Patchstack’s Weekly WordPress Vulnerability Overview – July 3 to 9, 2024

Published 10 July 2024
Updated 17 July 2024
Mart Virkus
Head of Marketing

Welcome to Patchstack’s WordPress vulnerability overview for the week of July 3 – 9, 2024.

As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don’t use the Patchstack app (yet).

The first part of the report covers vulnerabilities in the most popular plugins and themes, the ones you are most likely to have installed on your sites. The rest of the list covers less widely used plugins and themes that you may also have installed and that have newly reported vulnerabilities.

Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers are able to issue an update.

WordPress vulnerability landscape (July 3 – 9, 2024)

  • New WordPress vulnerabilities added to Patchstack’s database: 213
  • Vulnerabilities discovered by Patchstack: 101
  • Currently undisclosed vulnerabilities due to 48hr early warning available to Patchstack users: 30

How severe were this week’s vulnerabilities?

WordPress vulnerabilities are categorized according to Patchstack’s Patch Priority Score (i.e., the likelihood that a vulnerability results in significant exploits), ranging from low severity to high severity. High-severity vulnerabilities should be updated as soon as possible.

Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.

  • Low-severity vulnerabilities this week: 173
  • Medium-severity vulnerabilities: 21
  • High-severity vulnerabilities: 19

Most dangerous vulnerabilities from last week

Last week we added several high-severity vulnerabilities to our database, some in very popular plugins.

If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:

WordPress vulnerabilities discovered from July 3 to 9, 2024

Vulnerable plugins and themes with 100K+ installs

Update each plugin or theme to the latest available version; the last column is the minimum version that contains the fix.

Plugin or theme | Installs | Vulnerability | CVSS | Update to at least
Elementor – Header, Footer & Blocks Template | 2M | Cross Site Scripting (XSS) | 6.5 | 1.6.36
Ninja Forms | 800K | Broken Access Control | 5.4 | 3.8.5
Spectra | 800K | Broken Access Control | 4.3 | 2.13.8
Premium Addons for Elementor | 700K | Cross Site Scripting (XSS) | 6.5 | 4.10.36
Premium Addons for Elementor | 700K | Denial of Service | 3.1 | 4.10.36
The Events Calendar | 700K | Cross Site Request Forgery (CSRF) | 4.3 | 6.5.1.5
Ocean Extra | 600K | Cross Site Scripting (XSS) | 6.5 | 2.3.0
SEOPress | 300K | PHP Object Injection | 8.3 | 7.9
Gutenberg | 170K | Cross Site Scripting (XSS) | 8.8 | 18.6.1
Ultimate Addons for Elementor | 170K | Privilege Escalation | 8.8 | 1.36.32
Hestia (theme) | 100K | Cross Site Request Forgery (CSRF) | 4.3 | 3.1.3
Blocksy (theme) | 100K | Cross Site Request Forgery (CSRF) | 5.4 | 2.0.23
The Plus Addons for Elementor Page Builder Lite | 100K | Cross Site Scripting (XSS) | 6.5 | 5.6.2
Nested Pages | 100K | Cross Site Request Forgery (CSRF) | 8.3 | 3.2.8
Beaver Builder | 100K | Cross Site Scripting (XSS) | 6.5 | 2.8.3
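The check a site operator wants after reading a list like the one above is "which of my installed plugins are still below the fixed version?". The following Python script is an added example, not Patchstack's code or tooling: it reads the JSON that WP-CLI's `wp plugin list --format=json --fields=name,version` prints and reports the plugins from the 100K+ list that are older than the minimum fixed version. The slug-to-version mapping is an assumption made here (wordpress.org directory slugs for the plugins named above; verify each against the plugin's directory URL before relying on it), and the sample plugin list is constructed, not taken from a real site. Versions are compared component by component, so 1.6.9 is correctly reported as older than 1.6.36, which a plain string comparison gets backwards.

```python
"""Report installed WordPress plugins that are below the fixed version.

Added example, not Patchstack code. Input is the JSON printed by
`wp plugin list --format=json --fields=name,version`; the `name` field
is the plugin's directory slug.
"""
import json
import re
import sys

# Minimum fixed versions from the 100K+ installs list above, keyed by
# wordpress.org slug. The slugs are an ASSUMPTION made for this example;
# confirm each against the plugin's wordpress.org URL.
FIXED_IN = {
    "header-footer-elementor": "1.6.36",        # Elementor – Header, Footer & Blocks Template
    "ninja-forms": "3.8.5",
    "ultimate-addons-for-gutenberg": "2.13.8",  # Spectra
    "premium-addons-for-elementor": "4.10.36",
    "the-events-calendar": "6.5.1.5",
    "ocean-extra": "2.3.0",
    "wp-seopress": "7.9",                        # SEOPress
    "gutenberg": "18.6.1",
    "wp-nested-pages": "3.2.8",                  # Nested Pages
    "beaver-builder-lite-version": "2.8.3",      # Beaver Builder
}


def version_key(version):
    """Turn '3.8.10-beta1' into a tuple that sorts the way versions do.

    Numeric components compare as integers, so 3.8.10 > 3.8.9 (a string
    compare would say the opposite). Missing components count as 0, so
    7.9 == 7.9.0. A pre-release suffix sorts before the final release.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    suffix = m.group(2).lstrip("-. ").lower()
    return (nums, 0 if suffix else 1, suffix)


def outdated(installed, fixed_in=FIXED_IN):
    """Return [(slug, installed_version, fixed_version)] for every plugin in
    `installed` that is listed in `fixed_in` and older than the fix.
    Plugins not in the advisory list are ignored."""
    hits = []
    for plugin in installed:
        slug = plugin["name"]
        if slug not in fixed_in:
            continue
        if version_key(plugin["version"]) < version_key(fixed_in[slug]):
            hits.append((slug, plugin["version"], fixed_in[slug]))
    return hits


def check_json(text, fixed_in=FIXED_IN):
    """Parse `wp plugin list --format=json` output and run `outdated` on it."""
    return outdated(json.loads(text), fixed_in)


# Constructed sample of `wp plugin list --format=json --fields=name,version`
# output; not from a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "version": "5.3.2"},                  # not in the list: ignored
    {"name": "header-footer-elementor", "version": "1.6.9"},  # older than 1.6.36
    {"name": "ninja-forms", "version": "3.8.4"},              # older than 3.8.5
    {"name": "gutenberg", "version": "18.6.1"},               # exactly the fixed version
    {"name": "wp-seopress", "version": "7.9"},                # equal to 7.9
    {"name": "the-events-calendar", "version": "6.5.1.4"},    # older than 6.5.1.5
    {"name": "ocean-extra", "version": "2.3.1"},              # newer than 2.3.0
])

if __name__ == "__main__":
    # Read a real listing from stdin when piped; otherwise use the sample.
    data = SAMPLE_WP_PLUGIN_LIST if sys.stdin.isatty() else sys.stdin.read()
    for slug, have, need in check_json(data):
        print(f"{slug}: installed {have}, update to at least {need}")
```

Run it against a live site with `wp plugin list --format=json --fields=name,version | python3 check_versions.py` (the file name is whatever you save the script as); with nothing piped in it runs against the constructed sample. The Hestia and Blocksy entries are themes, so they would need `wp theme list` and their own rows in the mapping, and the Ultimate Addons for Elementor entry is left out because its slug was not verified for this example.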

Vulnerable plugins and themes with fewer than 100K installs

The following is the full list of plugins and themes with fewer than 100,000 installs that were added to our database this week.

High & Medium priority vulnerabilities are expected to be exploited and are receiving Patchstack’s virtual patch protection.

Low priority vulnerabilities are not expected to become exploited, but you should update those plugins regardless.

Plugin or theme name | Vulnerability | Patch Priority score
JetThemeCore | Arbitrary File Deletion | High priority
ProfileGrid | Privilege Escalation | High priority
Product Table by WBW | Remote Code Execution (RCE) | High priority
Zephyr Project Manager | Privilege Escalation | High priority
Church Admin | Arbitrary File Upload | High priority
Modern Events Calendar | Arbitrary File Upload | High priority
Modern Events Calendar Lite | Arbitrary File Upload | High priority
WordPress Form Builder Plugin – Gutenberg Forms | Arbitrary File Upload | High priority
IQ Testimonials | Arbitrary File Upload | High priority
Woffice Core | Broken Access Control | High priority
BookYourTravel | Privilege Escalation | High priority
Pie Register | Broken Access Control | High priority
The Post Grid | Broken Access Control | Medium priority
Woffice Core | Cross Site Scripting (XSS) | Medium priority
Woffice | Cross Site Scripting (XSS) | Medium priority
Charitable | Broken Access Control | Medium priority
bbPress Notify | Cross Site Scripting (XSS) | Medium priority
IMGspider | Arbitrary File Upload | Medium priority
WP Directory Kit | Cross Site Scripting (XSS) | Medium priority
WooCommerce Social Login | PHP Object Injection | Medium priority
One Click Order Re-Order | Cross Site Scripting (XSS) | Medium priority
MakeCommerce for WooCommerce | Cross Site Scripting (XSS) | Medium priority
PayPlus Payment Gateway | Cross Site Scripting (XSS) | Medium priority
IdeaPush | Cross Site Scripting (XSS) | Medium priority
XPlainer – WooCommerce Product FAQ | Cross Site Scripting (XSS) | Medium priority
Responsive Image Gallery, Gallery Album | Broken Access Control | Medium priority
File Manager Advanced Shortcode | Arbitrary File Upload | Medium priority
ScrollTo Top | Cross Site Request Forgery (CSRF) | Medium priority
Default Thumbnail Plus | Arbitrary File Upload | Medium priority
XPlainer – WooCommerce Product FAQ | Cross Site Scripting (XSS) | Medium priority
Easy Pixels | Cross Site Scripting (XSS) | Medium priority
EventON | Cross Site Scripting (XSS) | Medium priority
SCSS Happy Compiler | Cross Site Scripting (XSS) | Medium priority
The Post Grid | Broken Access Control | Low priority
The Post Grid | Broken Access Control | Low priority
Paid Memberships Pro | SQL Injection | Low priority
Featured Image from URL | Broken Access Control | Low priority
Amelia | Backdoor | Low priority
Livemesh Addons for Elementor | Local File Inclusion | Low priority
Ultimate Blocks – Gutenberg Blocks Plugin | Cross Site Scripting (XSS) | Low priority
Ashe | Cross Site Request Forgery (CSRF) | Low priority
Pixel Manager for WooCommerce | Backdoor | Low priority
WP Lightbox 2 | Cross Site Scripting (XSS) | Low priority
Social Warfare | Backdoor | Low priority
Apollo13 Framework Extensions | Cross Site Scripting (XSS) | Low priority
Rife Free | Cross Site Request Forgery (CSRF) | Low priority
WP User Frontend | Backdoor | Low priority
weForms | Backdoor | Low priority
Meks Easy Ads Widget | Cross Site Scripting (XSS) | Low priority
Noptin | Broken Access Control | Low priority
Highlight | Cross Site Request Forgery (CSRF) | Low priority
GPT3 AI Content Writer | Cross Site Scripting (XSS) | Low priority
Mega Elements | Cross Site Scripting (XSS) | Low priority
Newsmatic | Broken Access Control | Low priority
Product Customer List for WooCommerce | Backdoor | Low priority
Bard | Cross Site Request Forgery (CSRF) | Low priority
Eventin | Cross Site Scripting (XSS) | Low priority
Charitable | Broken Access Control | Low priority
Swift Performance Lite | Cross Site Request Forgery (CSRF) | Low priority
NEX-Forms – Ultimate Form Builder | Cross Site Scripting (XSS) | Low priority
Sentry | Backdoor | Low priority
Youzify | SQL Injection | Low priority
Table & Contact Form 7 Database – Tablesome | Sensitive Data Exposure | Low priority
YITH WooCommerce Affiliates | Backdoor | Low priority
Create by Mediavine | Cross Site Scripting (XSS) | Low priority
ProfileGrid | Broken Access Control | Low priority
Ultimate Bootstrap Elements for Elementor | Local File Inclusion | Low priority
Beaver Builder Addons by WPZOOM | Local File Inclusion | Low priority
WPCafe | Local File Inclusion | Low priority
Snippet Shortcodes | Cross Site Request Forgery (CSRF) | Low priority
WPJAM Basic | Backdoor | Low priority
AWSM Team | Local File Inclusion | Low priority
FireBox | Backdoor | Low priority
HelloAsso | Cross Site Scripting (XSS) | Low priority
Posterity | Cross Site Request Forgery (CSRF) | Low priority
Online Booking & Scheduling Calendar for WordPress by vcita | Local File Inclusion | Low priority
FileBird Document Library | Sensitive Data Exposure | Low priority
Advanced Classifieds & Directory Pro | Local File Inclusion | Low priority
ShopBuilder – Elementor WooCommerce Builder Addons | Local File Inclusion | Low priority
CRM Perks Forms | Broken Access Control | Low priority
YAHMAN Add-ons | Backdoor | Low priority
Rara Business | Cross Site Request Forgery (CSRF) | Low priority
Construction Landing Page | Cross Site Request Forgery (CSRF) | Low priority
Business One Page | Broken Access Control | Low priority
Premium Blocks – Gutenberg Blocks for WordPress | Cross Site Scripting (XSS) | Low priority
Login Logo Editor | Cross Site Scripting (XSS) | Low priority
Ultimate Auction | Cross Site Request Forgery (CSRF) | Low priority
SuperSaaS – online appointment scheduling | Cross Site Scripting (XSS) | Low priority
Trendy News | Cross Site Request Forgery (CSRF) | Low priority
Newspack Ads | Cross Site Scripting (XSS) | Low priority
Newspack Newsletters | Broken Access Control | Low priority
Newspack Campaigns | Cross Site Scripting (XSS) | Low priority
Newspack Content Converter | Broken Access Control | Low priority
OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) | Backdoor | Low priority
Tooltip for Gravity Forms | Backdoor | Low priority
nicen-localize-image | Backdoor | Low priority
Bakes And Cakes | Broken Access Control | Low priority
Metro Magazine | Broken Access Control | Low priority
Lawyer Landing Page | Cross Site Request Forgery (CSRF) | Low priority
CopySafe Web Protection | Cross Site Scripting (XSS) | Low priority
zBench | Cross Site Scripting (XSS) | Low priority
CC & BCC for Woocommerce Order Emails | Cross Site Scripting (XSS) | Low priority
Elementor Addons, Widgets and Enhancements – Stax | Cross Site Scripting (XSS) | Low priority
Get Better Reviews for WooCommerce | Broken Access Control | Low priority
Floating Social Media Links | Cross Site Scripting (XSS) | Low priority
Image Hover Effects – Caption Hover with Carousel | Cross Site Scripting (XSS) | Low priority
Save as PDF plugin by Pdfcrowd | Cross Site Scripting (XSS) | Low priority
Simple Social Share | Cross Site Scripting (XSS) | Low priority
Leaky Paywall | Cross Site Request Forgery (CSRF) | Low priority
Contact Form 7 Multi-Step Addon | Backdoor | Low priority
TotalSurvey | Backdoor | Low priority
Weight Tracker | Backdoor | Low priority
Taager | Backdoor | Low priority
Comment Reply Email | Cross Site Scripting (XSS) | Low priority
TotalRating Pro | Backdoor | Low priority
WP To Do | Cross Site Scripting (XSS) | Low priority
WS Theme Addons | Backdoor | Low priority
Amelia Shortcode Extended | Backdoor | Low priority
Link To Bible | Cross Site Scripting (XSS) | Low priority
Meal Tracker | Backdoor | Low priority
BLAZE Retail Widget | Backdoor | Low priority
Canvas-Nest.js | Backdoor | Low priority
Logic Hop | Backdoor | Low priority
ShipAny | Backdoor | Low priority
Easy Custom Code (LESS/CSS/JS) – Live editing | Cross Site Scripting (XSS) | Low priority
Integration for Luminate and Gravity Forms | Backdoor | Low priority
Contact Form by TotalForm | Backdoor | Low priority
WS Contact Form | Cross Site Scripting (XSS) | Low priority
Easy Speedup by PageCDN | Backdoor | Low priority
WebSitter Pro | Backdoor | Low priority
Qualified Electronic Signatures by eID Easy | Backdoor | Low priority
ADDRESSYA | Backdoor | Low priority
Field Day | Backdoor | Low priority
Ideaplus | Backdoor | Low priority
Magic Conversation For Gravity Forms | Backdoor | Low priority
Viva Payments | Backdoor | Low priority
Mine Video Player | Backdoor | Low priority
Alfred Easy Shipping | Backdoor | Low priority
wp-code-highlightjs | Backdoor | Low priority
Jobs.af | Backdoor | Low priority
Word Balloon | Backdoor | Low priority
Digital River Global Commerce | Backdoor | Low priority
Simply Show Hooks | Backdoor | Low priority
alfred24 Click & Collect | Backdoor | Low priority
CommandBar for WP Admin | Backdoor | Low priority
Himer | Cross Site Request Forgery (CSRF) | Low priority
Himer | Cross Site Scripting (XSS) | Low priority
WPQA – Builder forms Addon | Cross Site Scripting (XSS) | Low priority
WPQA – Builder forms Addon | Cross Site Request Forgery (CSRF) | Low priority
Livemesh Addons for Elementor | Cross Site Scripting (XSS) | Low priority
Social Media & Share Icons | Cross Site Scripting (XSS) | Low priority
Template Kit – Export | Cross Site Scripting (XSS) | Low priority
Testimonials Widget | Cross Site Scripting (XSS) | Low priority
UltraAddons Elementor Lite | Cross Site Scripting (XSS) | Low priority
WordPress Notification Bar | Cross Site Scripting (XSS) | Low priority
WP Cookie Law Info | Cross Site Scripting (XSS) | Low priority
WPFavicon | Cross Site Request Forgery (CSRF) | Low priority
Houzez Theme – Functionality | SQL Injection | Low priority
Media Hygiene | Broken Access Control | Low priority
Houzez CRM | SQL Injection | Low priority
File Manager Advanced Shortcode | Directory Traversal | Low priority
Blog, Posts and Category Filter for Elementor | Cross Site Scripting (XSS) | Low priority
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | SQL Injection | Low priority
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | Cross Site Scripting (XSS) | Low priority
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | Bypass Vulnerability | Low priority
Advanced AJAX Page Loader | Cross Site Request Forgery (CSRF) | Low priority
ScrollTo Bottom | Cross Site Request Forgery (CSRF) | Low priority
Attachment File Icons | Cross Site Request Forgery (CSRF) | Low priority
Generate PDF using Contact Form 7 | Cross Site Request Forgery (CSRF) | Low priority
Bit Form – Contact Form Plugin | Arbitrary File Upload | Low priority
Cliengo – Chatbot | Broken Access Control | Low priority
Cliengo – Chatbot | Broken Access Control | Low priority
Extensions for Elementor | Cross Site Scripting (XSS) | Low priority
Genesis Blocks | Cross Site Scripting (XSS) | Low priority
XPlainer – WooCommerce Product FAQ | Broken Access Control | Low priority
WP2Speed Faster | Broken Authentication | Low priority
Product Designer | Broken Access Control | Low priority
Webico Slider Flatsome Addons | Cross Site Scripting (XSS) | Low priority
OSM – OpenStreetMap | SQL Injection | Low priority
Pricing Table | Cross Site Request Forgery (CSRF) | Low priority
Pricing Table | Broken Access Control | Low priority
Comment Images Reloaded | Broken Access Control | Low priority
Simple Alert Boxes | Cross Site Scripting (XSS) | Low priority
Panda Video | Local File Inclusion | Low priority
Panda Video | Cross Site Scripting (XSS) | Low priority
LearnDash LMS – Reports | Broken Access Control | Low priority
WPBITS Addons For Elementor Page Builder | Cross Site Scripting (XSS) | Low priority
oik | Cross Site Scripting (XSS) | Low priority
DN Footer Contacts | Cross Site Scripting (XSS) | Low priority
URL Shortener by MyThemeShop | Cross Site Scripting (XSS) | Low priority
Easy Table of Contents | Cross Site Scripting (XSS) | Low priority
Kiwi | Sensitive Data Exposure | Low priority
Just Custom Fields | Broken Access Control | Low priority
Just Custom Fields | Cross Site Request Forgery (CSRF) | Low priority
Squelch Tabs and Accordions Shortcodes | Cross Site Scripting (XSS) | Low priority

How does Patchstack make WordPress safer?

Patchstack protects WordPress websites against vulnerable plugins. As the #1 vulnerability processor (CNA) globally, we maintain a database of over 18,000 vulnerabilities. Our users receive 48-hour early warning for new vulnerabilities and real-time vPatching to protect their websites until the vulnerabilities are resolved.

Start getting tailored notifications for the plugins installed on your site for free. Sign up today!
