerce                 | Local File Inclusion                | 1
Keydatas                                                 | Arbitrary File Upload               | 4
Leaflet Maps Marker                                      | Cross Site Scripting (XSS)          | 1
Livemesh Addons for Beaver Builder                       | Cross Site Scripting (XSS)          | 1
MasterStudy LMS                                          | Privilege Escalation                | 4
MaxiBlocks                                               | Arbitrary File Deletion             | 4
pz-frontend-manager                                      | Cross Site Request Forgery (CSRF)   | 1
RegLevel                                                 | Cross Site Scripting (XSS)          | 1
Request a Quote                                          | Cross Site Scripting (XSS)          | 1
Smartsupp – live chat, chatbots, AI and lead generation  | Cross Site Request Forgery (CSRF)   | 1
SVG Support                                              | Cross Site Scripting (XSS)          | 1
Telegram Bot & Channel                                   | Cross Site Request Forgery (CSRF)   | 1
The Pack Elementor addons                                | Local File Inclusion                | 1
Timeline Event History                                   | PHP Object Injection                | 2
UiPress lite                                             | SQL Injection                       | 1
Ultimate Addons for WPBakery Page Builder                | Cross Site Scripting (XSS)          | 1
WP Fast Total Search                                     | Cross Site Request Forgery (CSRF)   | 1
WP GoToWebinar                                           | Cross Site Scripting (XSS)          | 1
WP QuickLaTeX                                            | Cross Site Scripting (XSS)          | 1
YITH Essential Kit for WooCommerce #1                    | Broken Access Control               | 1
Zenon Lite                                               | Cross Site Scripting (XSS)          | 1

How does Patchstack make WordPress safer?

Patchstack protects WordPress websites against vulnerable plugins. As the #1 vulnerability processor (CNA) globally, we maintain a database of over 18,000 vulnerabilities.

Our users receive 48-hour early warning for new vulnerabilities and real-time vPatching to protect their websites until the vulnerabilities are resolved.

Start getting tailored notifications for the plugins installed on your site for free. Sign up today!

Are you a security researcher?

Join our bug bounty program to win rewards for finding vulnerabilities!
