Patchstack's Weekly WordPress Vulnerability Overview - May 29 to June 04 2024

Welcome to Patchstack's WordPress vulnerability overview for the week of May 29 to June 04 2024.

As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don't use the Patchstack app (yet).

The first part of the report outlines the most popular plugins you likely have installed on your sites. Then, explore the rest of our list for other plugins you may have installed, and which have vulnerabilities.

Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers are able to issue an update.

WordPress vulnerability landscape (May 29 - June 04 2024)

• New WordPress vulnerabilities added to Patchstack's database: 116
• Vulnerabilities discovered by Patchstack: 40
• Currently undisclosed vulnerabilities due to 48hr early warning available to Patchstack users: 27

How severe were this week's vulnerabilities?

WordPress vulnerabilities are categorized according to Patchstack's Patch Priority Score (i.e., likelihood of resulting in significant exploits), ranging from low-severity vulnerabilities to high-severity, which should be updated as soon as possible.

Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.

What are the most dangerous vulnerabilities?

If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:

• AppPresser plugin <= 4.3.2
• Atarim plugin <= 3.30
• Comparison Slider plugin <= 1.0.5 [Deactivate and delete the plugin - it's pending full closure.]
• HTML5 Video Player plugin < 2.5.27
• Swiss Toolkit For WP plugin <= 1.0.7
• Unlimited Elements for Elementor plugin <= 1.5.89

WordPress vulnerabilities discovered from May 29 to June 04 2024

Vulnerable plugins with 100K+ installs

Essential Addons for Elementor <= 5.9.21

Cross-Site Scripting (XSS)

2M

YITH WooCommerce Wishlist <= 3.32.0

Cross-Site Scripting (XSS)

900K

Premium Addons for Elementor <= 4.10.31

Broken Access Control

700K

Happy Addons for Elementor <= 3.10.9

Cross-Site Scripting (XSS)

400K

Unlimited Elements for Elementor plugin <= 1.5.107

Remote Code Execution (RCE) and Cross-Site Scripting (XSS)

200K

Blocksy Companion plugin <= 2.0.42

Server-Side Request Forgery (SSRF)

200K

WP STAGING plugin <= 3.5.0

Arbitrary File Upload and Server-Side Request Forgery (SSRF)

100K

HUSKY plugin <= 1.3.5.3

Cross-Site Scripting (XSS)

100K

Download Monitor plugin <= 4.9.13

Broken Access Control

100K

PowerPack Addons for Elementor plugin <= 2.7.19

Cross-Site Scripting (XSS)

100K

Download Manager plugin <= 3.2.90

Cross-Site Scripting (XSS)

100K

Vulnerable plugins with up to 100K+ installs

• ActiveDEMAND plugin <= 0.2.43 - Cross Site Request Forgery (CSRF) vulnerability
• AffiEasy plugin <= 1.1.7 - Cross-Site Request Forgery to Various Actions vulnerability
• AppPresser plugin <= 4.3.2 - Improper Missing Encryption Exception Handling to Authentication Bypass vulnerability
• Atarim plugin <= 3.30 - Unauthenticated Stored Cross-Site Scripting vulnerability
• Church Admin plugin <= 4.3.6 - Server Side Request Forgery (SSRF) vulnerability
• Comparison Slider plugin <= 1.0.5 - Cross-Site Request Forgery, Missing Authorization, and Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerabilities
• DethemeKit For Elementor plugin <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via slitems Attribute vulnerability
• Fetch JFT plugin <= 1.8.3 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
• Gianism plugin <= 5.1.0 - Admin+ Stored XSS vulnerability
• Global Notification Bar plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability
• Gum Elementor Addon plugin <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Price Table and Post Slider Widgets vulnerability
• HTML5 Video Player plugin < 2.5.27 - Unauthenticated SQLi vulnerability
• Just Writing Statistics plugin <= 4.5 - Cross Site Scripting (XSS) vulnerability
• List categories plugin <= 0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
• Ninja Tables plugin <= 5.0.9 - Server Side Request Forgery (SSRF) vulnerability
• Playlist for Youtube plugin <= 1.32 - Editor+ Stored XSS vulnerability
• POST SMTP Mailer plugin <= 2.9.3 - Authenticated SQL Injection vulnerability
• PostX plugin <= 4.1.1 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
• Preferred Languages plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability
• Random Banner plugin <= 4.2.8 - Cross Site Scripting (XSS) vulnerability
• Remote Content Shortcode plugin <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
• Responsive Owl Carousel for Elementor plugin <= 1.2.0 - Local File Inclusion vulnerability
• Safety Exit plugin <= 1.7.0 - Cross Site Scripting (XSS) vulnerability
• Simple Like Page Plugin <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
• Simple Spoiler plugin <= 1.2 - Cross Site Scripting (XSS) vulnerability
• Site Favicon plugin <= 0.2 - Cross Site Scripting (XSS) vulnerability
• Site Reviews plugin < 7.0.0 - IP Spoofing vulnerability
• Smartarget Message Bar plugin <= 1.3 - Cross Site Scripting (XSS) vulnerability
• StopBadBots plugin <= 10.24 - Missing Authorization to Information Expsoure vulnerability
• Swiss Toolkit For WP plugin <= 1.0.7 - Authenticated (Contributor+) Authentication Bypass vulnerability
• Testimonial Carousel For Elementor plugin <= 10.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
• The Plus Addons for Elementor Pro plugin <= 5.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Heading Title Widget vulnerability
• Uploadcare File Uploader and Adaptive Delivery plugin <= 3.0.11 - Cross Site Request Forgery (CSRF) vulnerability
• WP Back Button plugin <= 1.1.3 - Cross Site Scripting (XSS) vulnerability
• WPCafe plugin <= 2.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Reservation Form Shortcode vulnerability
• WpTravelly plugin <= 1.7.1 - Missing Authorization via ttbm_new_place_save vulnerability
• WP To Do plugin <= 1.3.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings vulnerability and Multiple CSRF vulnerability
• Yumpu ePaper publishing plugin <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification vulnerability

Start getting tailored vulnerability notifications (free).

Sign up

Explore the database for vulnerability details.

Browse

How does Patchstack make WordPress safer?

Security SaaS

Identifies known vulnerabilities in WordPress core, plugins, and themes to provide automated protection (virtual patching) for your WordPress websites.

Alliance platform

Our bug-hunting platform connects ethical hackers with open-source vendors and helps keep open-source secure.

Database

We manage the world's biggest free WordPress vulnerability database which hosting companies and enterprises can leverage to protect their customers.

Auditing

We provide professional code review and security auditing to open-source software such as WordPress plugins and themes.