Patchstack’s Weekly WordPress Vulnerability Overview – June 11 to 18, 2024

Published 19 June 2024
Updated 17 July 2024
Table of Contents

Welcome to Patchstack’s WordPress vulnerability overview for the week of June 11 – 18, 2024.

As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don’t use the Patchstack app (yet).

And in addition to this week’s vulnerabilities, we’re happy to say that, on June 14th, we officially surpassed 2,000 vulnerabilities added to the CVE database this year! In comparison, in 2023, we added around 2,500 vulnerabilities throughout the whole year. This puts us on the trajectory of adding over 4,000 vulnerabilities.

The first part of the report outlines the most popular plugins you likely have installed on your sites. Then, explore the rest of our list for other plugins you may have installed, and which have vulnerabilities.

Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers are able to issue an update.

WordPress vulnerability landscape (June 11 – 18, 2024)

  • New WordPress vulnerabilities added to Patchstack’s database: 108
  • Vulnerabilities discovered by Patchstack: 16
  • Currently undisclosed vulnerabilities due to 48hr early warning available to Patchstack users: 16
  • Vulnerabilities reported to the WordPress Review team: 11 plugins, 27 themes

How severe were this week’s vulnerabilities?

WordPress vulnerabilities are categorized according to Patchstack’s Patch Priority Score (i.e., likelihood of resulting in significant exploits), ranging from low-severity vulnerabilities to high-severity, which should be updated as soon as possible.

Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.

Low-severity vulnerabilities this weekMedium-severity vulnerabilitiesHigh-severity vulnerabilities
88128

What are the most dangerous vulnerabilities?

If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:

  • CoDesigner WooCommerce Builder for Elementor plugin <= 4.4.1
  • Dokan Pro plugin <= 3.10.3
  • Icegram Express plugin <= 5.7.22
  • InstaWP Connect <= 0.1.0.38
  • Timetics plugin <= 1.0.21
  • Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin <= 1.3.13
  • WooCommerce Social Login plugin <= 2.6.2
  • Wp Staging Pro plugin <= 5.6.0

WordPress vulnerabilities discovered from June 11 to 18, 2024

Vulnerable plugins with 100K+ installs

WooCommerce plugin

Cross Site Scripting (XSS). Update the WordPress WooCommerce plugin to the latest available version (at least 8.9.3).

7M
CVSS 7.1

Elementor – Header, Footer & Blocks Template

Cross Site Scripting (XSS). Update the WordPress Elementor – Header, Footer & Blocks Template plugin to the latest available version (at least 1.6.36).

2M
CVSS 6.5

Premium Addons for Elementor

Cross Site Scripting (XSS). Update the WordPress Premium Addons for Elementor plugin to the latest available version (at least 4.10.34).

700K
CVSS 6.5

Gutenberg Blocks by Kadence Blocks

Cross Site Scripting (XSS). Update the WordPress Gutenberg Blocks by Kadence Blocks plugin to the latest available version (at least 3.2.39).

400K
CVSS 6.5

WP Google Maps

Cross Site Scripting (XSS). Update the WordPress WP Google Maps plugin to the latest available version (at least 9.0.39).

300K
CVSS 6.5

Popup Builder

Broken Access Control. Update the WordPress Popup Builder plugin to the latest available version (at least 4.3.2).

200K
CVSS 6.3

Chaty

Cross Site Scripting (XSS). Update the WordPress Chaty plugin to the latest available version (at least 3.2.3).

200K
CVSS 5.9

Jeg Elementor Kit

Cross Site Scripting (XSS). Update the WordPress Jeg Elementor Kit plugin to the latest available version (at least 2.6.6).

200K
CVSS 6.5

Download Manager

Broken Access Control. Update the WordPress Download Manager plugin to the latest available version (at least 3.2.90).

100K
CVSS 5.3

PowerPack Addons for Elementor

Cross Site Scripting (XSS). Update the WordPress PowerPack Addons for Elementor plugin to the latest available version (at least 2.7.21).

100K
CVSS 6.5

Sassy Social Share

Cross Site Scripting (XSS). Update the WordPress Sassy Social Share plugin to the latest available version (at least 3.3.63)..

100K
CVSS 5.9

Search & Replace

SQL Injection. Update the WordPress Search & Replace plugin to the latest available version (at least 3.2.2)..

100K
CVSS 7.6

ElementsKit Pro

Server Side Request Forgery (SSRF). Update the WordPress ElementsKit Pro plugin to the latest available version (at least 3.6.3).

100K
CVSS 6.3

FooGallery

Cross Site Scripting (XSS). Update the WordPress FooGallery plugin to the latest available version (at least 2.4.16).

100K
CVSS 6.5

Vulnerable plugins with up to 100K+ installs

How does Patchstack make WordPress safer?

Patchstack protects WordPress websites against vulnerable plugins. As the #1 vulnerability processor (CNA) globally, we maintain a database of over 18,000 vulnerabilities. Our users receive 48-hour early warning for new vulnerabilities and real-time vPatching to protect their websites until the vulnerabilities are resolved.

Start getting tailored notifications for the plugins installed on your site for free. Sign up today!

The latest in Weekly vulnerability overview

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu