Patchstack’s Weekly WordPress Vulnerability Overview – July 24 to 30, 2024

Published 31 July 2024

Welcome to Patchstack’s WordPress vulnerability overview for the week of July 24 – 30, 2024.

As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don’t use the Patchstack app (yet).

The first part of the report outlines the most popular plugins you likely have installed on your sites. Then explore the rest of our list for other vulnerable plugins you may have installed.

Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers can issue an update.

WordPress vulnerability landscape (July 24 – 30, 2024)

  • New WordPress vulnerabilities added to Patchstack’s database: 70
  • Vulnerabilities discovered by Patchstack: 8
  • Currently undisclosed vulnerabilities due to 48hr early warning available to Patchstack users: 3

🎉 Cause for celebration: This week, Patchstack celebrates our 5000th published CVE ID since 2021! Join our bug bounty program to help us keep open source safer.

How severe were this week’s vulnerabilities?

WordPress vulnerabilities are categorized according to Patchstack’s Patch Priority Score (i.e., the likelihood of a vulnerability resulting in significant exploits), ranging from low-severity to high-severity vulnerabilities, the latter of which should be updated as soon as possible.

Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.

  • Low-severity vulnerabilities this week: 47
  • Medium-severity vulnerabilities: 17
  • High-severity vulnerabilities: 6

The most dangerous vulnerabilities from last week

Last week we added several high-severity vulnerabilities to our database, some in very popular plugins.

If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:

WordPress vulnerabilities discovered from July 24 to 30, 2024

Vulnerable plugins with 100K+ installs

AMP for WP

Cross Site Scripting (XSS). Update the WordPress AMP for WP plugin to the latest available version (at least 1.0.97).

Installs: 100K | CVSS 5.9

FluentForm

Cross Site Scripting (XSS). Update the WordPress FluentForm plugin to the latest available version (at least 5.1.20).

Installs: 400K | CVSS 5.9

Happy Addons for Elementor

Cross Site Scripting (XSS). Update the WordPress Happy Addons for Elementor plugin to the latest available version (at least 3.11.3).

Installs: 400M | CVSS 6.5

Inline Related Posts

Cross Site Scripting (XSS). Update the WordPress Inline Related Posts plugin to the latest available version (at least 3.8.0).

Installs: 100K | CVSS 5.9

NextGEN Gallery

Cross Site Scripting (XSS). Update the WordPress NextGEN Gallery plugin to the latest available version (at least 3.59.4).

Installs: 500K | CVSS 5.9

Ninja Forms

Cross Site Request Forgery (CSRF). Update the WordPress Ninja Forms plugin to the latest available version (at least 3.8.7).

Installs: 800K | CVSS 5.4

PowerPack for Beaver Builder

Privilege Escalation. Update the WordPress PowerPack for Beaver Builder plugin to the latest available version (at least 2.33.1).

Installs: 125K | CVSS 8.8

PowerPack Pro for Elementor

Privilege Escalation. Update the WordPress PowerPack Pro for Elementor plugin to the latest available version (at least 2.10.15).

Installs: 100K | CVSS 8.8

Royal Elementor Addons

Cross Site Scripting (XSS). Update the WordPress Royal Elementor Addons plugin to the latest available version (at least 1.3.981).

Installs: 400K | CVSS 6.5

SiteOrigin Widgets Bundle

Cross Site Scripting (XSS). Update the WordPress SiteOrigin Widgets Bundle plugin to the latest available version (at least 1.62.3).

Installs: 600K | CVSS 6.5

Vulnerable plugins with up to 100K installs (July 24 – 30, 2024)

The following is a full list of plugins added to our database with fewer than 100,000 installs.

Vulnerabilities with a Patch Priority score of 3 or 4 are expected to be exploited and receive Patchstack’s virtual patch protection.

Vulnerabilities with scores below 3 are not expected to become exploited, but you should update those plugins regardless.

Plugin name | Vulnerability | Patch Priority score
Add Admin CSS | Sensitive Data Exposure | 1
Add Admin JavaScript | Sensitive Data Exposure | 1
Admin Post Navigation | Sensitive Data Exposure | 1
Admin Trim Interface | Sensitive Data Exposure | 1
Affiliate Manager | Cross Site Request Forgery (CSRF) | 1
AI Engine: ChatGPT Chatbot | Server Side Request Forgery (SSRF) | 1
All-in-One Video Gallery | Cross Site Scripting (XSS) | 1
Aramex Shipping WooCommerce | Sensitive Data Exposure | 1
aThemes Starter Sites | Cross Site Scripting (XSS) | 1
Best Restaurant Menu by PriceListo | SQL Injection | 1
Bold Page Builder | Cross Site Scripting (XSS) | 1
Booking Calendar | Cross Site Scripting (XSS) | 1
Business Card | Arbitrary File Upload | 1
Campaign Monitor for WordPress | Sensitive Data Exposure | 1
Contest Gallery | Cross Site Scripting (XSS) | 2
Custom Query Blocks | Broken Access Control | 1
CZ Loan Management | SQL Injection | 3
Donation Block For PayPal | Cross Site Scripting (XSS) | 2
Email Encoder Bundle | Cross Site Scripting (XSS) | 1
Flipbox Builder | PHP Object Injection | 2
Funnel Builder for WordPress by FunnelKit | Broken Access Control | 1
Himalayas | Cross Site Scripting (XSS) | 1
Icegram | Broken Access Control | 1
IgnitionDeck | Broken Access Control | 1
Intelligence | Sensitive Data Exposure | 1
Language Translate Widget for WordPress – ConveyThis | Broken Access Control | 1
LearnPress | Local File Inclusion | 1
ListingPro | SQL Injection | 3
ListingPro | SQL Injection | 3
ListingPro | Local File Inclusion | 3
ListingPro | Cross Site Request Forgery (CSRF) | 1
ListingPro | SQL Injection | 3
ListingPro | Local File Inclusion | 3
ListingPro | Local File Inclusion | 1
Master Currency WP | Cross Site Scripting (XSS) | 1
Media.net Ads Manager | Arbitrary File Upload | 4
One Click Close Comments | Sensitive Data Exposure | 1
Optimize images ALT Text (alt tag) & names for SEO using AI | Sensitive Data Exposure | 1
Paid Memberships Pro – Member Directory Add On | SQL Injection | 1
Pardakht Delkhah | Cross Site Request Forgery (CSRF) | 1
ParityPress | Cross Site Scripting (XSS) | 1
Piotnet Addons For Elementor | Sensitive Data Exposure | 1
Pmpro Membership Maps | Sensitive Data Exposure | 1
Pretty Simple Popup Builder | Cross Site Scripting (XSS) | 1
Profile Builder | Broken Access Control | 1
Responsive Tabs | Cross Site Scripting (XSS) | 1
Robo Gallery | Cross Site Scripting (XSS) | 1
Send email only on Reply to My Comment | Cross Site Scripting (XSS) | 2
Send email only on Reply to My Comment | Cross Site Scripting (XSS) | 2
Social Auto Poster | Arbitrary File Upload | 2
Social Auto Poster | Broken Access Control | 3
Social Auto Poster | Cross Site Scripting (XSS) | 2
Social Auto Poster | Broken Access Control | 2
Social Auto Poster | Cross Site Scripting (XSS) | 2
Social Auto Poster | Cross Site Request Forgery (CSRF) | 1
Social Auto Poster | Broken Access Control | 1
SportsPress – Sports Club & League Manager | Cross Site Scripting (XSS) | 1
Timetable and Event Schedule | PHP Object Injection | 1
Tutor LMS – Migration Tool | Broken Access Control | 1
Ultimate Auction | Broken Access Control | 2
Ultimate Classified Listings | Local File Inclusion | 3
Ultimate Classified Listings | Cross Site Scripting (XSS) | 2
Web Directory Free | Cross Site Scripting (XSS) | 2
WooCommerce Product Table Lite | Cross Site Scripting (XSS) | 2
WP Ajax Contact Form | Cross Site Scripting (XSS) | 2
WP Ajax Contact Form | Cross Site Request Forgery (CSRF) | 1
WP EasyPay | Broken Access Control | 1
WP Meteor Page Speed Optimization Topping | Sensitive Data Exposure | 1
WP ULike | Cross Site Scripting (XSS) | 1
WpStickyBar | SQL Injection | 3
WpStickyBar | Cross Site Scripting (XSS) | 2
Youzify | Broken Access Control | 1
Zephyr Project Manager | Cross Site Scripting (XSS) | 1

How does Patchstack make WordPress safer?

Patchstack protects WordPress websites against vulnerable plugins. As the #1 vulnerability processor (CNA) globally, we maintain a database of over 18,000 vulnerabilities.

Our users receive 48-hour early warning for new vulnerabilities and real-time vPatching to protect their websites until the vulnerabilities are resolved.

Start getting tailored notifications for the plugins installed on your site for free. Sign up today!

Are you a security researcher?

Join our bug bounty program to win rewards for finding vulnerabilities!
