Patchstack’s Weekly WordPress Vulnerability Overview – June 26 to July 2, 2024

Published 3 July 2024
Mart Virkus
Head of Marketing

Welcome to Patchstack’s WordPress vulnerability overview for the week of June 26 – July 2, 2024.

As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don’t use the Patchstack app (yet).

The first part of the report covers the most popular plugins, which you are likely to have installed on your sites. Then check the rest of the list for other vulnerable plugins you may have installed.

Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers are able to issue an update.

WordPress vulnerability landscape (June 26 – July 2, 2024)

  • New WordPress vulnerabilities added to Patchstack’s database: 195
  • Vulnerabilities discovered by Patchstack: 120
  • Vulnerabilities currently undisclosed (48-hour early warning available to Patchstack users): 48

3 vulnerabilities fixed in WordPress core

On the 24th of June 2024, WordPress.org released a security update and recommended users update their sites as soon as possible. This WordPress core 6.5.5 security release addresses 3 different security vulnerabilities that affect multiple WordPress core versions.

For most sites the update will have been applied automatically; if it was not, update your WordPress core to the latest version.

Info on the vulnerabilities is below, but you can also read our technical advisory on them here.

How severe were this week’s vulnerabilities?

WordPress vulnerabilities are categorized according to Patchstack’s Patch Priority Score (i.e., the likelihood of the vulnerability resulting in significant exploits), ranging from low severity to high severity; high-severity vulnerabilities should be patched as soon as possible.

Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.

  • Low-severity vulnerabilities this week: 130
  • Medium-severity vulnerabilities: 27
  • High-severity vulnerabilities: 11

What are the most dangerous vulnerabilities?

If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:

WordPress vulnerabilities discovered from June 26 to July 2, 2024

Vulnerable plugins with 100K+ installs

Contact Form 7 plugin

Unauthenticated Open Redirect vulnerability. Update the WordPress Contact Form 7 plugin to the latest available version (at least 5.9.5).

Installs: 10M | CVSS 4.7

WordPress WooCommerce plugin

Content Injection vulnerability. Update the WordPress WooCommerce plugin to the latest available version (at least 9.0.0).

Installs: 7M | CVSS 3.5

WordPress Elementor Pro

Reflected Cross Site Scripting (XSS) vulnerability. Update the WordPress Elementor Pro plugin to the latest available version (at least 3.21.3).

Installs: 5M | CVSS 7.1

Elementor Website Builder plugin

Arbitrary SVG File Download vulnerability. Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.22.2).

Installs: 5M | CVSS 5.5

Rank Math SEO plugin

Authenticated Stored XSS vulnerability. Update the WordPress Rank Math SEO plugin to the latest available version (at least 1.0.219).

Installs: 2M | CVSS 5.9

WordPress ElementsKit Lite plugin

Unauthenticated Broken Access Control vulnerability. Update the WordPress ElementsKit Elementor addons plugin to the latest available version (at least 3.2.0).

Installs: 1M | CVSS 5.3

WP File Manager plugin

Broken Access Control vulnerability. Update the WordPress File Manager plugin to the latest available version (at least 7.2.8).

Installs: 1M | CVSS 4.3

Slider Revolution plugin

Cross Site Scripting (XSS) vulnerability. Update the WordPress Slider Revolution plugin to the latest available version (at least 6.7.14).

Installs: 920K | CVSS 5.9

Easy Table of Contents plugin

Admin+ Stored XSS vulnerability. Update the WordPress Easy Table of Contents plugin to the latest available version (at least 2.0.66).

Installs: 500K | CVSS 5.9

Happy Addons for Elementor plugin

Authenticated (Contributor+) Stored Cross-Site Scripting via Gradient Heading Widget vulnerability. Update the WordPress Happy Addons for Elementor plugin to the latest available version (at least 3.11.2).

Installs: 400K | CVSS 6.5

Gutenberg Blocks with AI by Kadence WP plugin

Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes vulnerability. Update the WordPress Gutenberg Blocks by Kadence Blocks plugin to the latest available version (at least 3.2.46).

Installs: 400K | CVSS 6.5

Gutenberg Blocks with AI by Kadence WP plugin

Contributor+ Stored Cross-Site Scripting in Google Maps Widget vulnerability. Update the WordPress Gutenberg Blocks by Kadence Blocks plugin to the latest available version (at least 3.2.43).

Installs: 400K | CVSS 6.5

WordPress PixelYourSite plugin

Cross Site Scripting (XSS) vulnerability. Update the WordPress PixelYourSite – Your smart PIXEL (TAG) Manager plugin to the latest available version (at least 9.6.2).

Installs: 400K | CVSS 5.9

WordPress PDF Embedder plugin

Cross Site Scripting (XSS) vulnerability. Update the WordPress PDF Embedder plugin to the latest available version (at least 4.8.0).

Installs: 300K | CVSS 6.5

WordPress Pods plugin

Injected Backdoor vulnerability. Version 3.2.3 of the WordPress Pods plugin is affected; update to any other version, whether older or newer.

Installs: 100K | CVSS 10.0

HT Mega – Absolute Addons For Elementor

Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability. Update the WordPress HT Mega plugin to the latest available version (at least 2.5.6).

Installs: 100K | CVSS 6.5

Elementor Addon Elements plugin

Contributor+ Stored Cross-Site Scripting vulnerability. Update the WordPress Elementor Addon Elements plugin to the latest available version (at least 1.13.6).

Installs: 100K | CVSS 6.5

The Plus Addons for Elementor

Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability. Update the WordPress The Plus Addons for Elementor Page Builder Lite plugin to the latest available version (at least 5.6.1).

Installs: 100K | CVSS 6.5

Stackable – Page Builder Gutenberg Blocks plugin

Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability. Update the WordPress Stackable – Page Builder Gutenberg Blocks plugin to the latest available version (at least 3.13.2).

Installs: 100K | CVSS 6.5

WP Chat App plugin

Admin+ Stored XSS vulnerability. Update the WordPress WP Chat App plugin to the latest available version (at least 3.6.5).

Installs: 100K | CVSS 5.9

Advanced File Manager plugin

Sensitive Information Exposure via Directory Listing vulnerability. Update the WordPress Advanced File Manager plugin to the latest available version (at least 5.2.5).

Installs: 100K | CVSS 5.3

WP Mobile Menu plugin

Cross Site Request Forgery (CSRF) vulnerability. Update the WordPress WP Mobile Menu plugin to the latest available version (at least 2.8.4.4).

Installs: 100K | CVSS 4.3

Vulnerable plugins with up to 100K installs

WordPress Email Subscribers by Icegram Express plugin <= 5.7.25 – Unauthenticated SQL Injection vulnerability
WordPress Paid Memberships Pro plugin <= 3.0.4 – Insecure Direct Object References (IDOR) vulnerability
WordPress Events Manager plugin <= 6.4.8 – Reflected Cross-Site Scripting vulnerability
WordPress The Post Grid plugin <= 7.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via section title tag vulnerability
WordPress LearnPress plugin <= 4.2.6.8.1 – Unauthenticated Bypass to User Registration vulnerability
WordPress LearnPress plugin <= 4.2.6.8.1 – Missing Authorization to Unauthenticated User Registration Bypass vulnerability
WordPress Featured Image from URL (FIFU) plugin <= 4.8.1 – Broken Access Control vulnerability
WordPress Defender plugin <= 4.7.1 – Broken Access Control vulnerability
WordPress Embedpress plugin <= 4.0.2 – Cross Site Scripting (XSS) vulnerability
WordPress Permalink Manager Lite plugin <= 2.4.3.3 – Reflected Cross Site Scripting (XSS) vulnerability
WordPress WordPress Plugin for Google Maps plugin <= 4.6.1 – Authenticated (Contributor+) SQL Injection vulnerability
WordPress Tutor LMS plugin <= 2.7.1 – SQL Injection vulnerability
WordPress Depicter Slider plugin <= 3.0.2 – Cross Site Scripting (XSS) vulnerability
WordPress Tutor LMS plugin <= 2.7.1 – Path Traversal vulnerability
WordPress OnePress theme <= 2.3.6 – Cross Site Request Forgery (CSRF) vulnerability
WordPress Media Library Assistant plugin <= 3.17 – Reflected Cross-Site Scripting vulnerability
WordPress 3D FlipBook – PDF Flipbook WordPress plugin <= 1.15.5 – Cross Site Scripting (XSS) vulnerability
WordPress Page and Post Clone plugin <= 6.0 – Insecure Direct Object Reference to Authenticated (Author+) Sensitive Information Exposure vulnerability
WordPress Exclusive Addons for Elementor plugin <= 2.6.9.8 – Contributor+ Stored Cross-Site Scripting via Card Widget vulnerability
WordPress NextScripts plugin <= 4.4.6 – Reflected Cross Site Scripting (XSS) vulnerability
WordPress Sina Extension for Elementor plugin <= 3.5.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via read_more_text Parameter vulnerability
WordPress Form Maker by 10Web plugin < 1.15.26 – Admin+ Stored XSS vulnerability
WordPress PDF Viewer for Elementor plugin <= 2.9.3 – Cross Site Scripting (XSS) vulnerability
WordPress Quiz And Survey Master plugin < 9.0.2 – Contributor+ Stored XSS vulnerability
WordPress DethemeKit For Elementor plugin <= 2.1.5 – Contributor+ Stored Cross-Site Scripting via URL Parameter of the De Gallery Widget vulnerability
WordPress H5P plugin < 1.15.8 – Contributor+ Stored XSS vulnerability
WordPress Twenty20 Image Before After plugin 1.5.4, 1.6.2, 1.6.3 – Injected Backdoor vulnerability
WordPress Void Contact Form 7 Widget For Elementor Page Builder plugin <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via cf7_redirect_page Attribute vulnerability
WordPress Easy Google Maps plugin <= 1.11.15 – Authenticated (Author+) Stored Cross-Site Scripting vulnerability
WordPress Rife Elementor Extensions & Templates plugin <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Widget vulnerability
WordPress Portfolio Gallery – Image Gallery Plugin plugin <= 1.6.4 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability
WordPress Gallery Blocks with Lightbox plugin <= 3.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via galleryID and className Parameters vulnerability
WordPress Cost Calculator Builder plugin <= 3.2.12 – Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
WordPress Cost Calculator Builder plugin <= 3.2.12 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Creation vulnerability
WordPress Mesmerize theme <= 1.6.120 – Cross Site Request Forgery (CSRF) vulnerability
WordPress PDF Poster plugin <= 2.1.21 – Cross Site Scripting (XSS) vulnerability
WordPress UsersWP plugin <= 1.2.10 – Unauthenticated SQL Injection via ‘uwp_sort_by’ vulnerability
WordPress Masterstudy Elementor Widgets plugin <= 1.2.2 – Remote Code Execution (RCE) vulnerability
WordPress Striking theme <= 2.3.4 – Reflected Cross Site Scripting (XSS) vulnerability
WordPress Conversios.io plugin <= 7.1.0 – Reflected Cross-Site Scripting vulnerability
WordPress Striking theme <= 2.3.4 – Local File Inclusion vulnerability
WordPress Masterstudy Elementor Widgets plugin <= 1.2.2 – SQL Injection vulnerability
WordPress PDF.js Viewer plugin <= 2.1.8.1 – Cross Site Scripting (XSS) vulnerability
WordPress Ultimate Post Kit Addons For Elementor plugin <= 3.11.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Social Count (Static) Widget vulnerability
WordPress Funnel Builder for WordPress by FunnelKit plugin <= 3.3.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload vulnerability
WordPress Branda plugin <= 3.4.17 – Cross Site Scripting (XSS) vulnerability
WordPress Masterstudy Elementor Widgets plugin <= 1.2.2 – Unauthenticated Broken Access Control vulnerability
WordPress WP Photo Album Plus plugin <= 8.8.00.002 – Reflected Cross Site Scripting (XSS) vulnerability
WordPress Mailster plugin <= 4.0.9 – Reflected Cross Site Scripting (XSS) vulnerability
WordPress LA-Studio Element Kit for Elementor plugin <= 1.3.8.1 – Local File Inclusion vulnerability
WordPress All-in-One Addons for Elementor – WidgetKit plugin <= 2.5.0 – Cross Site Scripting (XSS) vulnerability
WordPress HTML5 Audio Player plugin <= 2.2.23 – Cross Site Scripting (XSS) vulnerability
WordPress E2Pdf plugin <= 1.20.27 – Broken Access Control vulnerability
WordPress Easy Affiliate Links plugin <= 3.7.3 – Missing Authorization to Authenticated (Subscriber+) Settings Reset vulnerability
WordPress PDF Viewer plugin <= 1.1.0 – Cross Site Scripting (XSS) vulnerability
WordPress Wonder PDF Embed plugin <= 2.7 – Cross Site Scripting (XSS) vulnerability
WordPress E2Pdf plugin <= 1.24.00 – Cross Site Scripting (XSS) vulnerability
WordPress BSK PDF Manager plugin <= 3.6 – Cross Site Scripting (XSS) vulnerability
WordPress ARI Fancy Lightbox plugin <= 1.3.14 – Cross Site Scripting (XSS) vulnerability
WordPress PowerPack Lite for Beaver Builder plugin <= 1.3.0.4 – Cross Site Scripting (XSS) vulnerability
WordPress Motors – Car Dealer, Classifieds & Listing plugin <= 1.4.9 – Missing Authorization vulnerability
WordPress PowerPack Lite for Beaver Builder plugin <= 1.3.0.3 – Local File Inclusion vulnerability
WordPress Advanced Custom Fields Pro plugin < 6.3.2 – Subscriber+ Broken Access Control vulnerability
WordPress Advanced Custom Fields Pro plugin < 6.3.2 – Contributor+ Broken Access Control vulnerability
WordPress Advanced Custom Fields Pro plugin < 6.3.2 – Cross-Site Request Forgery (CSRF) vulnerability
WordPress Create by Mediavine plugin <= 1.9.7 – Contributor+ Stored Cross-Site Scripting via Schema Meta Shortcode vulnerability
WordPress Print My Blog plugin <= 3.27.0 – Cross Site Scripting (XSS) vulnerability
WordPress Easy Image Collage plugin <= 1.13.5 – Missing Authorization to Authenticated (Contributor+) Arbitrary Post Content Deletion vulnerability
WordPress Foxiz Theme theme <= 2.3.5 – Server Side Request Forgery (SSRF) vulnerability
WordPress Esteem theme <= 1.5.0 – Cross Site Scripting (XSS) vulnerability
WordPress Patreon WordPress plugin <= 1.9.0 – Image Protection Bypass vulnerability
WordPress Schema Lite theme <= 1.2.2 – Cross Site Request Forgery (CSRF) vulnerability
WordPress Social Rocket plugin <= 1.3.3 – Reflected Cross Site Scripting (XSS) vulnerability
WordPress Online Booking & Scheduling Calendar plugin <= 4.4.2 – Reflected Cross Site Scripting (XSS) vulnerability
WordPress Stock Ticker plugin <= 3.24.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via stock_ticker Shortcode vulnerability
WordPress Perfect Portfolio theme <= 1.2.0 – Cross Site Request Forgery (CSRF) vulnerability
WordPress Travel Agency theme <= 1.4.9 – Cross Site Request Forgery (CSRF) vulnerability
WordPress WPDirectoryKit plugin <= 1.3.6 – HTML Injection vulnerability
WordPress Zita Elementor Site Library plugin <= 1.6.1 – Arbitrary Code Execution vulnerability
WordPress Groundhogg plugin <= 3.4.2.3 – Reflected Cross Site Scripting (XSS) vulnerability
WordPress Cowidgets – Elementor Addons plugin <= 1.1.1 – Local File Inclusion vulnerability
WordPress EazyDocs plugin < 2.5.0 – Admin+ Stored XSS vulnerability
WordPress Cards for Beaver Builder plugin <= 1.1.4 – Cross Site Scripting (XSS) vulnerability
WordPress Atarim plugin <= 3.31 – Authenticated Cross Site Scripting (XSS) vulnerability
WordPress Chained Quiz plugin <= 1.3.2.8 – Cross Site Scripting (XSS) vulnerability
WordPress Blossom Shop theme <= 1.1.7 – Cross Site Request Forgery (CSRF) vulnerability
WordPress Preschool and Kindergarten theme <= 1.2.1 – Cross Site Request Forgery (CSRF) vulnerability
WordPress JobScout theme <= 1.1.4 – Cross Site Request Forgery (CSRF) vulnerability
WordPress PayPlus Payment Gateway plugin <= 6.6.8 – Unauthenticated SQL Injection vulnerability
WordPress Newspack Blocks plugin <= 3.0.8 – Arbitrary File Upload vulnerability
WordPress Newspack Blocks plugin <= 3.0.8 – Contributor+ Arbitrary Directory Deletion vulnerability
WordPress Goya theme <= 1.0.8.7 – Unauthenticated Reflected Cross-Site Scripting via Multiple Parameters vulnerability
WordPress WP Extended plugin <= 2.4.7 – Cross Site Scripting (XSS) vulnerability
WordPress WP-Lister Lite for Amazon plugin <= 2.6.16 – Reflected Cross Site Scripting (XSS) vulnerability
WordPress IdeaPush plugin <= 8.60 – Cross Site Scripting (XSS) vulnerability
WordPress Extensions for Elementor plugin <= 2.0.30 – Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter vulnerability
WordPress Boot Store theme <= 1.6.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode vulnerability
WordPress Post Meta Data Manager plugin <= 1.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
WordPress Enter Addons – Ultimate Template Builder for Elementor plugin <= 2.1.6 – Cross Site Scripting (XSS) vulnerability
WordPress Tainacan plugin <= 0.21.5 – Cross Site Scripting (XSS) vulnerability
WordPress Login with phone number plugin <= 1.7.35 – Admin+ Cross Site Scripting (XSS) vulnerability
WordPress Newspack Blocks plugin <= 3.0.8 – Broken Access Control vulnerability
WordPress Timetics plugin <= 1.0.21 – Broken Access Control vulnerability
WordPress Travel Monster theme <= 1.1.2 – Cross Site Request Forgery (CSRF) vulnerability
WordPress Coachify theme <= 1.0.7 – Cross Site Request Forgery (CSRF) vulnerability
WordPress Elegant Pink theme 1.3.0 – Cross Site Request Forgery (CSRF) vulnerability
WordPress NewsMash theme <= 1.0.34 – Cross Site Request Forgery (CSRF) vulnerability
WordPress Church Admin plugin <= 4.4.4 – Broken Access Control vulnerability
WordPress WP Job Manager plugin <= 2.1.0 – Broken Access Control vulnerability
WordPress Benevolent theme <= 1.3.4 – Cross Site Request Forgery (CSRF) vulnerability
WordPress Photo Gallery by Ays – Responsive Image Gallery plugin < 5.7.1 – HTML Injection vulnerability
WordPress Uncanny Automator Pro plugin < 5.3.0.1 – Cross Site Request Forgery (CSRF) Leading to License Settings Reset vulnerability
WordPress Uncanny Automator Pro plugin < 5.3.0.1 – Unauthenticated License Settings Reset vulnerability
WordPress Simple Photoswipe plugin <= 0.1 – Subscriber+ Arbitrary Settings Update vulnerability
WordPress Pagerank Tools plugin <= 1.1.5 – Reflected XSS vulnerability
WordPress Progress Planner plugin <= 0.9.2 – Cross Site Scripting (XSS) vulnerability
WordPress Widget4Call plugin <= 1.0.7 – Reflected XSS vulnerability
WordPress Animated AL List plugin <= 1.0.6 – Reflected XSS vulnerability
WordPress Simple AL Slider plugin <= 1.2.10 – Reflected XSS vulnerability
WordPress Progress Planner plugin <= 0.9.1 – Broken Access Control vulnerability
