Wordfence Intelligence Weekly WordPress Vulnerability Report (January 29, 2024 to February 4, 2024)


🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024, when you opt to have Wordfence handle responsible disclosure!


Last week, 122 vulnerabilities disclosed in 110 WordPress Plugins and no WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 52 Vulnerability Researchers contributed to WordPress Security. Review the vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 32
Patched 90

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 104
High Severity 12
Critical Severity 5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 34
Missing Authorization 29
Cross-Site Request Forgery (CSRF) 24
Information Exposure 9
Deserialization of Untrusted Data 5
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 4
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 3
Improper Authorization 3
Improper Access Control 3
Unrestricted Upload of File with Dangerous Type 2
Authentication Bypass by Spoofing 1
Improper Input Validation 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 1
Server-Side Request Forgery (SSRF) 1
URL Redirection to Untrusted Site (‘Open Redirect’) 1
Client-Side Enforcement of Server-Side Security 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Francesco Carlucci 12
Yudistira Arya 8
Ngô Thiên An (ancorn_) 7
Nguyen Xuan Chien 7
Abdi Pranata 6
Dmitrii Ignatyev 5
Mika 5
Lucio Sá 4
Abu Hurayra (HurayraIIT) 4
emad 3
Webbernaut 3
Karl Emil Nikka 3
Dhabaleshwar Das 3
Huynh Tien Si 2
resecured.io 2
Krzysztof Zając 2
Dave Jong 2
Muhammad Daffa 2
Akbar Kustirama 2
Revan Arifio 1
Joshua Martinelle 1
Dimas Maulana 1
István Márton (Wordfence Vulnerability Researcher) 1
Yuhang Liu 1
Sean Murphy 1
Le Ngoc Anh 1
Skalucy 1
Bob Matyas 1
Steven Julian 1
wpdabh 1
Vulzap 1
stealthcopter 1
Nathaniel Oh (0x4n3) 1
Jeongwoo-Lee(Roronoa) 1
0x9567b 1
Elliot 1
Friday 1
isacaya 1
LVT-tholv2k 1
thiennv 1
Joshua Chan 1
Faizal Abroni 1
Marc-Alexandre Montpas 1
Savphill 1
Sh 1
Richard Telleng (stueotue) 1
Debangshu Kundu 1
Arpeet Rathi 1
kauenavarro 1
Daniel Ruf 1
Rob Stevens 1
Rafie Muhammad 1


Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
A no-code page builder for beautiful performance-based content setka-editor
ACF Photo Gallery Field navz-photo-gallery
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup armember-membership
Accessibility accessibility
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store profit-products-tables-for-woocommerce
Add Customer for WooCommerce add-customer-for-woocommerce
Advanced iFrame advanced-iframe
Affiliates Manager affiliates-manager
Anonymous Restricted Content anonymous-restricted-content
Auto Listings – Car Listings & Car Dealership Plugin for WordPress auto-listings
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net woo-bulk-editor
Beds24 Online Booking beds24-online-booking
Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo biteship
BizPrint – Print WooCommerce Order Receipts, Invoices, Labels & More. print-google-cloud-print-gcp-woocommerce
Booking Calendar | Appointment Booking | BookIt bookit
CC BMI Calculator cc-bmi-calculator
CP Media Player – Audio Player and Video Player audio-and-video-player
Calculated Fields Form calculated-fields-form
CalculatorPro Calculators calculatorpro-calculators
Chartify – WordPress Chart Plugin chart-builder
Cincopa video and media plug-in video-playlist-and-gallery-plugin
Click To Tweet click-to-tweet
Cookie Information | Free GDPR Consent Solution wp-gdpr-compliance
Custom Order Numbers for WooCommerce custom-order-numbers-for-woocommerce
Custom Order Status for WooCommerce custom-order-statuses-woocommerce
Database for Contact Form 7, WPforms, Elementor forms contact-form-entries
Debug debug
Don’t Muck My Markup dont-muck-my-markup
ERE Recently Viewed – Essential Real Estate Add-On ere-recently-viewed
Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) easy-digital-downloads
Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) bdthemes-element-pack-lite
Email Before Download email-before-download
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders essential-addons-for-elementor-lite
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin mage-eventpress
EventON Pro eventon
EventPrime – Events Calendar, Bookings and Tickets eventprime-event-calendar-management
FG Drupal to WordPress fg-drupal-to-wp
FG Joomla to WordPress fg-joomla-to-wordpress
FG PrestaShop to WooCommerce fg-prestashop-to-woocommerce
Fatal Error Notify fatal-error-notify
Feed Them Social – Page, Post, Video, and Photo Galleries feed-them-social
Five Star Restaurant Reviews good-reviews-wp
Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms happyforms
GDPR Data Request Form gdpr-data-request-form
Happy Addons for Elementor happy-elementor-addons
Heateor Social Login WordPress heateor-social-login
Html5 Video Player UNKNOWN-CVE-2023-6485-1
Icons Font Loader icons-font-loader
Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels instant-images
JTRT Responsive Tables jtrt-responsive-tables
JetBackup – WP Backup, Migrate & Restore backup
Kikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerce map-location-picker-at-checkout-for-woocommerce
Knowledge Base for Documentation, FAQs with AI Assistance echo-knowledge-base
LearnDash LMS sfwd-lms
Load More Anything ajax-load-more-anything
MW WP Form mw-wp-form
MapPress Maps for WordPress mappress-google-maps-for-wordpress
Mighty Addons for Elementor mighty-addons
MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution dc-woocommerce-multi-vendor
NEX-Forms – Ultimate Form Builder – Contact forms and much more nex-forms-express-wp-form-builder
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress ninja-forms
OWL Carousel – WordPress Owl Carousel Slider lgx-owl-carousel
Orbit Fox by ThemeIsle themeisle-companion
Order Delivery Date for WP e-Commerce order-delivery-date
PDF Flipbook, 3D Flipbook – DearFlip 3d-flipbook-dflip-lite
PT Sign Ups – Beautiful volunteer sign ups and management made easy ptoffice-sign-ups
Page Builder: Pagelayer – Drag and Drop website builder pagelayer
Page Restrict pagerestrict
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress wp-user-avatar
Persian Fonts persian-fonts
PilotPress pilotpress
Popup More Popups, Lightboxes, and more popup modules popup-more
PopupAlly popupally
Post Thumbnail Editor post-thumbnail-editor
PowerPack Pro for Elementor powerpack-elements
Premium Addons for Elementor premium-addons-for-elementor
ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks product-blocks
Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic shareaholic
PropertyHive propertyhive
Quicksand Post Filter jQuery Plugin quicksand-jquery-post-filter
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator feedzy-rss-feeds
Relevanssi – A Better Search (Pro) relevanssi-premium
Restrict Usernames Emails Characters restrict-usernames-emails-characters
SEO Plugin by Squirrly SEO squirrly-seo
SP Project & Document Manager sp-client-document-manager
Scheduling Plugin – Online Booking for WordPress calendar-booking
Scroll Triggered Box dreamgrow-scroll-triggered-box
SiteOrigin Widgets Bundle so-widgets-bundle
SlimStat Analytics wp-slimstat
Starbox – the Author Box for Humans starbox
Structured Content (JSON-LD) #wpsc structured-content
TablePress – Tables in WordPress made easy tablepress
The Plus Addons for Elementor the-plus-addons-for-elementor-page-builder
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid boldgrid-backup
Ultra Companion – Companion plugin for WPoperation Themes ultra-companion
User Activity Tracking and Log user-activity-tracking-and-log
UserPro – Community and User Profile WordPress Plugin userpro
W3SPEEDSTER w3speedster-wp
WOLF – WordPress Posts Bulk Editor and Manager Professional bulk-editor
WP Dummy Content Generator wp-dummy-content-generator
WP Hotel Booking wp-hotel-booking
WP STAGING WordPress Backup Plugin – Migration Backup Restore wp-staging
WP Visitor Statistics (Real Time Traffic) wp-stats-manager
WP-CFM wp-cfm
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode coming-soon
WooCommerce Box Office woocommerce-box-office
WooCommerce Conversion Tracking woocommerce-conversion-tracking
Woostify Sites Library woostify-sites-library
WordPress Review & Structure Data Schema Plugin – Review Schema review-schema
WordPress Toolbar wordpress-toolbar

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Knowledge Base for Documentation, FAQs with AI Assistance <= 11.30.2 – Unauthenticated PHP Object Injection in is_article_recently_viewed

Affected Software: Knowledge Base for Documentation, FAQs with AI Assistance
CVE ID: CVE-2024-24842
CVSS Score: 9.8 (Critical)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41cfe1d7-2fab-413c-80e5-40d77133d229

ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks <= 3.1.4 – PHP Object Injection via wopb_wishlist and wopb_compare

Affected Software: ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks
CVE ID: CVE-2024-23512
CVSS Score: 9.8 (Critical)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/470285d6-b309-409c-b2c3-8766a0cf9e98

ERE Recently Viewed <= 1.3 – Unauthenticated PHP Object Injection

Affected Software: ERE Recently Viewed – Essential Real Estate Add-On
CVE ID: CVE-2024-24797
CVSS Score: 9.8 (Critical)
Researcher/s: Yudistira Arya
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7332fe2e-9bef-42b7-946e-4a2ee812ca26

JetBackup <= 2.0.9.7 – Sensitive Information Exposure via Directory Listing

Affected Software: JetBackup – WP Backup, Migrate & Restore
CVE ID: CVE-2023-7165
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd978ac0-42f2-4746-9430-37458375b588

Quicksand Post Filter jQuery Plugin <= 3.1.1 – Missing Authorization via quicksand_admin_ajax

Affected Software: Quicksand Post Filter jQuery Plugin
CVE ID: CVE-2024-24850
CVSS Score: 9.1 (Critical)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c6f3b765-396f-422f-864d-a48bee8c69cb

Instant Images <= 6.1.0 – Authenticated (Author+) Arbitrary Options Update


Cookie Information | Free GDPR Consent Solution <= 2.0.22 – Authenticated (Subscriber+) Arbitrary Options Update

Affected Software: Cookie Information | Free GDPR Consent Solution
CVE ID: CVE-2023-6700
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/42a4ef37-c842-4925-b06a-3e6423337567

Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently <= 4.1.1 – Authenticated (Contributor+) PHP Object Injection in mep_event_meta_save

Affected Software: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin
CVE ID: CVE-2024-24796
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50812a8b-7d49-41fa-ba50-47d07a4b6caa

SP Project & Document Manager <= 4.69 – Authenticated (Contributor+) SQL Injection via Shortcode

Affected Software: SP Project & Document Manager
CVE ID: CVE-2024-24868
CVSS Score: 8.8 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fcdeba37-ba65-400d-9c07-36503a03e857

MultiVendorX Marketplace <= 4.1.2 – Missing Authorization

Affected Software: MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution
CVE ID: CVE-2024-24703
CVSS Score: 8.6 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26e07115-efee-4db5-ba24-25a063286e90

TablePress <= 2.2.4 – Authenticated (Author+) Server Side Request Forgery (SSRF) via _get_import_files

Affected Software: TablePress – Tables in WordPress made easy
CVE ID: CVE-2024-23825
CVSS Score: 8.5 (High)
Researcher/s: isacaya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8de52b68-c273-4561-98b0-e51afd6cd47b

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.15.21 – Missing Authorization via seedprod_lite_new_lpage


Woostify Sites Library

Affected Software: Woostify Sites Library
CVE ID: CVE-2023-6279
CVSS Score: 8.1 (High)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/977ab23a-06b2-4f54-a2c2-3be2316eaceb

PropertyHive <= 2.0.5 – Unauthenticated PHP Object Injection via propertyhive_currency

Affected Software: PropertyHive
CVE ID: CVE-2024-23513
CVSS Score: 8.1 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d8ee82cf-916c-41e9-82d2-f25cc7a632ae

Total Upkeep <= 1.15.8 – Improper Authorization to Unauthenticated Arbitrary File Download

Affected Software: Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid
CVE ID: CVE-2024-24869
CVSS Score: 7.5 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/159e14fc-0512-421a-8bbe-d16c0b04ddf9

PowerPack Pro for Elementor <= 2.10.6 – Missing Authorization to Settings Reset

Affected Software: PowerPack Pro for Elementor
CVE ID: CVE-2024-24844
CVSS Score: 7.5 (High)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/883e1f3c-7e47-4522-ae8c-a9a6b4160be2

Contact Form Entries <= 1.3.2 – Authenticated (Administrator+) Arbitrary File Upload

Affected Software: Database for Contact Form 7, WPforms, Elementor forms
CVE ID: CVE-2024-1069
CVSS Score: 7.2 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/120313be-9f98-4448-9f5d-a77186a6ff08

Icons Font Loader <= 1.1.4 – Authenticated (Administrator+) Arbitrary File Upload

Affected Software: Icons Font Loader
CVE ID: CVE-2024-24714
CVSS Score: 6.6 (Medium)
Researcher/s: Vulzap
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37426991-7778-4dc4-8cae-2725584fb8b8

HTML5 Video Player <= 2.5.24 – Unauthenticated SQL Injection via id

Affected Software: Html5 Video Player
CVE ID: CVE-2024-1061
CVSS Score: 6.5 (Medium)
Researcher/s: Joshua Martinelle
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0abd2533-5cb3-4568-8ad2-f2852ab3a8db

Quicksand Post Filter jQuery Plugin <= 3.1.1 – Cross-Site Request Forgery via renderAdmin

Affected Software: Quicksand Post Filter jQuery Plugin
CVE ID: CVE-2024-24849
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dd63ea6-7821-42b8-9b52-e721a8b2382d

Order Delivery Date for WP e-Commerce <= 1.2 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Order Delivery Date for WP e-Commerce
CVE ID: CVE-2024-0678
CVSS Score: 6.5 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71fb90b6-a484-4a70-a9dc-795cbf2e275e

WP Hotel Booking <= 2.0.9.2 – Improper Authorization on Multiple REST API Routes

Affected Software: WP Hotel Booking
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86f15e94-6ca7-4eb2-8a38-b4add9251dab

Starbox <= 3.4.8 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Display Name and Social Settings

Affected Software: Starbox – the Author Box for Humans
CVE ID: CVE-2024-0256
CVSS Score: 6.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0eafe473-9177-47c4-aa1e-2350cb827447

Heateor Social Login <= 1.1.30 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Heateor Social Login WordPress
CVE ID: CVE-2024-24712
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a3ebfba-7523-48a4-a315-4395be2cebef

Advanced iFrame <= 2023.10 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Advanced iFrame
CVE ID: CVE-2023-7069
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e32c51d-2d96-4545-956f-64f65c54b33b

Five Star Restaurant Reviews <= 2.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Review URL

Affected Software: Five Star Restaurant Reviews
CVE ID: CVE-2024-24838
CVSS Score: 6.4 (Medium)
Researcher/s: Steven Julian
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fe44e46-dfbf-4286-889c-606280d62218

SlimStat Analytics <= 5.1.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: SlimStat Analytics
CVE ID: CVE-2024-1073
CVSS Score: 6.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33cba63c-4629-48fd-850f-f68dad626a67

Ultra Companion <= 1.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ultra Companion – Companion plugin for WPoperation Themes
CVE ID: CVE-2024-24803
CVSS Score: 6.4 (Medium)
Researcher/s: wpdabh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3639d0a6-6d9f-4f3e-bb25-85d4eb40b547

OWL Carousel <= 1.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: OWL Carousel – WordPress Owl Carousel Slider
CVE ID: CVE-2024-24801
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/511957c0-e4c3-4a50-b604-3b604d52d32f

SiteOrigin Widgets Bundle <= 1.58.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: SiteOrigin Widgets Bundle
CVE ID: CVE-2024-0961
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f7c164f-2f78-4857-94b9-077c2dea13df

Scheduling Plugin – Online Booking for WordPress <= 3.5.10 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Scheduling Plugin – Online Booking for WordPress
CVE ID: CVE-2024-23517
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71a0aa95-f2a9-4537-a8d1-d78336e36125

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.14.3 – Authenticated (Contributor+) Stored Cross-Site Scripting


Click To Tweet <= 2.0.14 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Click To Tweet
CVE ID: CVE-2024-23514
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7eee591c-2676-479c-ab15-96da10f51ae0

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting


Structured Content <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Classic Editor Shortcode

Affected Software: Structured Content (JSON-LD) #wpsc
CVE ID: CVE-2024-24839
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a013106b-4e2a-4dd9-a0ab-7e6c91e715dd

Auto Listings <= 2.6.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Auto Listings – Car Listings & Car Dealership Plugin for WordPress
CVE ID: CVE-2024-24713
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1a97776-03c7-403d-b803-023647b9d0f2

Calculated Fields Form <= 1.2.52 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Calculated Fields Form
CVE ID: CVE-2024-0963
CVSS Score: 6.4 (Medium)
Researcher/s: Richard Telleng (stueotue)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d870ff8d-ea4b-4777-9892-0d9982182b9f

The Plus Addons for Elementor <= 5.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: The Plus Addons for Elementor
CVE ID: CVE-2024-23511
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e66b5c12-3acb-41f7-ae5f-8a9130053e45

CC BMI Calculator <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: CC BMI Calculator
CVE ID: CVE-2024-23516
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed0e7717-d9ac-4333-8e79-fc030a410dab

GDPR Data Request Form <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: GDPR Data Request Form
CVE ID: CVE-2024-24836
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0b8fd44-75af-4fb8-bcc1-94cb5fc9e4eb

Premium Addons for Elementor <= 4.10.16 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Premium Addons for Elementor
CVE ID: CVE-2024-24831
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7222c7e-939a-4666-9d01-f715d2827954

MapPress <= 2.88.16 – Authenticated (Contributor+) Stored Cross-Site Scripting via Map Settings

Affected Software: MapPress Maps for WordPress
CVE ID: CVE-2023-7225
CVSS Score: 6.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fce76126-0cfd-464f-b644-45d4301e958d

CalculatorPro Calculators <= 1.1.7 – Reflected Cross-Site Scripting via CP_preview_calc

Affected Software: CalculatorPro Calculators
CVE ID: CVE-2024-24847
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0de79672-f0ba-42d3-a44a-01b93801d7de

Mighty Addons for Elementor <= 1.9.3 – Reflected Cross-Site Scripting

Affected Software: Mighty Addons for Elementor
CVE ID: CVE-2024-24846
CVSS Score: 6.1 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/484d8d14-049d-4fd5-adb8-ad9942bba794

Biteship <= 2.2.24 – Reflected Cross-Site Scripting via biteship_error and biteship_message

Affected Software: Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo
CVE ID: CVE-2024-24866
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0247ba6-d193-4b7d-969d-0cd239c57faa

PT Sign Ups <= 1.0.4 – Unauthenticated Stored Cross-Site Scripting

Affected Software: PT Sign Ups – Beautiful volunteer sign ups and management made easy
CVE ID: CVE-2024-24848
CVSS Score: 6.1 (Medium)
Researcher/s: Faizal Abroni
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b751191b-35a8-4331-ac3f-f6090221c65f

EventON <= 4.4.0 – Reflected Cross-Site Scripting

Affected Software: EventON Pro
CVE ID: CVE-2023-7200
CVSS Score: 6.1 (Medium)
Researcher/s: kauenavarro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0d5b1a5-0078-402b-b834-8091bfc02dd5

PowerPack Pro for Elementor < 2.10.8 – Cross-Site Request Forgery to Plugin Settings Modification and Cross-Site Scripting

Affected Software: PowerPack Pro for Elementor
CVE ID: CVE-2024-24843
CVSS Score: 6.1 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e68bbee2-1c1a-4751-988e-dde423f8aab3

Ninja Forms Contact Form <= 3.7.1 – Unauthenticated Second Order SQL Injection

Affected Software: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CVE ID: CVE-2024-0685
CVSS Score: 5.9 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cb73d5d-ca4a-4103-866d-f7bb369a8ce4

Easy Digital Downloads <= 3.2.6 – Authenticated (Shop Manager+) Stored Cross-Site Scripting via Variable Pricing Options

Affected Software: Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy)
CVE ID: CVE-2024-0659
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ec207cd-cae5-4950-bbc8-d28f108b4ae7

BEAR <= 1.1.4 – Authenticated (Shop manager+) Stored Cross-Site Scripting via Plugin Options

Affected Software: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
CVE ID: CVE-2024-24834
CVSS Score: 5.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32682598-ad1c-4aa1-bdf2-a7966a4d1dbe

Scroll Triggered Box <= 2.3 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Scroll Triggered Box
CVE ID: CVE-2024-24865
CVSS Score: 5.5 (Medium)
Researcher/s: Savphill
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b92c3d68-2e3e-4500-8da9-f89373126445

MW WP Form <= 5.0.6 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: MW WP Form
CVE ID: CVE-2024-24804
CVSS Score: 5.5 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2126761-cbff-4d46-a6df-4566d15216d7

Accessibility <= 1.0.6 – Cross-Site Request Forgery

Affected Software: Accessibility
CVE ID: CVE-2024-24705
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/432effd4-5c94-4ef9-bc19-b4eacd082264

PilotPress <= 2.0.29 – Authenticated (Subscriber+) Missing Authorization via Multiple AJAX Functions

Affected Software: PilotPress
CVE ID: CVE-2024-23524
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a8d121d-434d-4445-874f-d3cf6b6e7233

WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.1 – Cross-Site Request Forgery

Affected Software: WOLF – WordPress Posts Bulk Editor and Manager Professional
CVE ID: CVE-2024-0790
CVSS Score: 5.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c48f94b-d193-429a-9383-628ae12bfdf3

Load More Anything <= 3.3.3 – Missing Authorization to Plugin Settings Modification

Affected Software: Load More Anything
CVE ID: CVE-2024-24704
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/797554c9-7008-451a-8e8d-3242a207347e

PDF Flipbook, 3D Flipbook – DearFlip <= 2.2.26 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: PDF Flipbook, 3D Flipbook – DearFlip
CVE ID: CVE-2024-0895
CVSS Score: 5.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92e37b28-1a17-417a-b40f-cb4bbe6ec759

Happyforms <= 1.25.10 – Missing Authorization


User Activity Tracking and Log <= 4.1.3 – IP Spoofing

Affected Software: User Activity Tracking and Log
CVE ID: CVE-2024-0970
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e2268fc-5f29-4c69-9585-81240354ae77

EventPrime <= 3.3.9 – Improper Input Validation via save_event_booking

Affected Software: EventPrime – Events Calendar, Bookings and Tickets
CVE ID: CVE-2024-24832
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17cbcf67-f10d-41bc-acf7-98e5d99b50af

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 – Missing Authorization via restore_records()

Affected Software: NEX-Forms – Ultimate Form Builder – Contact forms and much more
CVE ID: CVE-2024-0907
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4

WP Dummy Content Generator <= 3.1.2 – Missing Authorization

Affected Software: WP Dummy Content Generator
CVE ID: CVE-2024-24805
CVSS Score: 5.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b44d23c-4872-491f-8a91-b0feb888ac54

BEAR <= 1.1.4 – Missing Authorization via Several Functions

Affected Software: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
CVE ID: CVE-2024-24835
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/411b7889-c2c6-48cb-967d-091585705e17

BizPrint <= 4.5.1 – Missing Authorization in showTemplatePreview

Affected Software: BizPrint – Print WooCommerce Order Receipts, Invoices, Labels & More.
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fc76e1c-546f-4ecd-bd3b-a6f21b2c65bf

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 – Missing Authorization via set_starred()

Affected Software: NEX-Forms – Ultimate Form Builder – Contact forms and much more
CVE ID: CVE-2024-1129
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53db0f72-3353-42bb-ad75-4c5aa32d7939

Relevanssi Pro < 2.25 – Unauthenticated Sensitive Information Exposure

Affected Software: Relevanssi – A Better Search (Pro)
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/550872c8-3663-48fa-ab3f-f90351f3e169

Orbit Fox by ThemeIsle <= 2.10.28 – Missing Authorization

Affected Software: Orbit Fox by ThemeIsle
CVE ID: CVE-2024-1047
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d

LearnDash LMS <= 4.10.1 – Sensitive Information Exposure via API

Affected Software: LearnDash LMS
CVE ID: CVE-2024-1210
CVSS Score: 5.3 (Medium)
Researcher/s: Karl Emil Nikka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61ca5ab6-5fe9-4313-9b0d-8736663d0e89

LearnDash LMS <= 4.10.1 – Sensitive Information Exposure via assignments

Affected Software: LearnDash LMS
CVE ID: CVE-2024-1209
CVSS Score: 5.3 (Medium)
Researcher/s: Karl Emil Nikka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7191955e-0db1-4ad1-878b-74f90ca59c91

PropertyHive <= 2.0.6 – Missing Authorization via activate_pro_feature

Affected Software: PropertyHive
CVE ID: CVE-2024-24718
CVSS Score: 5.3 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/84d55f24-c4de-4574-b0cc-cc1b4935d281

LearnDash LMS <= 4.10.2 – Sensitive Information Exposure via API

Affected Software: LearnDash LMS
CVE ID: CVE-2024-1208
CVSS Score: 5.3 (Medium)
Researcher/s: Karl Emil Nikka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae735117-e68b-448e-ad41-258d1be3aebc

Post Thumbnail Editor <= 2.4.8 – Sensitive Information Exposure

Affected Software: Post Thumbnail Editor
CVE ID: CVE-2024-24845
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b102af8f-2bc3-4548-9a90-d1280b058173

UserPro <= 5.1.6 – Disabled Membership Registration Bypass

Affected Software: UserPro – Community and User Profile WordPress Plugin
CVE ID: CVE-2024-0701
CVSS Score: 5.3 (Medium)
Researcher/s: Rob Stevens
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea070d9c-c04c-432f-a110-47b9eaa67614

ARMember <= 4.0.24 – Improper Access Control to Sensitive Information Exposure via REST API


NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 – Missing Authorization via set_read()

Affected Software: NEX-Forms – Ultimate Form Builder – Contact forms and much more
CVE ID: CVE-2024-1130
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2c3b646-d865-4425-bc8f-00b3555a3d74

WP Visitor Statistics (Real Time Traffic) <= 6.9.4 – Sensitive Information Exposure via Log File

Affected Software: WP Visitor Statistics (Real Time Traffic)
CVE ID: CVE-2024-24867
CVSS Score: 5.3 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2d69d59-390d-4f3c-96ba-487707cac7a6

Anonymous Restricted Content <= 1.6.2 – Protection Mechanism Bypass

Affected Software: Anonymous Restricted Content
CVE ID: CVE-2024-0909
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f478ff7c-7193-4c59-a84f-c7cafff9b6c0

Email Before Download <= 6.9.7 – Cross-Site Request Forgery

Affected Software: Email Before Download
CVE ID: CVE-2024-23519
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa918a65-0021-4c32-9f6d-d978926c3ef3

WP STAGING WordPress Backup Plugin < 3.2.0 – Sensitive Information Exposure via cache files

Affected Software: WP STAGING WordPress Backup Plugin – Migration Backup Restore
CVE ID: CVE-2023-7204
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fe8816d8-1687-4a3c-9f2a-23f21d679cc5

BookIt <= 2.4.0 – Price Bypass

Affected Software: Booking Calendar | Appointment Booking | BookIt
CVE ID: CVE-2024-24715
CVSS Score: 4.9 (Medium)
Researcher/s: Debangshu Kundu, Arpeet Rathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9938c7d-ef0d-45a2-900f-ac8bda9ce75a

Popup More <= 2.2.4 – Authenticated (Admin+) Directory Traversal to Limited Local File Inclusion

Affected Software: Popup More Popups, Lightboxes, and more popup modules
CVE ID: CVE-2024-0844
CVSS Score: 4.7 (Medium)
Researcher/s: 0x9567b
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7894a19c-b873-4c5b-8c82-6656cc306ee2

Restrict Usernames Emails Characters <= 3.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Restrict Usernames Emails Characters
CVE ID: CVE-2023-6165
CVSS Score: 4.4 (Medium)
Researcher/s: Yuhang Liu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12532f84-bc76-4968-a01f-f879ab41b901

Persian Fonts <= 1.6 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Persian Fonts
CVE ID: CVE-2023-7167
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a427b26-4a0d-4351-8a8b-ec5da1345ebd

Chartify <= 2.0.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Chartify – WordPress Chart Plugin
CVE ID: CVE-2023-47526
CVSS Score: 4.4 (Medium)
Researcher/s: Jeongwoo-Lee(Roronoa)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49d0315e-fcb2-4232-8797-0421cf5d3cd8

SEO Plugin by Squirrly SEO <= 12.3.15 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: SEO Plugin by Squirrly SEO
CVE ID: CVE-2024-0597
CVSS Score: 4.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a61a8d8b-f22f-4a16-95f6-6cf52cf545ad

Pagelayer <= 1.7.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via Header/Footer code

Affected Software: Page Builder: Pagelayer – Drag and Drop website builder
CVE ID: CVE-2023-5124
CVSS Score: 4.4 (Medium)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8bd08d0-5c78-40a8-abc1-de387908df9d

Add Customer for WooCommerce <= 1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Add Customer for WooCommerce
CVE ID: CVE-2024-24841
CVSS Score: 4.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba08695e-009e-434a-9db0-06aa1dd6d57a

Beds24 Online Booking <= 2.0.23 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Beds24 Online Booking
CVE ID: CVE-2024-24717
CVSS Score: 4.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca5bc2af-394b-4fc1-b6c3-ed9ff0a5959a

Fatal Error Notify <= 1.5.2 – Cross-Site Request Forgery to Test Error Email Sending

Affected Software: Fatal Error Notify
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08b75cac-7b1d-4bed-a1b7-bd1e872f2b4f

Active Products Tables for WooCommerce. Professional products tables for WooCommerce store <= 1.0.6.1 – Missing Authorization


WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.1 – Missing Authorization

Affected Software: WOLF – WordPress Posts Bulk Editor and Manager Professional
CVE ID: CVE-2024-0791
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13c66a8f-b35f-4943-8880-0799b0d150f7

Element Pack Elementor Addons <= 5.4.11 – Missing Authorization via bdt_duplicate_as_draft


Happy Addons for Elementor <= 3.10.1 – Missing Authorization via add_row_actions

Affected Software: Happy Addons for Elementor
CVE ID: CVE-2024-24833
CVSS Score: 4.3 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b25df18-dd9a-4b24-8187-283d5f3f334e

Post Video Players <= 1.158 – Cross-Site Request Forgery via cincopa_mp_mt_options_page

Affected Software: Cincopa video and media plug-in
CVE ID: CVE-2024-23515
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/285d2b85-cdd0-4447-8cdc-b641751e4a5f

Affiliates Manager <= 2.9.34 – Cross-Site Request Forgery

Affected Software: Affiliates Manager
CVE ID: CVE-2024-0859
CVSS Score: 4.3 (Medium)
Researcher/s: Nathaniel Oh (0x4n3)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/433a03c2-09fd-4ce6-843b-55ad09f4b4f7

WooCommerce Conversion Tracking <= 2.0.11 – Missing Authorization via wcct_install_happy_addons

Affected Software: WooCommerce Conversion Tracking
CVE ID: CVE-2024-24711
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4775ef21-01d6-4c5a-9e3e-f9b6e093fc7f

BizPrint <= 4.5.1 – Cross-Site Request Forgery in Printer Management

Affected Software: BizPrint – Print WooCommerce Order Receipts, Invoices, Labels & More.
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/487a131e-4911-42d6-bfd7-fc697c89552d

Fatal Error Notify <= 1.5.2 – Missing Authorization to Test Error Email Sending

Affected Software: Fatal Error Notify
CVE ID: CVE-2023-7202
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50499cd6-0e27-494a-892c-5ca827d4433b

Active Products Tables for WooCommerce. Professional products tables for WooCommerce store <= 1.0.6.1 – Cross-Site Request Forgery


Shareaholic <= 9.7.11 – Missing Authorization via accept_terms_of_service

Affected Software: Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
CVE ID: CVE-2024-24709
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5cde239c-20bf-41fa-b7d6-e21b14dcbc22

Setka Editor <= 2.1.20 – Cross-Site Request Forgery via handleRequest

Affected Software: A no-code page builder for beautiful performance-based content
CVE ID: CVE-2024-24701
CVSS Score: 4.3 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7058306f-ec20-4722-aaa1-552a75945a1e

Location Picker at Checkout for WooCommerce <= 1.8.9 – Missing Authorization via checkout_map_rules_order_ajax_handler


FG Drupal to WordPress <= 3.67.0 – Cross-Site Request Forgery via ajax_importer

Affected Software/s: FG Joomla to WordPress, FG PrestaShop to WooCommerce, FG Drupal to WordPress
CVE ID: CVE-2024-24837
CVSS Score: 4.3 (Medium)
Researcher/s: Friday
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dc34ff1-1b7e-4974-907a-745911df5dc8

Orbit Fox by ThemeIsle <= 2.10.29 – Cross-Site Request Forgery

Affected Software: Orbit Fox by ThemeIsle
CVE ID: CVE-2024-1162
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88f6a24f-f14a-4d0a-be5a-f8c84910b4fc

JTRT Responsive Tables <= 4.1.9 – Cross-Site Request Forgery

Affected Software: JTRT Responsive Tables
CVE ID: CVE-2024-24802
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89ca9214-145e-43c6-a642-7c371f635332

Page Restrict <= 2.5.5 – Cross-Site Request Forgery via pr_admin_page

Affected Software: Page Restrict
CVE ID: CVE-2024-24702
CVSS Score: 4.3 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/956984d4-4f8b-4e20-8002-4e9809b3872c

WP-CFM <= 1.7.8 – Cross-Site Request Forgery via multiple AJAX functions

Affected Software: WP-CFM
CVE ID: CVE-2024-24706
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9790c592-1445-4f9d-987e-ae5ab49c4dcd

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.4.1 – Missing Authorization


Custom Order Numbers for WooCommerce <= 1.6.0 – Cross-Site Request Forgery to Notice Dismissal

Affected Software: Custom Order Numbers for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/981908d3-e1e7-4093-a2ee-69aa50127731

PopupAlly <= 2.1.0 – Cross-Site Request Forgery via optin_submit_callback

Affected Software: PopupAlly
CVE ID: CVE-2024-23520
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6bef410-8706-4440-b50f-08824ef754f6

Debug <= 1.10 – Cross-Site Request Forgery

Affected Software: Debug
CVE ID: CVE-2024-24798
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa7276bb-6a9b-4cbd-8333-14c4dfac4108

Custom Order Status for WooCommerce <= 2.3.0 – Cross-Site Request Forgery

Affected Software: Custom Order Status for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab2a4903-2c69-48da-bd4a-79b39b78806c

WordPress Review & Structure Data Schema Plugin – Review Schema <= 2.1.14 – Missing Authorization to Arbitrary Review Update

Affected Software: WordPress Review & Structure Data Schema Plugin – Review Schema
CVE ID: CVE-2024-0836
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7039206-a25a-4aa0-87e2-be11dd1f12eb

Starbox – the Author Box for Humans <= 3.4.7 – Insecure Direct Object Reference

Affected Software: Starbox – the Author Box for Humans
CVE ID: CVE-2024-0366
CVSS Score: 4.3 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67

CP Media Player <= 1.1.3 – Cross-Site Request Forgery to Player Deletion and Duplication

Affected Software: CP Media Player – Audio Player and Video Player
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ced380a5-04a6-40c1-a731-0d3b929e4428

Don’t Muck My Markup <= 1.8 – Cross-Site Request Forgery

Affected Software: Don’t Muck My Markup
CVE ID: CVE-2024-23510
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1390c22-3c8d-47f1-b225-1bcbc215832a

W3SPEEDSTER <= 7.19 – Cross-Site Request Forgery via launch

Affected Software: W3SPEEDSTER
CVE ID: CVE-2024-24708
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e358355e-097c-4a6d-a21a-3d08098efff0

WordPress Toolbar Plugin <= 2.2.6 – Open Redirect via wptbto

Affected Software: WordPress Toolbar
CVE ID: CVE-2023-6389
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e88a45e5-f882-419e-b0b0-612912666693

ACF Photo Gallery Field <= 2.6 – Missing Authorization

Affected Software: ACF Photo Gallery Field
CVE ID: CVE-2024-23518
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f557ddf1-cee3-498c-87bc-fa81bf574591

WooCommerce Box Office <= 1.2.2 – Missing Authorization

Affected Software: WooCommerce Box Office
CVE ID: CVE-2024-24799
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff2097a9-fe7a-48f3-be9c-dc0caef74262

Feed Them Social <= 4.2.0 – Cross-Site Request Forgery via review_nag_check

Affected Software: Feed Them Social – Page, Post, Video, and Photo Galleries
CVE ID: CVE-2024-24710
CVSS Score: 3.5 (Low)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e86152a6-cd8d-4466-bcc5-830413500e12

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
