Welcome to Patchstack’s WordPress vulnerability overview for the week of June 26 – July 2, 2024.
As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don’t use the Patchstack app (yet).
The first part of the report outlines the most popular plugins you likely have installed on your sites. Then, explore the rest of our list for other plugins you may have installed, and which have vulnerabilities.
Update them to the most recent versions. If no official fix has been released yet, get real-time Patchstack protection to reduce the risk of being attacked before the plugin developers are able to issue an update.
WordPress vulnerability landscape (June 26 – July 2, 2024)
- New WordPress vulnerabilities added to Patchstack’s database: 195
- Vulnerabilities discovered by Patchstack: 120
- Vulnerabilities currently undisclosed (48-hour early warning available to Patchstack users): 48
3 vulnerabilities fixed in WordPress core
On the 24th of June 2024, WordPress.org released a security update and recommended users update their sites as soon as possible. This WordPress core 6.5.5 security release addresses 3 different security vulnerabilities that affect multiple WordPress core versions.
For most sites the update was applied automatically; if yours was not, update WordPress core to the latest version.
Info on the vulnerabilities is below, but you can also read our technical advisory on them here.
- WordPress core < 6.5.5 – Contributor+ Path Traversal (Windows only) vulnerability
- WordPress core < 6.5.5 – Cross-Site Scripting (XSS) via template-part vulnerability
- WordPress core < 6.5.5 – Contributor+ Stored Cross-Site Scripting via HTML API vulnerability
How severe were this week’s vulnerabilities?
WordPress vulnerabilities are categorized according to Patchstack’s Patch Priority Score, an estimate of how likely a vulnerability is to be exploited at scale. Scores range from low severity to high severity; high-severity vulnerabilities should be patched as soon as possible.
Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.
| Low-severity vulnerabilities this week | Medium-severity vulnerabilities | High-severity vulnerabilities |
|---|---|---|
| 130 | 27 | 11 |
What are the most dangerous vulnerabilities?
If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:
- WordPress Zita Elementor Site Library plugin <= 1.6.1 – Arbitrary Code Execution vulnerability
WordPress vulnerabilities discovered from June 26 to July 2, 2024
Vulnerable plugins with 100K+ installs
Vulnerable plugins with up to 100K installs
| WordPress Email Subscribers by Icegram Express plugin <= 5.7.25 – Unauthenticated SQL Injection vulnerability |
| WordPress Paid Memberships Pro plugin <= 3.0.4 – Insecure Direct Object References (IDOR) vulnerability |
| WordPress Events Manager plugin <= 6.4.8 – Reflected Cross-Site Scripting vulnerability |
| WordPress The Post Grid plugin <= 7.7.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via section title tag vulnerability |
| WordPress LearnPress plugin <= 4.2.6.8.1 – Unauthenticated Bypass to User Registration vulnerability |
| WordPress LearnPress plugin <= 4.2.6.8.1 – Missing Authorization to Unauthenticated User Registration Bypass vulnerability |
| WordPress Featured Image from URL (FIFU) plugin <= 4.8.1 – Broken Access Control vulnerability |
| WordPress Defender plugin <= 4.7.1 – Broken Access Control vulnerability |
| WordPress Embedpress plugin <= 4.0.2 – Cross Site Scripting (XSS) vulnerability |
| WordPress Permalink Manager Lite plugin <= 2.4.3.3 – Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress WordPress Plugin for Google Maps plugin <= 4.6.1 – Authenticated (Contributor+) SQL Injection vulnerability |
| WordPress Tutor LMS plugin <= 2.7.1 – SQL Injection vulnerability |
| WordPress Depicter Slider plugin <= 3.0.2 – Cross Site Scripting (XSS) vulnerability |
| WordPress Tutor LMS plugin <= 2.7.1 – Path Traversal vulnerability |
| WordPress OnePress theme <= 2.3.6 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Media Library Assistant plugin <= 3.17 – Reflected Cross-Site Scripting vulnerability |
| WordPress 3D FlipBook – PDF Flipbook WordPress plugin <= 1.15.5 – Cross Site Scripting (XSS) vulnerability |
| WordPress Page and Post Clone plugin <= 6.0 – Insecure Direct Object Reference to Authenticated (Author+) Sensitive Information Exposure vulnerability |
| WordPress Exclusive Addons for Elementor plugin <= 2.6.9.8 – Contributor+ Stored Cross-Site Scripting via Card Widget vulnerability |
| WordPress NextScripts plugin <= 4.4.6 – Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress Sina Extension for Elementor plugin <= 3.5.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via read_more_text Parameter vulnerability |
| WordPress Form Maker by 10Web plugin < 1.15.26 – Admin+ Stored XSS vulnerability |
| WordPress PDF Viewer for Elementor plugin <= 2.9.3 – Cross Site Scripting (XSS) vulnerability |
| WordPress Quiz And Survey Master plugin < 9.0.2 – Contributor+ Stored XSS vulnerability |
| WordPress DethemeKit For Elementor plugin <= 2.1.5 – Contributor+ Stored Cross-Site Scripting via URL Parameter of the De Gallery Widget vulnerability |
| WordPress H5P plugin < 1.15.8 – Contributor+ Stored XSS vulnerability |
| WordPress Twenty20 Image Before After plugin 1.5.4, 1.6.2, 1.6.3 – Injected Backdoor vulnerability |
| WordPress Void Contact Form 7 Widget For Elementor Page Builder plugin <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via cf7_redirect_page Attribute vulnerability |
| WordPress Easy Google Maps plugin <= 1.11.15 – Authenticated (Author+) Stored Cross-Site Scripting vulnerability |
| WordPress Rife Elementor Extensions & Templates plugin <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Widget vulnerability |
| WordPress Portfolio Gallery – Image Gallery Plugin plugin <= 1.6.4 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability |
| WordPress Gallery Blocks with Lightbox plugin <= 3.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via galleryID and className Parameters vulnerability |
| WordPress Cost Calculator Builder plugin <= 3.2.12 – Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability |
| WordPress Cost Calculator Builder plugin <= 3.2.12 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Creation vulnerability |
| WordPress Mesmerize theme <= 1.6.120 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress PDF Poster plugin <= 2.1.21 – Cross Site Scripting (XSS) vulnerability |
| WordPress UsersWP plugin <= 1.2.10 – Unauthenticated SQL Injection via ‘uwp_sort_by’ vulnerability |
| WordPress Masterstudy Elementor Widgets plugin <= 1.2.2 – Remote Code Execution (RCE) vulnerability |
| WordPress Striking theme <= 2.3.4 – Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress Conversios.io plugin <= 7.1.0 – Reflected Cross-Site Scripting vulnerability |
| WordPress Striking theme <= 2.3.4 – Local File Inclusion vulnerability |
| WordPress Masterstudy Elementor Widgets plugin <= 1.2.2 – SQL Injection vulnerability |
| WordPress PDF.js Viewer plugin <= 2.1.8.1 – Cross Site Scripting (XSS) vulnerability |
| WordPress Ultimate Post Kit Addons For Elementor plugin <= 3.11.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Social Count (Static) Widget vulnerability |
| WordPress Funnel Builder for WordPress by FunnelKit plugin <= 3.3.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload vulnerability |
| WordPress Branda plugin <= 3.4.17 – Cross Site Scripting (XSS) vulnerability |
| WordPress Masterstudy Elementor Widgets plugin <= 1.2.2 – Unauthenticated Broken Access Control vulnerability |
| WordPress WP Photo Album Plus plugin <= 8.8.00.002 – Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress Mailster plugin <= 4.0.9 – Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress LA-Studio Element Kit for Elementor plugin <= 1.3.8.1 – Local File Inclusion vulnerability |
| WordPress All-in-One Addons for Elementor – WidgetKit plugin <= 2.5.0 – Cross Site Scripting (XSS) vulnerability |
| WordPress HTML5 Audio Player plugin <= 2.2.23 – Cross Site Scripting (XSS) vulnerability |
| WordPress E2Pdf plugin <= 1.20.27 – Broken Access Control vulnerability |
| WordPress Easy Affiliate Links plugin <= 3.7.3 – Missing Authorization to Authenticated (Subscriber+) Settings Reset vulnerability |
| WordPress PDF Viewer plugin <= 1.1.0 – Cross Site Scripting (XSS) vulnerability |
| WordPress Wonder PDF Embed plugin <= 2.7 – Cross Site Scripting (XSS) vulnerability |
| WordPress E2Pdf plugin <= 1.24.00 – Cross Site Scripting (XSS) vulnerability |
| WordPress BSK PDF Manager plugin <= 3.6 – Cross Site Scripting (XSS) vulnerability |
| WordPress ARI Fancy Lightbox plugin <= 1.3.14 – Cross Site Scripting (XSS) vulnerability |
| WordPress PowerPack Lite for Beaver Builder plugin <= 1.3.0.4 – Cross Site Scripting (XSS) vulnerability |
| WordPress Motors – Car Dealer, Classifieds & Listing plugin <= 1.4.9 – Missing Authorization vulnerability |
| WordPress PowerPack Lite for Beaver Builder plugin <= 1.3.0.3 – Local File Inclusion vulnerability |
| WordPress Advanced Custom Fields Pro plugin < 6.3.2 – Subscriber+ Broken Access Control vulnerability |
| WordPress Advanced Custom Fields Pro plugin < 6.3.2 – Contributor+ Broken Access Control vulnerability |
| WordPress Advanced Custom Fields Pro plugin < 6.3.2 – Cross-Site Request Forgery (CSRF) vulnerability |
| WordPress Create by Mediavine plugin <= 1.9.7 – Contributor+ Stored Cross-Site Scripting via Schema Meta Shortcode vulnerability |
| WordPress Print My Blog plugin <= 3.27.0 – Cross Site Scripting (XSS) vulnerability |
| WordPress Easy Image Collage plugin <= 1.13.5 – Missing Authorization to Authenticated (Contributor+) Arbitrary Post Content Deletion vulnerability |
| WordPress Foxiz theme <= 2.3.5 – Server Side Request Forgery (SSRF) vulnerability |
| WordPress Esteem theme <= 1.5.0 – Cross Site Scripting (XSS) vulnerability |
| WordPress Patreon WordPress plugin <= 1.9.0 – Image Protection Bypass vulnerability |
| WordPress Schema Lite theme <= 1.2.2 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Social Rocket plugin <= 1.3.3 – Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress Online Booking & Scheduling Calendar plugin <= 4.4.2 – Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress Stock Ticker plugin <= 3.24.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via stock_ticker Shortcode vulnerability |
| WordPress Perfect Portfolio theme <= 1.2.0 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Travel Agency theme <= 1.4.9 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress WPDirectoryKit plugin <= 1.3.6 – HTML Injection vulnerability |
| WordPress Zita Elementor Site Library plugin <= 1.6.1 – Arbitrary Code Execution vulnerability |
| WordPress Groundhogg plugin <= 3.4.2.3 – Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress Cowidgets – Elementor Addons plugin <= 1.1.1 – Local File Inclusion vulnerability |
| WordPress EazyDocs plugin < 2.5.0 – Admin+ Stored XSS vulnerability |
| WordPress Cards for Beaver Builder plugin <= 1.1.4 – Cross Site Scripting (XSS) vulnerability |
| WordPress Atarim plugin <= 3.31 – Authenticated Cross Site Scripting (XSS) vulnerability |
| WordPress Chained Quiz plugin <= 1.3.2.8 – Cross Site Scripting (XSS) vulnerability |
| WordPress Blossom Shop theme <= 1.1.7 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Preschool and Kindergarten theme <= 1.2.1 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress JobScout theme <= 1.1.4 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress PayPlus Payment Gateway plugin <= 6.6.8 – Unauthenticated SQL Injection vulnerability |
| WordPress Newspack Blocks plugin <= 3.0.8 – Arbitrary File Upload vulnerability |
| WordPress Newspack Blocks plugin <= 3.0.8 – Contributor+ Arbitrary Directory Deletion vulnerability |
| WordPress Goya theme <= 1.0.8.7 – Unauthenticated Reflected Cross-Site Scripting via Multiple Parameters vulnerability |
| WordPress WP Extended plugin <= 2.4.7 – Cross Site Scripting (XSS) vulnerability |
| WordPress WP-Lister Lite for Amazon plugin <= 2.6.16 – Reflected Cross Site Scripting (XSS) vulnerability |
| WordPress IdeaPush plugin <= 8.60 – Cross Site Scripting (XSS) vulnerability |
| WordPress Extensions for Elementor plugin <= 2.0.30 – Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter vulnerability |
| WordPress Boot Store theme <= 1.6.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode vulnerability |
| WordPress Post Meta Data Manager plugin <= 1.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability |
| WordPress Enter Addons – Ultimate Template Builder for Elementor plugin <= 2.1.6 – Cross Site Scripting (XSS) vulnerability |
| WordPress Tainacan plugin <= 0.21.5 – Cross Site Scripting (XSS) vulnerability |
| WordPress Login with phone number plugin <= 1.7.35 – Admin+ Cross Site Scripting (XSS) vulnerability |
| WordPress Newspack Blocks plugin <= 3.0.8 – Broken Access Control vulnerability |
| WordPress Timetics plugin <= 1.0.21 – Broken Access Control vulnerability |
| WordPress Travel Monster theme <= 1.1.2 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Coachify theme <= 1.0.7 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Elegant Pink theme 1.3.0 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress NewsMash theme <= 1.0.34 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Church Admin plugin <= 4.4.4 – Broken Access Control vulnerability |
| WordPress WP Job Manager plugin <= 2.1.0 – Broken Access Control vulnerability |
| WordPress Benevolent theme <= 1.3.4 – Cross Site Request Forgery (CSRF) vulnerability |
| WordPress Photo Gallery by Ays – Responsive Image Gallery plugin < 5.7.1 – HTML Injection vulnerability |
| WordPress Uncanny Automator Pro plugin < 5.3.0.1 – Cross Site Request Forgery (CSRF) Leading to License Settings Reset vulnerability |
| WordPress Uncanny Automator Pro plugin < 5.3.0.1 – Unauthenticated License Settings Reset vulnerability |
| WordPress Simple Photoswipe plugin <= 0.1 – Subscriber+ Arbitrary Settings Update vulnerability |
| WordPress Pagerank Tools plugin <= 1.1.5 – Reflected XSS vulnerability |
| WordPress Progress Planner plugin <= 0.9.2 – Cross Site Scripting (XSS) vulnerability |
| WordPress Widget4Call plugin <= 1.0.7 – Reflected XSS vulnerability |
| WordPress Animated AL List plugin <= 1.0.6 – Reflected XSS vulnerability |
| WordPress Simple AL Slider plugin <= 1.2.10 – Reflected XSS vulnerability |
| WordPress Progress Planner plugin <= 0.9.1 – Broken Access Control vulnerability |
How does Patchstack make WordPress safer?
Patchstack protects WordPress websites against vulnerable plugins. As the #1 vulnerability processor (CNA) globally, we maintain a database of over 18,000 vulnerabilities. Our users receive 48-hour early warning for new vulnerabilities and real-time vPatching to protect their websites until the vulnerabilities are resolved.
Start getting tailored notifications for the plugins installed on your site for free. Sign up today!