Welcome to Patchstack’s WordPress vulnerability overview for the week of July 17 – 23, 2024.
As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don’t use the Patchstack app (yet).
The first part of the report outlines the most popular plugins you likely have installed on your sites. Then explore the rest of the list for other plugins you may have installed that have known vulnerabilities.
Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers can issue an update.
WordPress vulnerability landscape (July 17 – 23, 2024)
- New WordPress vulnerabilities added to Patchstack’s database: 78
- Vulnerabilities discovered by Patchstack: 34
- Vulnerabilities currently undisclosed under the 48-hour early warning available to Patchstack users: 16
🎉 Cause for celebration: This week, Patchstack will officially reach 20,000 vulnerabilities published! Join our bug bounty program to help us get to 30k faster and keep open source safer.
How severe were this week’s vulnerabilities?
WordPress vulnerabilities are categorized according to Patchstack’s Patch Priority Score (i.e., the likelihood of a vulnerability resulting in significant exploits), ranging from low severity to high severity; high-severity vulnerabilities should be patched as soon as possible.
Patchstack offers vPatching to keep you safe until you can apply the plugin/theme update.
| Low-severity vulnerabilities this week | Medium-severity vulnerabilities | High-severity vulnerabilities |
| --- | --- | --- |
| 58 | 5 | 15 |
The most dangerous vulnerabilities from last week
Last week we added several high-severity vulnerabilities to our database, some in very popular plugins.
If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:
- BookingPress – Arbitrary File Upload
- Keydatas – Arbitrary File Upload
- MasterStudy LMS – Privilege Escalation
- MaxiBlocks – Arbitrary File Deletion
- Mercado Pago payments for WooCommerce – Arbitrary File Download
WordPress vulnerabilities discovered from July 17 to 23, 2024
Vulnerable plugins with 100K+ installs
CoBlocks
Server Side Request Forgery (SSRF). Update the WordPress CoBlocks plugin to the latest available version (at least 3.1.12).
Conditional Fields for Contact Form 7
Cross Site Request Forgery (CSRF). Update the WordPress Conditional Fields for Contact Form 7 plugin to the latest available version (at least 2.4.14).
CTX Feed
Privilege Escalation. Update the WordPress CTX Feed plugin to the latest available version (at least 6.5.7).
Element Pack Elementor Addons
Cross Site Scripting (XSS). Update the WordPress Element Pack Elementor Addons plugin to the latest available version (at least 5.6.6).
Elements kit Elementor addons
Sensitive Data Exposure. Update the WordPress Elements kit Elementor addons plugin to the latest available version (at least 3.2.1).
GiveWP
Insecure Direct Object References (IDOR). Update the WordPress GiveWP plugin to the latest available version (at least 3.14.0).
LiteSpeed Cache
Cross Site Request Forgery (CSRF). Update the WordPress LiteSpeed Cache plugin to the latest available version (at least 6.3).
Mercado Pago payments for WooCommerce
Arbitrary File Download. Update the WordPress Mercado Pago payments for WooCommerce plugin to the latest available version (at least 7.6.2).
Redux Framework
Cross Site Scripting (XSS). Update the WordPress Redux Framework plugin to the latest available version (at least 4.4.18).
Schema & Structured Data for WP & AMP
Cross Site Scripting (XSS). Update the WordPress Schema & Structured Data for WP & AMP plugin to the latest available version (at least 1.34.1).
SiteGround Security
Broken Access Control. Update the WordPress SiteGround Security plugin to the latest available version (at least 1.5.1).
WPForms User Registration
Privilege Escalation. Update the WordPress WPForms User Registration plugin to the latest available version (at least 2.1.2).
WP Mail SMTP by WPForms
Sensitive Data Exposure. Update the WordPress WP Mail SMTP by WPForms plugin to the latest available version (at least 4.1.0).
Hide My WP Ghost
Bypass Vulnerability. Update the WordPress Hide My WP Ghost plugin to the latest available version (at least 5.2.02).
Vulnerable plugins with fewer than 100K installs
The following is the full list of plugins added to our database with fewer than 100,000 installs.
Vulnerabilities with a Patch Priority score of 3 or 4 are expected to be exploited and receive Patchstack’s virtual patch protection.
Vulnerabilities with scores below 3 are not expected to be exploited, but you should update those plugins regardless.
| Plugin name | Vulnerability | Patch Priority score |
| --- | --- | --- |
| Addonify | Sensitive Data Exposure | 1 |
| Arconix FAQ | Broken Access Control | 1 |
| Arconix Shortcodes | Broken Access Control | 1 |
| ArtPlacer Widget | Broken Access Control | 1 |
| ArtPlacer Widget | Cross Site Request Forgery (CSRF) | 1 |
| Atarim | Broken Access Control | 2 |
| Booking Ultra Pro | Broken Access Control | 1 |
| BookingPress | Arbitrary File Upload | 4 |
| BookingPress | Arbitrary File Upload | 4 |
| Brizy – Page Builder | Arbitrary File Upload | 2 |
| BSK PDF Manager | Cross Site Scripting (XSS) | 1 |
| Bug Library | Cross Site Scripting (XSS) | 1 |
| ChatBot | Cross Site Scripting (XSS) | 1 |
| CM Pop-Up banners | Cross Site Scripting (XSS) | 1 |
| Community Events | Cross Site Request Forgery (CSRF) | 1 |
| Cooked | Cross Site Request Forgery (CSRF) | 1 |
| Cooked | Content Injection | 1 |
| CopySafe Web Protection | Cross Site Scripting (XSS) | 2 |
| CoziPress | Cross Site Scripting (XSS) | 1 |
| Duplica | Broken Access Control | 1 |
| Easy Testimonials | Cross Site Scripting (XSS) | 1 |
| Email Subscribers & Newsletters | Broken Access Control | 1 |
| Eventin | Broken Access Control | 1 |
| Filter & Grids | Local File Inclusion | 3 |
| FormLift for Infusionsoft Web Forms | SQL Injection | 3 |
| FV Flowplayer Video Player | SQL Injection | 3 |
| Getwid – Gutenberg Blocks | Broken Access Control | 1 |
| Gutenverse | Cross Site Scripting (XSS) | 1 |
| HTML Forms | Cross Site Scripting (XSS) | 1 |
| JetWidgets for Elementor and WooCommerce | Local File Inclusion | 1 |
| Keydatas | Arbitrary File Upload | 4 |
| Leaflet Maps Marker | Cross Site Scripting (XSS) | 1 |
| Livemesh Addons for Beaver Builder | Cross Site Scripting (XSS) | 1 |
| MasterStudy LMS | Privilege Escalation | 4 |
| MaxiBlocks | Arbitrary File Deletion | 4 |
| pz-frontend-manager | Cross Site Request Forgery (CSRF) | 1 |
| RegLevel | Cross Site Scripting (XSS) | 1 |
| Request a Quote | Cross Site Scripting (XSS) | 1 |
| Smartsupp – live chat, chatbots, AI and lead generation | Cross Site Request Forgery (CSRF) | 1 |
| SVG Support | Cross Site Scripting (XSS) | 1 |
| Telegram Bot & Channel | Cross Site Request Forgery (CSRF) | 1 |
| The Pack Elementor addons | Local File Inclusion | 1 |
| Timeline Event History | PHP Object Injection | 2 |
| UiPress lite | SQL Injection | 1 |
| Ultimate Addons for WPBakery Page Builder | Cross Site Scripting (XSS) | 1 |
| WP Fast Total Search | Cross Site Request Forgery (CSRF) | 1 |
| WP GoToWebinar | Cross Site Scripting (XSS) | 1 |
| WP QuickLaTeX | Cross Site Scripting (XSS) | 1 |
| YITH Essential Kit for WooCommerce #1 | Broken Access Control | 1 |
| Zenon Lite | Cross Site Scripting (XSS) | 1 |
How does Patchstack make WordPress safer?
Patchstack protects WordPress websites against vulnerable plugins. As the #1 vulnerability processor (CNA) globally, we maintain a database of over 18,000 vulnerabilities.
Our users receive 48-hour early warning for new vulnerabilities and real-time vPatching to protect their websites until the vulnerabilities are resolved.
Start getting tailored notifications for the plugins installed on your site for free. Sign up today!
Are you a security researcher?
Join our bug bounty program to win rewards for finding vulnerabilities!