Patchstack’s Weekly WordPress Vulnerability Overview – May 29 to June 04 2024

Published 5 June 2024
Updated 17 July 2024

Welcome to Patchstack’s WordPress vulnerability overview for the week of May 29 to June 04 2024.

As the #1 vulnerability processor in the world, Patchstack brings you this report so you can stay safe even if you don’t use the Patchstack app (yet).

The first part of the report outlines the most popular plugins you likely have installed on your sites. Then, explore the rest of our list for other plugins you may have installed that have vulnerabilities.

Update them to the most recent versions or, in case the update is not official yet, get real-time Patchstack protection to reduce the risk of getting attacked before the plugin developers are able to issue an update.

WordPress vulnerability landscape (May 29 – June 04 2024)

  • New WordPress vulnerabilities added to Patchstack’s database: 116
  • Vulnerabilities discovered by Patchstack: 40
  • Currently undisclosed vulnerabilities due to 48hr early warning available to Patchstack users: 27

How severe were this week’s vulnerabilities?

WordPress vulnerabilities are categorized according to Patchstack’s Patch Priority Score (i.e., likelihood of resulting in significant exploits), ranging from low-severity vulnerabilities to high-severity, which should be updated as soon as possible.

Patchstack offers the vPatching functionality to keep you safe before you can apply the plugin/theme update.

  • Low-severity vulnerabilities this week: 95
  • Medium-severity vulnerabilities: 13
  • High-severity vulnerabilities: 8

What are the most dangerous vulnerabilities?

If you have the following plugins installed, check for the update immediately or get real-time protection with Patchstack. The highest-severity vulnerabilities are the ones most likely to be used by attackers in exploits:

  • AppPresser plugin <= 4.3.2
  • Atarim plugin <= 3.30
  • Comparison Slider plugin <= 1.0.5 [Deactivate and delete the plugin – it’s pending full closure.]
  • HTML5 Video Player plugin < 2.5.27
  • Swiss Toolkit For WP plugin <= 1.0.7
  • Unlimited Elements for Elementor plugin <= 1.5.89

WordPress vulnerabilities discovered from May 29 to June 04 2024

Vulnerable plugins with 100K+ installs

Vulnerable plugins with up to 100K installs

  • ActiveDEMAND plugin <= 0.2.43 – Cross Site Request Forgery (CSRF) vulnerability
  • AffiEasy plugin <= 1.1.7 – Cross-Site Request Forgery to Various Actions vulnerability
  • AppPresser plugin <= 4.3.2 – Improper Missing Encryption Exception Handling to Authentication Bypass vulnerability
  • Atarim plugin <= 3.30 – Unauthenticated Stored Cross-Site Scripting vulnerability
  • Church Admin plugin <= 4.3.6 – Server Side Request Forgery (SSRF) vulnerability
  • Comparison Slider plugin <= 1.0.5 – Cross-Site Request Forgery, Missing Authorization, and Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerabilities
  • DethemeKit For Elementor plugin <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via slitems Attribute vulnerability
  • Fetch JFT plugin <= 1.8.3 – Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
  • Gianism plugin <= 5.1.0 – Admin+ Stored XSS vulnerability
  • Global Notification Bar plugin <= 1.0.1 – Cross Site Scripting (XSS) vulnerability
  • Gum Elementor Addon plugin <= 1.3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Price Table and Post Slider Widgets vulnerability
  • HTML5 Video Player plugin < 2.5.27 – Unauthenticated SQLi vulnerability
  • Just Writing Statistics plugin <= 4.5 – Cross Site Scripting (XSS) vulnerability
  • List categories plugin <= 0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
  • Ninja Tables plugin <= 5.0.9 – Server Side Request Forgery (SSRF) vulnerability
  • Playlist for Youtube plugin <= 1.32 – Editor+ Stored XSS vulnerability
  • POST SMTP Mailer plugin <= 2.9.3 – Authenticated SQL Injection vulnerability
  • PostX plugin <= 4.1.1 – Authenticated (Author+) Stored Cross-Site Scripting vulnerability
  • Preferred Languages plugin <= 2.2.2 – Cross Site Scripting (XSS) vulnerability
  • Random Banner plugin <= 4.2.8 – Cross Site Scripting (XSS) vulnerability
  • Remote Content Shortcode plugin <= 1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
  • Responsive Owl Carousel for Elementor plugin <= 1.2.0 – Local File Inclusion vulnerability
  • Safety Exit plugin <= 1.7.0 – Cross Site Scripting (XSS) vulnerability
  • Simple Like Page Plugin <= 1.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
  • Simple Spoiler plugin <= 1.2 – Cross Site Scripting (XSS) vulnerability
  • Site Favicon plugin <= 0.2 – Cross Site Scripting (XSS) vulnerability
  • Site Reviews plugin < 7.0.0 – IP Spoofing vulnerability
  • Smartarget Message Bar plugin <= 1.3 – Cross Site Scripting (XSS) vulnerability
  • StopBadBots plugin <= 10.24 – Missing Authorization to Information Exposure vulnerability
  • Swiss Toolkit For WP plugin <= 1.0.7 – Authenticated (Contributor+) Authentication Bypass vulnerability
  • Testimonial Carousel For Elementor plugin <= 10.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
  • The Plus Addons for Elementor Pro plugin <= 5.5.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Heading Title Widget vulnerability
  • Uploadcare File Uploader and Adaptive Delivery plugin <= 3.0.11 – Cross Site Request Forgery (CSRF) vulnerability
  • WP Back Button plugin <= 1.1.3 – Cross Site Scripting (XSS) vulnerability
  • WPCafe plugin <= 2.2.24 – Authenticated (Contributor+) Stored Cross-Site Scripting via Reservation Form Shortcode vulnerability
  • WpTravelly plugin <= 1.7.1 – Missing Authorization via ttbm_new_place_save vulnerability
  • WP To Do plugin <= 1.3.0 – Authenticated (Admin+) Stored Cross-Site Scripting via Settings vulnerability and Multiple CSRF vulnerability
  • Yumpu ePaper publishing plugin <= 2.0.24 – Missing Authorization to PDF Upload, Publishing, and API Key Modification vulnerability

How does Patchstack make WordPress safer?

Patchstack protects WordPress websites against vulnerable plugins. As the #1 vulnerability processor (CNA) globally, we maintain a database of over 18,000 vulnerabilities. Our users receive 48-hour early warning for new vulnerabilities and real-time vPatching to protect their websites until the vulnerabilities are resolved.

Start getting tailored notifications for the plugins installed on your site for free. Sign up today!
