Welcome to Patchstack’s WordPress vulnerability overview for the week of July 24 – 30, 2024.
As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don’t use the Patchstack app (yet).
The first part of the report outlines the most popular plugins you likely have installed on your sites. Then, explore the rest of our list for other, less widely installed plugins you may be running that have vulnerabilities.
Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers can issue an update.
WordPress vulnerability landscape (July 24 – 30, 2024)
- New WordPress vulnerabilities added to Patchstack’s database: 70
- Vulnerabilities discovered by Patchstack: 8
- Currently undisclosed vulnerabilities due to 48hr early warning available to Patchstack users: 3
🎉 Cause for celebration: This week, Patchstack celebrates our 5000th published CVE ID since 2021! Join our bug bounty program to help us keep open source safer.
How severe were this week’s vulnerabilities?
WordPress vulnerabilities are categorized according to Patchstack’s Patch Priority Score (i.e., likelihood of resulting in significant exploits), ranging from low-severity vulnerabilities to high-severity, which should be updated as soon as possible.
Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.
| Low-severity vulnerabilities this week | Medium-severity vulnerabilities | High-severity vulnerabilities |
| --- | --- | --- |
| 47 | 17 | 6 |
The most dangerous vulnerabilities from last week
Last week we added several high-severity vulnerabilities to our database, some in very popular plugins.
If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:
- CZ Loan Management – SQL Injection (No patched version available. Get Patchstack’s virtual patch to prevent exploits.)
- ListingPro – SQL Injection (No reply from the vendor, and no patched version available. Get Patchstack’s virtual patch to prevent exploits.)
- Media.net Ads Manager – Arbitrary File Upload (Deactivate and delete the plugin.)
- Social Auto Poster – Arbitrary File Upload
- WpStickyBar – SQL Injection (Deactivate and delete the plugin.)
WordPress vulnerabilities discovered from July 24 to 30, 2024
Vulnerable plugins with 100K+ installs
AMP for WP
Cross Site Scripting (XSS). Update the WordPress AMP for WP plugin to the latest available version (at least 1.0.97).
FluentForm
Cross Site Scripting (XSS). Update the WordPress FluentForm plugin to the latest available version (at least 5.1.20).
Happy Addons for Elementor
Cross Site Scripting (XSS). Update the WordPress Happy Addons for Elementor plugin to the latest available version (at least 3.11.3).
Inline Related Posts
Cross Site Scripting (XSS). Update the WordPress Inline Related Posts plugin to the latest available version (at least 3.8.0).
NextGEN Gallery
Cross Site Scripting (XSS). Update the WordPress NextGEN Gallery plugin to the latest available version (at least 3.59.4).
Ninja Forms
Cross Site Request Forgery (CSRF). Update the WordPress Ninja Forms plugin to the latest available version (at least 3.8.7).
PowerPack for Beaver Builder
Privilege Escalation. Update the WordPress PowerPack for Beaver Builder plugin to the latest available version (at least 2.33.1).
PowerPack Pro for Elementor
Privilege Escalation. Update the WordPress PowerPack Pro for Elementor plugin to the latest available version (at least 2.10.15).
Royal Elementor Addons
Cross Site Scripting (XSS). Update the WordPress Royal Elementor Addons plugin to the latest available version (at least 1.3.981).
SiteOrigin Widgets Bundle
Cross Site Scripting (XSS). Update the WordPress SiteOrigin Widgets Bundle plugin to the latest available version (at least 1.62.3).
Vulnerable plugins with up to 100K installs (July 24 – 30, 2024)
The following is a full list of plugins added to our database with fewer than 100,000 installs.
Vulnerabilities with a Patch Priority score of 3 or 4 are expected to be exploited and receive Patchstack’s virtual patch protection.
Vulnerabilities with scores below 3 are not expected to be exploited, but you should update those plugins regardless.
| Plugin name | Vulnerability | Patch Priority score |
| --- | --- | --- |
Add Admin CSS | Sensitive Data Exposure | 1 |
Add Admin JavaScript | Sensitive Data Exposure | 1 |
Admin Post Navigation | Sensitive Data Exposure | 1 |
Admin Trim Interface | Sensitive Data Exposure | 1 |
Affiliate Manager | Cross Site Request Forgery (CSRF) | 1 |
AI Engine: ChatGPT Chatbot | Server Side Request Forgery (SSRF) | 1 |
All-in-One Video Gallery | Cross Site Scripting (XSS) | 1 |
Aramex Shipping WooCommerce | Sensitive Data Exposure | 1 |
aThemes Starter Sites | Cross Site Scripting (XSS) | 1 |
Best Restaurant Menu by PriceListo | SQL Injection | 1 |
Bold Page Builder | Cross Site Scripting (XSS) | 1 |
Booking Calendar | Cross Site Scripting (XSS) | 1 |
Business Card | Arbitrary File Upload | 1 |
Campaign Monitor for WordPress | Sensitive Data Exposure | 1 |
Contest Gallery | Cross Site Scripting (XSS) | 2 |
Custom Query Blocks | Broken Access Control | 1 |
CZ Loan Management | SQL Injection | 3 |
Donation Block For PayPal | Cross Site Scripting (XSS) | 2 |
Email Encoder Bundle | Cross Site Scripting (XSS) | 1 |
Flipbox Builder | PHP Object Injection | 2 |
Funnel Builder for WordPress by FunnelKit | Broken Access Control | 1 |
Himalayas | Cross Site Scripting (XSS) | 1 |
Icegram | Broken Access Control | 1 |
IgnitionDeck | Broken Access Control | 1 |
Intelligence | Sensitive Data Exposure | 1 |
Language Translate Widget for WordPress – ConveyThis | Broken Access Control | 1 |
LearnPress | Local File Inclusion | 1 |
ListingPro | SQL Injection | 3 |
ListingPro | SQL Injection | 3 |
ListingPro | Local File Inclusion | 3 |
ListingPro | Cross Site Request Forgery (CSRF) | 1 |
ListingPro | SQL Injection | 3 |
ListingPro | Local File Inclusion | 3 |
ListingPro | Local File Inclusion | 1 |
Master Currency WP | Cross Site Scripting (XSS) | 1 |
Media.net Ads Manager | Arbitrary File Upload | 4 |
One Click Close Comments | Sensitive Data Exposure | 1 |
Optimize images ALT Text (alt tag) & names for SEO using AI | Sensitive Data Exposure | 1 |
Paid Memberships Pro – Member Directory Add On | SQL Injection | 1 |
Pardakht Delkhah | Cross Site Request Forgery (CSRF) | 1 |
ParityPress | Cross Site Scripting (XSS) | 1 |
Piotnet Addons For Elementor | Sensitive Data Exposure | 1 |
Pmpro Membership Maps | Sensitive Data Exposure | 1 |
Pretty Simple Popup Builder | Cross Site Scripting (XSS) | 1 |
Profile Builder | Broken Access Control | 1 |
Responsive Tabs | Cross Site Scripting (XSS) | 1 |
Robo Gallery | Cross Site Scripting (XSS) | 1 |
Send email only on Reply to My Comment | Cross Site Scripting (XSS) | 2 |
Send email only on Reply to My Comment | Cross Site Scripting (XSS) | 2 |
Social Auto Poster | Arbitrary File Upload | 2 |
Social Auto Poster | Broken Access Control | 3 |
Social Auto Poster | Cross Site Scripting (XSS) | 2 |
Social Auto Poster | Broken Access Control | 2 |
Social Auto Poster | Cross Site Scripting (XSS) | 2 |
Social Auto Poster | Cross Site Request Forgery (CSRF) | 1 |
Social Auto Poster | Broken Access Control | 1 |
SportsPress – Sports Club & League Manager | Cross Site Scripting (XSS) | 1 |
Timetable and Event Schedule | PHP Object Injection | 1 |
Tutor LMS – Migration Tool | Broken Access Control | 1 |
Ultimate Auction | Broken Access Control | 2 |
Ultimate Classified Listings | Local File Inclusion | 3 |
Ultimate Classified Listings | Cross Site Scripting (XSS) | 2 |
Web Directory Free | Cross Site Scripting (XSS) | 2 |
WooCommerce Product Table Lite | Cross Site Scripting (XSS) | 2 |
WP Ajax Contact Form | Cross Site Scripting (XSS) | 2 |
WP Ajax Contact Form | Cross Site Request Forgery (CSRF) | 1 |
WP EasyPay | Broken Access Control | 1 |
WP Meteor Page Speed Optimization Topping | Sensitive Data Exposure | 1 |
WP ULike | Cross Site Scripting (XSS) | 1 |
WpStickyBar | SQL Injection | 3 |
WpStickyBar | Cross Site Scripting (XSS) | 2 |
Youzify | Broken Access Control | 1 |
Zephyr Project Manager | Cross Site Scripting (XSS) | 1 |
How does Patchstack make WordPress safer?
Patchstack protects WordPress websites against vulnerable plugins. As the #1 vulnerability processor (CNA) globally, we maintain a database of over 18,000 vulnerabilities.
Our users receive 48-hour early warning for new vulnerabilities and real-time vPatching to protect their websites until the vulnerabilities are resolved.
Start getting tailored notifications for the plugins installed on your site for free. Sign up today!
Are you a security researcher?
Join our bug bounty program to win rewards for finding vulnerabilities!