Welcome to Patchstack's WordPress vulnerability overview for the week of June 26 - July 2, 2024.
As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don't use the Patchstack app (yet).
The first part of the report outlines the most popular plugins you likely have installed on your sites. Then, explore the rest of our list for other plugins you may have installed, and which have vulnerabilities.
Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers are able to issue an update.
WordPress vulnerability landscape (June 26 - July 2, 2024)
- New WordPress vulnerabilities added to Patchstack's database: 195
- Vulnerabilities discovered by Patchstack: 120
- Currently undisclosed vulnerabilities due to 48hr early warning available to Patchstack users: 48
3 vulnerabilities fixed in WordPress core
On the 24th of June 2024, WordPress.org released a security update and recommended users update their sites as soon as possible. This WordPress core 6.5.5 security release addresses 3 different security vulnerabilities that affect multiple WordPress core versions.
For most users, the update would have been automatic, but if not, then it is advised to update your WordPress core to the latest version.
Info on the vulnerabilities is below, but you can also read our technical advisory on them here.
- WordPress core < 6.5.5 - Contributor+ Path Traversal (Windows Only) vulnerability
- WordPress Core < 6.5.5 - Cross Site Scripting (XSS) via template-part vulnerability
- WordPress Core < 6.5.5 - Contributor+ Stored Cross-Site Scripting via HTML API
How severe were this week's vulnerabilities?
WordPress vulnerabilities are categorized according to Patchstack's Patch Priority Score (i.e., likelihood of resulting in significant exploits), ranging from low-severity vulnerabilities to high-severity, which should be updated as soon as possible.
Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.
| Low-severity vulnerabilities this week | Medium-severity vulnerabilities | High-severity vulnerabilities |
| 130 | 27 | 11 |
What are the most dangerous vulnerabilities?
If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:
- WordPress Zita Elementor Site Library plugin <= 1.6.1 - Arbitrary Code Execution vulnerability
WordPress vulnerabilities discovered from June 26 to July 2, 2024
Vulnerable plugins with 100K+ installs
Contact Form 7 plugin
Unauthenticated Open Redirect vulnerability. Update the WordPress Contact Form 7 plugin to the latest available version (at least 5.9.5).
WordPress WooCommerce plugin
Content Injection vulnerability. Update the WordPress WooCommerce plugin to the latest available version (at least 9.0.0)
WordPress Elementor Pro
Reflected Cross Site Scripting (XSS) vulnerability. Update the WordPress Elementor Pro plugin to the latest available version (at least 3.21.3).
Elementor Website Builder plugin
Arbitrary SVG File Download vulnerability. Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.22.2).
Rank Math SEO plugin
Authenticated Stored XSS vulnerability. Update the WordPress Rank Math SEO plugin to the latest available version (at least 1.0.219).
WordPress ElementsKit Lite plugin
Unauthenticated Broken Access Control vulnerability. Update the WordPress Elements kit Elementor addons plugin to the latest available version (at least 3.2.0).
WP File Manager plugin
Broken Access Control vulnerability. Update the WordPress File Manager plugin to the latest available version (at least 7.2.8).
Slider Revolution plugin
Cross Site Scripting (XSS) vulnerability. Update the WordPress Slider Revolution plugin to the latest available version (at least 6.7.14).
Easy Table of Contents plugin
Admin+ Stored XSS vulnerability. Update the WordPress Easy Table of Contents plugin to the latest available version (at least 2.0.66).
Happy Addons for Elementor plugin
Authenticated (Contributor+) Stored Cross-Site Scripting via Gradient Heading Widget vulnerability. Update the WordPress Happy Addons for Elementor plugin to the latest available version (at least 3.11.2).
Gutenberg Blocks with AI by Kadence WP plugin
Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes vulnerability. Update the WordPress Gutenberg Blocks by Kadence Blocks plugin to the latest available version (at least 3.2.46).
Gutenberg Blocks with AI by Kadence WP plugin
Contributor+ Stored Cross-Site Scripting in Google Maps Widget vulnerability. Update the WordPress Gutenberg Blocks by Kadence Blocks plugin to the latest available version (at least 3.2.43).
WordPress PixelYourSite plugin
Cross Site Scripting (XSS) vulnerability. Update the WordPress PixelYourSite – Your smart PIXEL (TAG) Manager plugin to the latest available version (at least 9.6.2).
WordPress PDF Embedder plugin
Cross Site Scripting (XSS) vulnerability. Update the WordPress PDF Embedder plugin to the latest available version (at least 4.8.0).
WordPress Pods plugin
Injected Backdoor vulnerability. Update the WordPress Pods plugin to a version other than 3.2.3, be it an older or newer version.
HT Mega – Absolute Addons For Elementor
Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability. Update the WordPress HT Mega plugin to the latest available version (at least 2.5.6).
Elementor Addon Elements plugin
Contributor+ Stored Cross-Site Scripting vulnerability. Update the WordPress Elementor Addon Elements plugin to the latest available version (at least 1.13.6).
The Plus Addons for Elementor
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability. Update the WordPress The Plus Addons for Elementor Page Builder Lite plugin to the latest available version (at least 5.6.1).
Stackable – Page Builder Gutenberg Blocks plugin
Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability. Update the WordPress Stackable – Page Builder Gutenberg Blocks plugin to the latest available version (at least 3.13.2).
WP Chat App plugin
Admin+ Stored XSS vulnerability. Update the WordPress WP Chat App plugin to the latest available version (at least 3.6.5).
Advanced File Manager plugin
Sensitive Information Exposure via Directory Listing vulnerability. Update the WordPress Advanced File Manager plugin to the latest available version (at least 5.2.5).
WP Mobile Menu plugin
Cross Site Request Forgery (CSRF) vulnerability. Update the WordPress WP Mobile Menu plugin to the latest available version (at least 2.8.4.4).
Vulnerable plugins with up to 100K+ installs
| WordPress Email Subscribers by Icegram Express plugin <= 5.7.25 - Unauthenticated SQL Injection vulnerability |
| WordPress Paid Memberships Pro plugin <= 3.0.4 - Insecure Direct Object References (IDOR) vulnerability |
| WordPress Events Manager plugin <= 6.4.8 - Reflected Cross-Site Scripting vulnerability |
| WordPress The Post Grid plugin <= 7.7.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via section title tag vulnerability |
| WordPress LearnPress plugin <= 4.2.6.8.1 - Unauthenticated Bypass to User Registration vulnerability |
| WordPress LearnPress plugin <= 4.2.6.8.1 - Missing Authorization to Unauthenticated User Registration Bypass vulnerability |
| WordPress Featured Image from URL (FIFU) plugin <= 4.8.1 - Broken Access Control vulnerability |
| WordPress Defender plugin <= 4.7.1 - Broken Access Control vulnerability |
| WordPress Embedpress plugin <= 4.0.2 - Cross Site Scripting (XSS) vulnerability |
| WordPress Permalink Manager Lite plugin <= 2.4.3.3 - Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress WordPress Plugin for Google Maps plugin <= 4.6.1 - Authenticated (Contributor+) SQL Injection vulnerability |
| WordPress Tutor LMS plugin <= 2.7.1 - SQL Injection vulnerability |
| WordPress Depicter Slider plugin <= 3.0.2 - Cross Site Scripting (XSS) vulnerability |
| WordPress Tutor LMS plugin <= 2.7.1 - Path Traversal vulnerability |
| WordPress OnePress theme <= 2.3.6 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Media Library Assistant plugin <= 3.17 - Reflected Cross-Site Scripting vulnerability |
| WordPress 3D FlipBook – PDF Flipbook WordPress plugin <= 1.15.5 - Cross Site Scripting (XSS) vulnerability |
| WordPress Page and Post Clone plugin <= 6.0 - Insecure Direct Object Reference to Authenticated (Author+) Sensitive Information Exposure vulnerability |
| WordPress Exclusive Addons for Elementor plugin <= 2.6.9.8 - Contributor+ Stored Cross-Site Scripting via Card Widget vulnerability |
| WordPress NextScripts plugin <= 4.4.6 - Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress Sina Extension for Elementor plugin <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via read_more_text Parameter vulnerability |
| WordPress Form Maker by 10Web plugin < 1.15.26 - Admin+ Stored XSS vulnerability |
| WordPress PDF Viewer for Elementor plugin <= 2.9.3 - Cross Site Scripting (XSS) vulnerability |
| WordPress Quiz And Survey Master plugin < 9.0.2 - Contributor+ Stored XSS vulnerability |
| WordPress DethemeKit For Elementor plugin <= 2.1.5 - Contributor+ Stored Cross-Site Scripting via URL Parameter of the De Gallery Widget vulnerability |
| WordPress H5P plugin < 1.15.8 - Contributor+ Stored XSS vulnerability |
| WordPress Twenty20 Image Before After plugin 1.5.4, 1.6.2, 1.6.3 - Injected Backdoor vulnerability |
| WordPress Void Contact Form 7 Widget For Elementor Page Builder plugin <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via cf7_redirect_page Attribute vulnerability |
| WordPress Easy Google Maps plugin <= 1.11.15 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability |
| WordPress Rife Elementor Extensions & Templates plugin <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Widget vulnerability |
| WordPress Portfolio Gallery – Image Gallery Plugin plugin <= 1.6.4 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability |
| WordPress Gallery Blocks with Lightbox plugin <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via galleryID and className Parameters vulnerability |
| WordPress Cost Calculator Builder plugin <= 3.2.12 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability |
| WordPress Cost Calculator Builder plugin <= 3.2.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Creation vulnerability |
| WordPress Mesmerize theme <= 1.6.120 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress PDF Poster plugin <= 2.1.21 - Cross Site Scripting (XSS) vulnerability |
| WordPress UsersWP plugin <= 1.2.10 - Unauthenticated SQL Injection via 'uwp_sort_by' vulnerability |
| WordPress Masterstudy Elementor Widgets plugin <= 1.2.2 - Remote Code Execution (RCE) vulnerability |
| WordPress Striking theme <= 2.3.4 - Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress Conversios.io plugin <= 7.1.0 - Reflected Cross-Site Scripting vulnerability |
| WordPress Striking theme <= 2.3.4 - Local File Inclusion vulnerability |
| WordPress Masterstudy Elementor Widgets plugin <= 1.2.2 - SQL Injection vulnerability |
| WordPress PDF.js Viewer plugin <= 2.1.8.1 - Cross Site Scripting (XSS) vulnerability |
| WordPress Ultimate Post Kit Addons For Elementor plugin <= 3.11.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Count (Static) Widget vulnerability |
| WordPress Funnel Builder for WordPress by FunnelKit plugin <= 3.3.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload vulnerability |
| WordPress Branda plugin <= 3.4.17 - Cross Site Scripting (XSS) vulnerability |
| WordPress Masterstudy Elementor Widgets plugin <= 1.2.2 - Unauthenticated Broken Access Control vulnerability |
| WordPress WP Photo Album Plus plugin <= 8.8.00.002 - Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress Mailster plugin <= 4.0.9 - Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress LA-Studio Element Kit for Elementor plugin <= 1.3.8.1 - Local File Inclusion vulnerability |
| WordPress All-in-One Addons for Elementor – WidgetKit plugin <= 2.5.0 - Cross Site Scripting (XSS) vulnerability |
| WordPress HTML5 Audio Player plugin <= 2.2.23 - Cross Site Scripting (XSS) vulnerability |
| WordPress E2Pdf plugin <= 1.20.27 - Broken Access Control vulnerability |
| WordPress Easy Affiliate Links plugin <= 3.7.3 - Missing Authorization to Authenticated (Subscriber+) Settings Reset vulnerability |
| WordPress PDF Viewer plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability |
| WordPress Wonder PDF Embed plugin <= 2.7 - Cross Site Scripting (XSS) vulnerability |
| WordPress E2Pdf plugin <= 1.24.00 - Cross Site Scripting (XSS) vulnerability |
| WordPress BSK PDF Manager plugin <= 3.6 - Cross Site Scripting (XSS) vulnerability |
| WordPress ARI Fancy Lightbox plugin <= 1.3.14 - Cross Site Scripting (XSS) vulnerability |
| WordPress PowerPack Lite for Beaver Builder plugin <= 1.3.0.4 - Cross Site Scripting (XSS) vulnerability |
| WordPress Motors – Car Dealer, Classifieds & Listing plugin <= 1.4.9 - Missing Authorization vulnerability |
| WordPress PowerPack Lite for Beaver Builder plugin <= 1.3.0.3 - Local File Inclusion vulnerability |
| WordPress Advanced Custom Fields Pro plugin < 6.3.2 - Subscriber+ Broken Access Control vulnerability |
| WordPress Advanced Custom Fields Pro plugin < 6.3.2 - Contributor+ Broken Access Control vulnerability |
| WordPress Advanced Custom Fields Pro plugin < 6.3.2 - Cross-Site Request Forgery (CSRF) vulnerability |
| WordPress Create by Mediavine plugin <= 1.9.7 - Contributor+ Stored Cross-Site Scripting via Schema Meta Shortcode vulnerability |
| WordPress Print My Blog plugin <= 3.27.0 - Cross Site Scripting (XSS) vulnerability |
| WordPress Easy Image Collage plugin <= 1.13.5 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Content Deletion vulnerability |
| WordPress Foxiz Theme theme <= 2.3.5 - Server Side Request Forgery (SSRF) vulnerability |
| WordPress Esteem theme <= 1.5.0 - Cross Site Scripting (XSS) vulnerability |
| WordPress Patreon WordPress plugin <= 1.9.0 - Image Protection Bypass vulnerability |
| WordPress Schema Lite theme <= 1.2.2 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Social Rocket plugin <= 1.3.3 - Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress Online Booking & Scheduling Calendar plugin <= 4.4.2 - Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress Stock Ticker plugin <= 3.24.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via stock_ticker Shortcode vulnerability |
| WordPress Perfect Portfolio theme <= 1.2.0 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Travel Agency theme <= 1.4.9 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress WPDirectoryKit plugin <= 1.3.6 - HTML Injection vulnerability |
| WordPress Zita Elementor Site Library plugin <= 1.6.1 - Arbitrary Code Execution vulnerability |
| WordPress Groundhogg plugin <= 3.4.2.3 - Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress Cowidgets – Elementor Addons plugin <= 1.1.1 - Local File Inclusion vulnerability |
| WordPress EazyDocs plugin < 2.5.0 - Admin+ Stored XSS vulnerability |
| WordPress Cards for Beaver Builder plugin <= 1.1.4 - Cross Site Scripting (XSS) vulnerability |
| WordPress Atarim plugin <= 3.31 - Authenticated Cross Site Scripting (XSS) vulnerability |
| WordPress Chained Quiz plugin <= 1.3.2.8 - Cross Site Scripting (XSS) vulnerability |
| WordPress Blossom Shop theme <= 1.1.7 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Preschool and Kindergarten theme <= 1.2.1 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress JobScout theme <= 1.1.4 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress PayPlus Payment Gateway plugin <= 6.6.8 - Unauthenticated SQL Injection vulnerability |
| WordPress Newspack Blocks plugin <= 3.0.8 - Arbitrary File Upload vulnerability |
| WordPress Newspack Blocks plugin <= 3.0.8 - Contributor+ Arbitrary Directory Deletion vulnerability |
| WordPress Goya theme <= 1.0.8.7 - Unauthenticated Reflected Cross-Site Scripting via Multiple Parameters vulnerability |
| WordPress WP Extended plugin <= 2.4.7 - Cross Site Scripting (XSS) vulnerability |
| WordPress WP-Lister Lite for Amazon plugin <= 2.6.16 - Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress IdeaPush plugin <= 8.60 - Cross Site Scripting (XSS) vulnerability |
| WordPress Extensions for Elementor plugin <= 2.0.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter vulnerability |
| WordPress Boot Store theme <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode vulnerability |
| WordPress Post Meta Data Manager plugin <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability |
| WordPress Enter Addons – Ultimate Template Builder for Elementor plugin <= 2.1.6 - Cross Site Scripting (XSS) vulnerability |
| WordPress Tainacan plugin <= 0.21.5 - Cross Site Scripting (XSS) vulnerability |
| WordPress Login with phone number plugin <= 1.7.35 - Admin+ Cross Site Scripting (XSS) vulnerability |
| WordPress Newspack Blocks plugin <= 3.0.8 - Broken Access Control vulnerability |
| WordPress Timetics plugin <= 1.0.21 - Broken Access Control vulnerability |
| WordPress Travel Monster theme <= 1.1.2 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Coachify theme <= 1.0.7 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Elegant Pink theme 1.3.0 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress NewsMash theme <= 1.0.34 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Church Admin plugin <= 4.4.4 - Broken Access Control vulnerability |
| WordPress WP Job Manager plugin <= 2.1.0 - Broken Access Control vulnerability |
| WordPress Benevolent theme <= 1.3.4 - Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Photo Gallery by Ays – Responsive Image Gallery plugin < 5.7.1 - HTML Injection vulnerability |
| WordPress Uncanny Automator Pro plugin < 5.3.0.1 - Cross Site Request Forgery (CSRF) Leading to License Settings Reset vulnerability |
| WordPress Uncanny Automator Pro plugin < 5.3.0.1 - Unauthenticated License Settings Reset vulnerability |
| WordPress Simple Photoswipe plugin <= 0.1 - Subscriber+ Arbitrary Settings Update vulnerability |
| WordPress Pagerank Tools plugin <= 1.1.5 - Reflected XSS vulnerability |
| WordPress Progress Planner plugin <= 0.9.2 - Cross Site Scripting (XSS) vulnerability |
| WordPress Widget4Call plugin <= 1.0.7 - Reflected XSS vulnerability |
| WordPress Animated AL List plugin <= 1.0.6 - Reflected XSS vulnerability |
| WordPress Simple AL Slider plugin <= 1.2.10 - Reflected XSS vulnerability |
| WordPress Progress Planner plugin <= 0.9.1 - Broken Access Control vulnerability |
How does Patchstack make WordPress safer?
