Patchstack’s Weekly WordPress Vulnerability Overview – June 19 to 25, 2024

Published 26 June 2024
Updated 17 July 2024

Welcome to Patchstack’s WordPress vulnerability overview for the week of June 19 – 25, 2024.

As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don’t use the Patchstack app (yet).

The first part of the report outlines the most popular plugins you likely have installed on your sites. Then, explore the rest of our list for other plugins you may have installed, and which have vulnerabilities.

Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers are able to issue an update.

WordPress vulnerability landscape (June 19 – 25, 2024)

  • New WordPress vulnerabilities added to Patchstack’s database: 174
  • Vulnerabilities discovered by Patchstack: 96
  • Currently undisclosed vulnerabilities due to 48hr early warning available to Patchstack users: 84

How severe were this week’s vulnerabilities?

WordPress vulnerabilities are categorized according to Patchstack’s Patch Priority Score (the likelihood that a vulnerability results in significant exploitation), ranging from low severity to high severity; high-severity vulnerabilities should be updated as soon as possible.

Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.

  • Low-severity vulnerabilities this week: 127
  • Medium-severity vulnerabilities: 23
  • High-severity vulnerabilities: 24

What are the most dangerous vulnerabilities?

If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:

  • WordPress Lifeline Donation plugin <= 1.2.6 – Authentication Bypass vulnerability
  • WordPress InstaWP Connect plugin <= 0.1.0.38 – Arbitrary File Upload vulnerability
  • WordPress WishList Member X plugin <= 3.25.1 – 4 vulnerability types
  • WordPress Salon booking system plugin <= 9.9 – Arbitrary File Deletion vulnerability

WordPress vulnerabilities discovered from June 19 to 25, 2024

Vulnerable plugins with 100K+ installs

Smush Image Compression and Optimization (1M installs, CVSS 5.4)

Broken Access Control. Update the WordPress Smush Image Compression and Optimization plugin to the latest available version (at least 3.16.5).

Loco Translate (1M installs, CVSS 4.3)

Cross Site Request Forgery (CSRF). Update the WordPress Loco Translate plugin to the latest available version (at least 2.6.10).

Solid Security (1M installs, CVSS 3.7)

Denial of Service Attack. Update the WordPress Solid Security plugin to the latest available version (at least 9.3.2).

Flatsome (600K installs, CVSS 6.5)

Cross Site Scripting (XSS). Update the WordPress Flatsome theme to the latest available version (at least 3.19.0).

Enfold (374K installs, CVSS 7.1)

Cross Site Scripting (XSS). Update the WordPress Enfold theme to the latest available version (at least 5.6.10).

SEOPress (300K installs, CVSS 6.5)

Cross Site Scripting (XSS). Update the WordPress SEOPress plugin to the latest available version (at least 7.9.1).

Funnel Builder by CartFlows (200K installs, CVSS 6.5)

Cross Site Scripting (XSS). Update the WordPress Funnel Builder by CartFlows plugin to the latest available version (at least 2.0.8).

Orbit Fox by ThemeIsle (200K installs, CVSS 6.5)

Cross Site Scripting (XSS). Update the WordPress Orbit Fox by ThemeIsle plugin to the latest available version (at least 2.10.35).

Master Slider (100K installs, CVSS 7.1)

Cross Site Request Forgery (CSRF). No patched version is available. This plugin has been closed as of June 15, 2024 and is not available for download. This closure is temporary, pending a full review.

Envira Photo Gallery (100K installs, CVSS 4.3)

Cross Site Request Forgery (CSRF). Update the WordPress Envira Photo Gallery plugin to the latest available version (at least 1.8.8).

Vulnerable plugins with up to 100K installs


How does Patchstack make WordPress safer?

Patchstack protects WordPress websites against vulnerable plugins. As the #1 vulnerability processor (CNA) globally, we maintain a database of over 18,000 vulnerabilities. Our users receive 48-hour early warning for new vulnerabilities and real-time vPatching to protect their websites until the vulnerabilities are resolved.

Start getting tailored notifications for the plugins installed on your site for free. Sign up today!
