Wordfence Intelligence Weekly WordPress Vulnerability Report (June 17, 2024 to June 23, 2024)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. For a limited time, all high risk issues are in-scope for all researchers! 

Last week, there were 234 vulnerabilities disclosed in 166 WordPress Plugins and 16 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 69 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 17,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• WAF-RULE-707 – data redacted while we work with the vendor on a patch.
• WAF-RULE-708 – data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Bob Matyas	31
Lucio Sá	13
Dmitrii Ignatyev	11
stealthcopter	11
wesley (wcraft)	10
Dave Jong	9
Rafie Muhammad	9
Majed Refaea	9
Dhabaleshwar Das	8
LVT-tholv2k	8
Abdi Pranata	8
Francesco Carlucci	7
István Márton	5
Krzysztof Zając	5
Guido Iván García	4
Ngô Thiên An (ancorn_)	4
Jean Tirstan T	4
Krugov Artyom	3
Felipe Caon	3
Peter Thaleikis	3
Phill Sav (Savphill)	3
LuxF0z	3
Arkadiusz Hydzik	3
João Pedro Soares de Alcântara	3
Jack Taylor	3
Steven Julian	3
JoanClarke2	2
Norbert Hofmann	2
Colin Xu	2
Peng Zhou	2
Gibran Abdillah	2
Webbernaut	2
CatFather	2
Snicco	2
Ananda Dhakal	2
Rayhan Ramdhany Hanaputra	2
Khalid	1
Vinay Kumar	1
beluga	1
Sandeep Vishwakarma	1
Ayush Juneja	1
Dimas Maulana	1
Mochamad Sofyan	1
Rafshanzani Suhada	1
Thanh Hang	1
Yuuta Watanabe	1
Benedictus Jovan (aillesiM)	1
thiennv	1
Eunho Kim	1
Jin Hao Chan	1
M.Awad	1
Nosa "apapedulimu" Shandy	1
YC_Infosec	1
1337_Wannabe	1
tom	1
Yuchen Ji	1
Tim Coen	1
Hoa Le Ngoc (lengochoa)	1
kauenavarro	1
Muhammad Daffa	1
Dikshita Trivedi (Cybersecdexter)	1
Davide Balzano	1
AtaTurk1925	1
Akbar Kustirama	1
Truoc Phan	1
An Đặng	1
Joshua Chan	1
haidv35	1
vps1-	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

InstaWP Connect <= 0.1.0.38 - Unauthenticated Arbitrary File Upload

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-37228

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
InstaWP Connect – 1-click WP Staging & Migration

Researcher

AtaTurk1925

More Details >

WishList Member X <= 3.25.1 - Unauthenticated Arbitrary SQL Execution

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-37112

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

WP Hotel Booking <= 2.1.0 - Unauthenticated SQL Injection

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-3605

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
WP Hotel Booking

Researcher

Krzysztof Zając

More Details >

Consulting Elementor Widgets <= 1.3.0 - Authenticated (Contributor+) SQL Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-37090

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Consulting Elementor Widgets

Researcher

Rafie Muhammad

More Details >

Image Optimizer, Resizer and CDN – Sirv <= 7.2.6 - Authenticated (Contributor+) Arbitrary File Upload

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-5853

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Image Optimizer, Resizer and CDN – Sirv

Researcher

Lucio Sá

More Details >

WishList Member X <= 3.25.1 - Authenticated (Subscriber+) Remote Code Execution

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-37109

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

Zoho Marketing Automation <= 1.2.7 - Authenticated (Contributor+) SQL Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-37225

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Zoho Marketing Automation

Researcher

LVT-tholv2k

More Details >

Bug Library <= 2.1 - Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-5450

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Bug Library

Researcher

Bob Matyas

More Details >

Consulting Elementor Widgets <= 1.3.0 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-37089

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Consulting Elementor Widgets

Researcher

Rafie Muhammad

More Details >

Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.23 - Unauthenticated SQL Injection via optin

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-5756

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Researcher

Arkadiusz Hydzik

More Details >

Lifeline Donation <= 1.2.6 - Authentication Bypass

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-5432

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Lifeline Donation

Researcher

István Márton

More Details >

Salon Booking System <= 10.2 - Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-3229

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Salon Booking System

Researcher

Gibran Abdillah

More Details >

Shariff Wrapper <= 4.6.13 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4098

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Shariff Wrapper

Researcher

haidv35

More Details >

Themify - WooCommerce Product Filter <= 1.4.9 - Unauthenticated SQL Injection via conditions Parameter

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-6027

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Themify – WooCommerce Product Filter

Researcher

Arkadiusz Hydzik

More Details >

Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.2.5 - Authenticated (Contributor+) SQL Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4742

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Researcher

Peter Thaleikis

More Details >

Ali2Woo Lite <= 3.4.4 - Cross-Site Request Forgery to PHP Object Injection

9.6

CVSS Rating
Critical (9.6)

CVE-ID
CVE-2024-37212

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
AliExpress Dropshipping Plugin for WooCommerce – AliNext

Researcher

Majed Refaea

More Details >

WordPress Picture / Portfolio / Media Gallery <= 3.0.1 - Unauthenticated Server-Side Request Forgery

9.3

CVSS Rating
Critical (9.3)

CVE-ID
CVE-2024-5021

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
WordPress Picture / Portfolio / Media Gallery

Researcher

Francesco Carlucci

More Details >

Squeeze <= 1.4 - Authenticated (Admin+) Arbitrary File Upload

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2024-35767

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Squeeze

Researcher

YC_Infosec

More Details >

Wp EMember <= 10.6.5 - Authenticated (Admin+) Arbitrary File Upload

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2024-5080

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Wp EMember

Researcher

Bob Matyas

More Details >

SEOPress <= 7.8 - Unauthenticated PHP Object Injection

9.0

CVSS Rating
Critical (9.0)

CVE-ID
CVE-2024-5488

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
SEOPress – On-site SEO

Researcher(s): Unknown

More Details >

AliExpress Dropshipping with AliNext Lite <= 3.3.5 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-2381

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
AliExpress Dropshipping Plugin for WooCommerce – AliNext

Researcher

Lucio Sá

More Details >

Consulting Elementor Widgets <= 1.3.0 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-37092

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Consulting Elementor Widgets

Researcher

Rafie Muhammad

More Details >

Consulting Elementor Widgets <= 1.3.0 - Authenticated (Contributor+) Remote Code Execution

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-37091

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Consulting Elementor Widgets

Researcher

Rafie Muhammad

More Details >

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) PHP Code Injection via Loop Custom Field

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-3562

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Custom Field Suite

Researcher

Jack Taylor

More Details >

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) SQL Injection via Term Custom Field

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-3561

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Custom Field Suite

Researcher

Jack Taylor

More Details >

Media Library Assistant <= 3.16 - Authenticated (Contributor+) SQL Injection via order Parameter

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5605

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Media Library Assistant

Researcher

Krzysztof Zając

More Details >

Pexels: Free Stock Photos <= 1.2.2 - Authenticated (Contributor+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-6132

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Pexels: Free Stock Photos

Researcher

István Márton

More Details >

Photo Gallery, Images, Slider in Rbs Image Gallery <= 3.2.19 - Cross-Site Request Forgery to Post Creation and Limited Data Loss

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5343

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Photo Gallery, Images, Slider in Rbs Image Gallery

Researcher

JoanClarke2

More Details >

Photo Video Gallery Master <= 1.5.3 - Authenticated (Contributor+) PHP Object Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5724

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Photo Video Gallery Master

Researcher

Francesco Carlucci

More Details >

Slideshow SE <= 2.5.17 - Authenticated (Author+) Limited Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-35778

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Slideshow SE

Researcher

João Pedro Soares de Alcântara

More Details >

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.5.6 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5455

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
The Plus Addons for Elementor Page Builder

Researcher

wesley (wcraft)

More Details >

WishList Member X <= 3.25.1 - Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-37107

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

Word Balloon <= 4.21.1 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-35781

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Word Balloon

Researcher

João Pedro Soares de Alcântara

More Details >

WP Blog Post Layouts <= 1.1.3 - Authenticated (Contributor+) Local File Inlcusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5503

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
WP Blog Post Layouts

Researcher

stealthcopter

More Details >

Academy LMS <= 2.0.10 - Open Redirect

8.3

CVSS Rating
High (8.3)

CVE-ID
CVE-2024-37234

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Researcher

Mochamad Sofyan

More Details >

Login with phone number <= 1.7.34 - Insecure Password Reset Mechanism

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-6125

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Login with phone number

Researcher

István Márton

More Details >

WishList Member X <= 3.25.1 - Authenticated (Subscriber+) Arbitrary File Deletion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-37108

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

Page Builder: Live Composer <= 1.5.42 - Authenticated (Contributor+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-35780

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Live Composer – Free WordPress Website Builder

Researcher

LVT-tholv2k

More Details >

WP Magazine Modules Lite <= 1.1.2 - Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-5574

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
WP Magazine Modules Lite

Researcher

stealthcopter

More Details >

Business Directory Plugin <= 6.4.3 - Authenticated (Author+) CSV Injection

7.4

CVSS Rating
High (7.4)

CVE-ID
CVE-2023-5527

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Business Directory Plugin – Easy Listing Directories for WordPress

Researcher

Dmitrii Ignatyev

More Details >

Appointment Booking and Online Scheduling <= 4.4.2 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-5791

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Online Booking & Scheduling Calendar for WordPress by vcita

Researcher

Lucio Sá

More Details >

Quotes and Tips by BestWebSoft <= 1.44 - Authenticated (Admin+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-3112

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Quotes and Tips by BestWebSoft

Researcher

Peng Zhou

More Details >

UberMenu <= 3.8.3 - Cross-Site Request Forgery to Settings Reset

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-3593

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
UberMenu

Researcher

M.Awad

More Details >

WishList Member X <= 3.25.1 - Missing Authorization to Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-37106

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

Export WP Page to Static HTML/CSS <= 2.2.2 - Open Redirect

7.1

CVSS Rating
High (7.1)

CVE-ID
CVE-2024-3597

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Export WP Page to Static HTML/CSS

Researcher

Krzysztof Zając

More Details >

Depicter <= 3.0.2 - Authenticated (Contributor+) Arbitrary Nonce Generation

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-4390

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

Researcher

Arkadiusz Hydzik

More Details >

License Manager for WooCommerce <= 3.0.6 - Improper Authorization to Authenticated(Contributor+) Sensitive Information Exposure

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-1639

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
License Manager for WooCommerce

Researcher

Lucio Sá

More Details >

Materialis <= 1.1.24 - Missing Authorization to Limited Arbitrary Options Update

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2023-3204

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Materialis

Researcher

Gibran Abdillah

More Details >

Scheduling Plugin – Online Booking for WordPress <= 3.5.10 - Missing Authorization to Unauthenticated Service Disconnection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-1634

Patch Status
Unpatched

Published
Jun 17, 2024

Affected Software
Scheduling Plugin – Online Booking for WordPress

Researcher

Lucio Sá

More Details >

Sparkle Demo Importer <= 1.4.7 - Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-6120

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Sparkle Demo Importer

Researcher

Lucio Sá

More Details >

Ali2Woo Lite <= 3.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37214

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
AliExpress Dropshipping Plugin for WooCommerce – AliNext

Researcher

Majed Refaea

More Details >

Bible Text <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5444

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Bible Text

Researcher

Bob Matyas

More Details >

Blogmentor – Blog Layouts for Elementor <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via pagination_style Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4623

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Blogmentor – Blog Layouts for Elementor

Researcher

stealthcopter

More Details >

Branda – White Label WordPress, Custom Login Page Customizer <= 3.4.17 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5191

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Branda – Branda – White Label & Branding, Custom Login Page Customizer

Researcher

wesley (wcraft)

More Details >

Church Admin <= 4.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35764

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Church Admin

Researcher

Ngô Thiên An (ancorn_)

More Details >

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_title]

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3558

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Custom Field Suite

Researcher

Jack Taylor

More Details >

DImage 360 <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35774

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
DImage 360

Researcher

Ngô Thiên An (ancorn_)

More Details >

Ditty – Responsive News Tickers, Sliders, and Lists <= 3.1.42 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5575

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Ditty – Responsive News Tickers, Sliders, and Lists

Researcher

Dmitrii Ignatyev

More Details >

Divi <= 4.25.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5533

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Divi

Researcher

Ngô Thiên An (ancorn_)

More Details >

Elegant Themes Icons <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37100

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Elegant Themes Icons

Researcher

Ngô Thiên An (ancorn_)

More Details >

EmbedSocial – Social Media Feeds, Reviews and Galleries <= 1.1.29 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3984

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
EmbedSocial – Social Media Feeds, Reviews and Galleries

Researcher

Krzysztof Zając

More Details >

Empty Cart Button for WooCommerce <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37217

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Empty Cart Button for WooCommerce

Researcher

LVT-tholv2k

More Details >

Excellent <= 1.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35763

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Excellent

Researcher

stealthcopter

More Details >

Flatsome <= 3.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5156

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Flatsome

Researcher

stealthcopter

More Details >

Flatsome | Multi-Purpose Responsive WooCommerce Theme <= 3.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5346

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Flatsome

Researcher

wesley (wcraft)

More Details >

Greenshift – animation and page builder blocks <= 8.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35765

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Greenshift – animation and page builder blocks

Researcher

João Pedro Soares de Alcântara

More Details >

Grey Opaque <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Download-Button Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5966

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Grey Opaque

Researcher

Francesco Carlucci

More Details >

Image Photo Gallery Final Tiles Grid <= 2.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3710

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Image Photo Gallery Final Tiles Grid

Researcher

Dmitrii Ignatyev

More Details >

Interface <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35758

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Interface

Researcher

stealthcopter

More Details >

JetWidgets For Elementor <= 1.0.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via layout_type and id Parameters

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4626

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
JetWidgets For Elementor

Researcher

stealthcopter

More Details >

Kimili Flash Embed <= 2.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37221

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Kimili Flash Embed

Researcher

LVT-tholv2k

More Details >

Master Slider – Responsive Touch Slider <= 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4375

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Master Slider – Responsive Touch Slider

Researcher

Krzysztof Zając

More Details >

MaxGalleria <= 6.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via maxgallery_thumb Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5970

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
MaxGalleria

Researcher

Peter Thaleikis

More Details >

MIMO Woocommerce Order Tracking <= 1.0.2 - Missing Authorization to Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5768

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
MIMO Woocommerce Order Tracking

Researcher

Lucio Sá

More Details >

Mosaic <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5965

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Mosaic

Researcher

Francesco Carlucci

More Details >

My Favorites <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37114

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
My Favorites

Researcher

Jean Tirstan T

More Details >

Orbit Fox by ThemeIsle <= 2.10.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via Services and Post Type Grid Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2484

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Orbit Fox by ThemeIsle

Researcher

wesley (wcraft)

More Details >

OSM Map Widget for Elementor <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4663

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
OSM Map Widget for Elementor

Researcher

stealthcopter

More Details >

Page Builder Sandwich – Front-End Page Builder <= 5.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37219

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Page Builder Sandwich – Front End WordPress Page Builder Plugin

Researcher

Phill Sav (Savphill)

More Details >

Page Builder: Live Composer <= 1.5.42 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35779

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Live Composer – Free WordPress Website Builder

Researcher

LVT-tholv2k

More Details >

Page Builder: Live Composer <= 1.5.47 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35768

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Live Composer – Free WordPress Website Builder

Researcher

Phill Sav (Savphill)

More Details >

PDF Viewer for Elementor <= 2.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via render

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-0845

Patch Status
Unpatched

Published
Jun 17, 2024

Affected Software
PDF Viewer for Elementor

Researchers

Webbernaut

wesley (wcraft)

stealthcopter

More Details >

Photo Gallery, Images, Slider in Rbs Image Gallery <= 3.2.19 - Authenticated (Author+) Stored Cross-Site Scripting via Image Title

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3894

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Photo Gallery, Images, Slider in Rbs Image Gallery

Researcher

Tim Coen

More Details >

Quiz and Survey Master <= 9.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-6025

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Researcher

Dmitrii Ignatyev

More Details >

Restaurant Reservations <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37223

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Restaurant Reservations

Researcher

LVT-tholv2k

More Details >

SEOPress – On-site SEO <= 7.9 - Authenticated(Contributor+) Stored Cross-Site Scripting via Social Image URL

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-1168

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
SEOPress – On-site SEO

Researcher

Webbernaut

More Details >

Shortcodes Ultimate Pro <= 7.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4217

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Shortcodes Ultimate Pro

Researcher

Dmitrii Ignatyev

More Details >

Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) <= 3.5.4 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5036

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Researcher

wesley (wcraft)

More Details >

Sinatra <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37116

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Sinatra

Researcher

stealthcopter

More Details >

Sketchfab Embed <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37216

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Sketchfab Embed

Researcher

LVT-tholv2k

More Details >

Slideshow SE <= 2.5.20 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35769

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Slideshow SE

Researcher

Steven Julian

More Details >

Support SVG <= 1.0.0 - Authenticated (Author+) Stored Cross-site Scripting via SVG

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4272

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Support SVG – Upload svg files in wordpress without hassle

Researcher

Rayhan Ramdhany Hanaputra

More Details >

SVG Block <= 1.1.19 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4269

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
SVG Block

Researcher

Rayhan Ramdhany Hanaputra

More Details >

Swift Framework < 2024.04.30 Authenticated (Contributor+) Stored Cross-Site Scripting via Caption Title

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2872

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Swift Framework

Researcher

Bob Matyas

More Details >

Table Addons for Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via _id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4313

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Table Addons for Elementor

Researcher

stealthcopter

More Details >

Transition Slider – Responsive Image Slider and Gallery <= 2.20.3 - Authenticated (Editor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37215

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Transition Slider – Responsive Image Slider and Gallery

Researcher

Steven Julian

More Details >

Typing Text <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5058

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Typing Text

Researcher

vps1-

More Details >

Ultimate Blocks – WordPress Blocks Plugin <= 3.0.8 - Authenticated(Contributor+) Stored Cross-Site Scripting via metabox

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2023-6692

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Ultimate Blocks – WordPress Blocks Plugin

Researcher

Rafshanzani Suhada

More Details >

Ultimate Blocks – WordPress Blocks Plugin <= 3.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4655

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Ultimate Blocks – WordPress Blocks Plugin

Researcher

Dmitrii Ignatyev

More Details >

Watu Quiz <= 3.4.1.1 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2640

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Watu Quiz

Researcher

Eunho Kim

More Details >

Website Content in Page or Post <= 2024.03.27 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2430

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Website Content in Page or Post

Researcher

Ayush Juneja

More Details >

WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4632

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

Researcher

wesley (wcraft)

More Details >

WordPress Plugin Tournamatch < 4.6.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5627

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Tournamatch

Researcher

Davide Balzano

More Details >

WP Post Author <= 3.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37101

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder

Researcher

Khalid

More Details >

WP Recipe Maker <= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group_tag'

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-0383

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
WP Recipe Maker

Researcher

wesley (wcraft)

More Details >

WP Scraper <= 5.8 - Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37208

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
WP Scraper

Researcher

Majed Refaea

More Details >

WP SVG Images <= 4.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5945

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
WP SVG Images

Researcher

Colin Xu

More Details >

WPZOOM Addons for Elementor (Templates, Widgets) <= 1.1.38 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Members Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5686

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
WPZOOM Addons for Elementor (Templates, Widgets)

Researcher

wesley (wcraft)

More Details >

AliExpress Dropshipping with AliNext Lite <= 3.3.6 - Missing Authorization via Several Functions

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2024-4450

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
AliExpress Dropshipping Plugin for WooCommerce – AliNext

Researcher

Lucio Sá

More Details >

ARMember Premium <= 6.7 - Cross-Site Request Forgery via multiple functions

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2024-5596

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Researcher

István Márton

More Details >

Ali2Woo Lite <= 3.3.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37211

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
AliExpress Dropshipping Plugin for WooCommerce – AliNext

Researcher

Majed Refaea

More Details >

Ali2Woo Lite <= 3.4.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37213

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
AliExpress Dropshipping Plugin for WooCommerce – AliNext

Researcher

Majed Refaea

More Details >

Appointment Booking and Online Scheduling <= 4.4.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5859

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Online Booking & Scheduling Calendar for WordPress by vcita

Researcher

Lucio Sá

More Details >

Demo Awesome <= 1.0.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37206

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Demo Awesome

Researcher

Abdi Pranata

More Details >

Enfold <= 5.6.9 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37199

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Enfold - Responsive Multi-Purpose Theme

Researcher

tom

More Details >

Hostel <= 1.1.5.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-3753

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Hostel

Researcher

Bob Matyas

More Details >

If-So Dynamic Content Personalization <= 1.8.0.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5713

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
If-So Dynamic Content Personalization

Researcher

Bob Matyas

More Details >

Index WP MySQL For Speed <= 1.4.17 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-4977

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Index WP MySQL For Speed

Researcher

Guido Iván García

More Details >

Inline Related Posts <= 3.6.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5626

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Inline Related Posts

Researcher

Dmitrii Ignatyev

More Details >

Master Slider <= 3.10.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37222

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Master Slider – Responsive Touch Slider

Researcher

Rafie Muhammad

More Details >

Shortcodes by United Themes < 5.0.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37097

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Shortcodes by United Themes

Researcher

Rafie Muhammad

More Details >

SULly <= 4.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5032

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
SULly

Researcher

Bob Matyas

More Details >

SULly <= 4.3.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5033

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
SULly

Researcher

Bob Matyas

More Details >

Swift Framework < 2024.04.30 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-2870

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Swift Framework

Researcher

Bob Matyas

More Details >

The Plus Addons for Elementor Page Builder <= 5.5.6 - Reflected Cross-Site Scripting via WP Login and Register Widget

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5344

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
The Plus Addons for Elementor Page Builder

Researcher

wesley (wcraft)

More Details >

WP Affiliate Platform < 6.5.1 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5287

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
WP Affiliate Platform

Researcher

Bob Matyas

More Details >

WP Affiliate Platform < 6.5.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5284

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
WP Affiliate Platform

Researcher

Bob Matyas

More Details >

WP Affiliate Platform < 6.5.1 - Reflected Cross-Site Scripting via Affiliate Editing

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5281

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
WP Affiliate Platform

Researcher

Bob Matyas

More Details >

WP Affiliate Platform < 6.5.1 - Reflected Cross-Site Scripting via Banner Editing

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5286

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
WP Affiliate Platform

Researcher

Bob Matyas

More Details >

WP Affiliate Platform < 6.5.1 - Reflected Cross-Site Scripting via Lead Editing

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5283

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
WP Affiliate Platform

Researcher

Bob Matyas

More Details >

WP Affiliate Platform < 6.5.1 - Reflected Cross-Site Scripting via Registration Form

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5282

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
WP Affiliate Platform

Researcher

Bob Matyas

More Details >

WP Affiliate Platform <= 6.5.0 - Cross-Site Request Forgery to Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5280

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
WP Affiliate Platform

Researcher

Felipe Caon

More Details >

Wp EMember <= 10.6.5 - Cross-Site Request Forgery

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5077

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Wp EMember

Researcher

Bob Matyas

More Details >

WP eMember <= 10.6.5 - Reflected Cross-Site Scripting via 'editrecord'

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5075

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Wp EMember

Researcher

Bob Matyas

More Details >

WP eMember <= 10.6.5 - Reflected Cross-Site Scripting via 'login_pwd'

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5074

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Wp EMember

Researcher

kauenavarro

More Details >

WP eMember <= 10.6.6 - Reflected Cross-Site Scripting via Member Edit

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5715

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Wp EMember

Researcher

Bob Matyas

More Details >

Wp EMember <= 10.6.6 - Unauthenticated Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5079

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Wp EMember

Researcher

Bob Matyas

More Details >

WPPizza – A Restaurant Plugin <= 3.18.13 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35766

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
WPPizza – A Restaurant Plugin

Researcher

Dimas Maulana

More Details >

Cost Calculator Builder PRO <= 3.1.75 - Unauthenticated Arbitrary Email Sending

5.8

CVSS Rating
Medium (5.8)

CVE-ID
CVE-2024-4787

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Cost Calculator Builder PRO

Researcher

István Márton

More Details >

BlossomThemes Email Newsletter <= 2.2.6 - Authenticated (Admin+) Server-Side Request Forgery

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2024-37098

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
BlossomThemes Email Newsletter

Researcher

Yuchen Ji

More Details >

Slider by 10Web <= 1.2.55 - Authenticated (Editor+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2024-6026

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Slider by 10Web – Responsive Image Slider

Researcher

Dmitrii Ignatyev

More Details >

WordPress Button Plugin MaxButtons <= 9.7.7 - Authenticated (Editor+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2024-3026

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
WordPress Button Plugin MaxButtons

Researcher

Dmitrii Ignatyev

More Details >

Hercules Core <= 6.5 - Missing Authorization to Settings Update

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-37232

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Hercules Core

Researcher

Dave Jong

More Details >

OpenPGP Form Encryption for WordPress <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-3919

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
OpenPGP Form Encryption for WordPress

Researcher

Bob Matyas

More Details >

Paid Memberships Pro <= 2.12.10 - Cross-Site Request Forgery to Membership Modification

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-1407

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Researcher

Colin Xu

More Details >

Universal Slider <= 1.6.5 - Authenticated (Contributor+) PHP Object Injection

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-5649

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Universal Slider

Researcher

Francesco Carlucci

More Details >

Wheel of Life: Coaching and Assessment Tool for Life Coach <= 1.1.7 - Missing Authorization on Several AJAX Endpoints

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-3627

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Wheel of Life: Coaching and Assessment Tool for Life Coach

Researcher

Lucio Sá

More Details >

WP Affiliate Platform < 6.5.1 - Cross-Site Request Forgery to Profile Update

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-5287

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
WP Affiliate Platform

Researcher

Bob Matyas

More Details >

affiliate-toolkit <= 3.4.4 - Unauthenticated Sensitive Information Exposure via Logs

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37205

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
affiliate-toolkit – WP Affiliate Plugin with Amazon

Researcher

Joshua Chan

More Details >

ConvertKit <= 2.4.9 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-3961

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Subscribers and Landing Pages

Researcher

1337_Wannabe

More Details >

Event Management Tickets Booking <= 1.4.2 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-5059

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Event Monster – Event Management, Tickets Booking, Upcoming Event

Researcher

Muhammad Daffa

More Details >

Ibtana - WordPress Website Builder <= 1.2.3.3 - Unauthenticated reCAPTCHA Settings Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-5541

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Ibtana – WordPress Website Builder

Researcher

Peter Thaleikis

More Details >

MasterStudy LMS <= 3.2.12 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37094

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
MasterStudy LMS WordPress Plugin – for Online Courses and Education

Researcher

Majed Refaea

More Details >

Newspack Blocks <= 3.0.8 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37115

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Newspack Blocks

Researcher

Rafie Muhammad

More Details >

Optinly <= 1.0.18 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37220

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms

Researcher

beluga

More Details >

phpinfo() WP <= 5.0 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35776

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
phpinfo() WP

Researcher

LuxF0z

More Details >

SiteGuard WP Plugin <= 1.7.6 - Login Page Disclosure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37881

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
SiteGuard WP Plugin

Researcher

Yuuta Watanabe

More Details >

Solid Security <= 9.3.1 - IP Address Spoofing to Denial of Service

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2022-44593

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Researcher

Snicco

More Details >

WishList Member X <= 3.25.1 - Missing Authorization to Information Disclosure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37110

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

WishList Member X <= 3.25.1 - Unauthenticated Denial of Service

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37111

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

WishList Member X <= 3.25.1 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37113

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

WP 2FA <= 2.6.3 - Unauthenticated Information Exposure via Log File

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2022-44587

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
WP 2FA – Two-factor authentication for WordPress

Researcher

Snicco

More Details >

WP Child Theme Generator <= 1.1.1 - Missing Authorization to Unauthenticated Child Theme Creation/Activation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-3610

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
WP Child Theme Generator

Researcher

Lucio Sá

More Details >

WP Maintenance <= 6.1.9.2 - IP Spoofing to Maintenance Mode Bypass

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-0789

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
WP Maintenance

Researcher

Hoa Le Ngoc (lengochoa)

More Details >

Accordions <= 2.3.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37122

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Accordion – Multiple Accordion or FAQs Builder

Researcher

Jean Tirstan T

More Details >

Amelia <= 1.1.5 & Amelia (Pro) <= 7.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-6225

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Booking for Appointments and Events Calendar – Amelia
Booking for Appointments and Events Calendar – Amelia Pro

Researcher

Vinay Kumar

More Details >

DN Footer Contacts <= 1.6.2 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-3410

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Footer Contacts Bar

Researcher

Dikshita Trivedi (Cybersecdexter)

More Details >

Easy Table of Contents <= 2.0.67 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-6334

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Easy Table of Contents

Researcher

Dmitrii Ignatyev

More Details >

Embed Peertube Playlist <= 1.07 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-4602

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Embed Peertube Playlist

Researcher

Bob Matyas

More Details >

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers <= 1.12.13 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-3963

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Researcher

Krugov Artyom

More Details >

If-So Dynamic Content Personalization <= 1.8.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-6070

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
If-So Dynamic Content Personalization

Researcher

Bob Matyas

More Details >

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Gallery

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5442

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Researcher

Krugov Artyom

More Details >

Product Enquiry for WooCommerce <= 3.1.7 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-3964

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Product Enquiry for WooCommerce

Researcher

Bob Matyas

More Details >

Secure Copy Content Protection and Content Locking <= 4.0.8 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-6138

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Secure Copy Content Protection and Content Locking

Researcher

Krugov Artyom

More Details >

Serious Slider <= 1.2.4 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-35762

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Serious Slider

Researcher

Steven Julian

More Details >

Seriously Simple Podcasting <= 3.2.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-3751

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Seriously Simple Podcasting

Researcher

Thanh Hang

More Details >

Shortcode Addons <= 3.2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37121

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension

Researcher

Jean Tirstan T

More Details >

Simple Video Directory <= 1.4.3 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5811

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Simple Video Directory

Researcher

Bob Matyas

More Details >

Social Media Widget <= 4.0.8 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-0974

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Social Media Widget

Researcher

Dmitrii Ignatyev

More Details >

SULly <= 4.3.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5151

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
SULly

Researcher

Guido Iván García

More Details >

Swift Framework < 2024.04.30 Authenticated (Admin+) Stored Cross-Site Scripting via Auth

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-2696

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Swift Framework

Researcher

Bob Matyas

More Details >

Tabs <= 4.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37120

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Tabs – Responsive Tabs with WooCommerce Product Tab Extension

Researcher

Jean Tirstan T

More Details >

URL Shortener by MyShop <= 1.0.17 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5802

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
URL Shortener by MyThemeShop

Researcher

Sandeep Vishwakarma

More Details >

User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20240319 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5002

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
User Submitted Posts – Enable Users to Submit Posts from the Front End

Researcher

Guido Iván García

More Details >

WordPress Plugin Tournamatch < 4.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5644

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Tournamatch

Researcher

Bob Matyas

More Details >

WP Job Portal <= 2.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-35760

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website

Researcher

LuxF0z

More Details >

WP Job Portal <= 2.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-35759

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website

Researcher

LuxF0z

More Details >

WP QuickLaTeX <= 3.8.6 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5472

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
WP QuickLaTeX

Researcher

Felipe Caon

More Details >

WP Secure Maintenance <= 1.6 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-4753

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
WP Secure Maintenance

Researcher

Guido Iván García

More Details >

YARPP – Yet Another Related Posts Plugin <= 5.30.9 - Authenticated(Administrator+) Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2023-6495

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
YARPP – Yet Another Related Posts Plugin

Researcher

Akbar Kustirama

More Details >

Book Landing Page <= 1.2.3 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37230

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Book Landing Page

Researcher

Dhabaleshwar Das

More Details >

Bricks Builder <= 1.9.8 - Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4874

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Bricks Builder

Researcher

Francesco Carlucci

More Details >

Chic Lite <= 1.1.3 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37104

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Chic Lite

Researcher

Dhabaleshwar Das

More Details >

CM Email Registration Blacklist and Whitelist <= 1.4.8 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5167

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Name: CM E-Mail Registration Blacklist

Researcher

Felipe Caon

More Details >

ContentLock <= 1.0.3 - Cross-Site Request Forgery to Email Adding

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-6023

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
ContentLock

Researcher

Norbert Hofmann

More Details >

ContentLock <= 1.0.3 - Cross-Site Request Forgery to Group/Email Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-6024

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
ContentLock

Researcher

Bob Matyas

More Details >

ContentLock <= 1.0.3 - Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-6022

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
ContentLock

Researcher

Norbert Hofmann

More Details >

Custom Product List Table <= 3.0.0 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4541

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Custom Product List Table

Researcher

Benedictus Jovan (aillesiM)

More Details >

Customizr <= 4.4.21 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35771

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Customizr

Researcher

Dhabaleshwar Das

More Details >

Demo Awesome <= 1.0.2 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37207

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Demo Awesome

Researcher

Abdi Pranata

More Details >

Digital Newspaper <= 1.1.5 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37198

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Digital Newspaper

Researcher

Dhabaleshwar Das

More Details >

Education Zone <= 1.3.4 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37103

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Education Zone

Researcher

Dhabaleshwar Das

More Details >

Envira Photo Gallery <= 1.8.7.3 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37095

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Gallery Plugin for WordPress – Envira Photo Gallery

Researcher

Abdi Pranata

More Details >

Falang multilanguage <= 1.3.51 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37240

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Falang multilanguage for WordPress

Researcher

Dhabaleshwar Das

More Details >

FS Poster <= 6.5.8 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37237

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
FS Poster - WordPress Social media Auto Poster & Scheduler [Facebook, Instagram, Twitter, Pinterest]

Researcher

Ananda Dhakal

More Details >

Groundhogg <= 3.4.2.3 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37235

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Researcher

Ananda Dhakal

More Details >

Hide Dashboard Notifications <= 1.3 - Missing Authorization to Authenticated(Contributor+) Plugin Settings Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-1955

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Hide Dashboard Notifications

Researcher

Francesco Carlucci

More Details >

Hueman <= 3.7.24 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35772

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Hueman

Researcher

Dhabaleshwar Das

More Details >

Kanban Boards for WordPress <= 2.5.21 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37226

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Kanban Boards for WordPress

Researcher

LVT-tholv2k

More Details >

Laybuy Payment Extension for WooCommerce <= 5.3.9 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37203

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Laybuy Payment Extension for WooCommerce

Researcher

Abdi Pranata

More Details >

Loco Translate <= 2.6.9 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37236

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Loco Translate

Researcher

Nosa "apapedulimu" Shandy

More Details >

MasterStudy LMS <= 3.2.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37093

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
MasterStudy LMS WordPress Plugin – for Online Courses and Education

Researcher

Majed Refaea

More Details >

Newsletters <= 4.9.7 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37227

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Newsletters

Researcher

Peng Zhou

More Details >

Newspack Newsletters <= 2.13.2 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37242

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Newspack Newsletters

Researcher

Rafie Muhammad

More Details >

Page Builder Sandwich – Front-End Page Builder <= 5.1.0 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37218

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Page Builder Sandwich – Front End WordPress Page Builder Plugin

Researcher

Phill Sav (Savphill)

More Details >

Play.ht <= 3.6.4 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37233

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio

Researcher

Abdi Pranata

More Details >

Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer <= 1.1.0 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3602

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer

Researcher

Lucio Sá

More Details >

Popup box <= 4.5.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37096

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Researcher

Abdi Pranata

More Details >

PropertyHive <= 2.0.9 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37204

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
PropertyHive

Researcher

CatFather

More Details >

Replace Image <= 1.1.10 - Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4873

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Replace Image

Researcher

Jin Hao Chan

More Details >

Smart Image Gallery <= 1.0.18 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3632

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Smart Image Gallery

Researcher

Bob Matyas

More Details >

Smush – Lazy Load Images, Optimize & Compress Images <= 3.16.4 - Missing Authorization to Resmush List Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2023-3352

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN

Researchers

Truoc Phan

An Đặng

More Details >

SP Project & Document Manager <= 4.71 - Authenticated (Subscriber+) Directory Traversal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37224

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
SP Project & Document Manager

Researcher

CatFather

More Details >

SULly <= 4.3.0 - Cross-Site Request Forgery to Plugin Reset

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5034

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
SULly

Researcher

Bob Matyas

More Details >

Tickera <= 3.5.2.8 - Missing Authorization to Authenticated (Susbcriber+) Ticket Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5860

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Tickera – WordPress Event Ticketing

Researcher

Lucio Sá

More Details >

Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter <= 1.222.16 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37202

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter

Researcher

Abdi Pranata

More Details >

User Profile Picture <= 2.6.1 - Authenticated (Author+) Insecure Direct Object Reference to Profile Picture Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5639

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
User Profile Picture

Researcher

JoanClarke2

More Details >

User Rights Access Manager <= 1.1.2 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37209

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
User Rights Access Manager

Researcher

Majed Refaea

More Details >

Vilva <= 1.2.2 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37102

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Vilva

Researcher

Dhabaleshwar Das

More Details >

Vimeography: Vimeo Video Gallery WordPress Plugin <= 2.4.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35770

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Vimeography: Vimeo Video Gallery WordPress Plugin

Researcher

thiennv

More Details >

Woocommerce Customers Order History <= 5.2.2 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37201

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Woocommerce Customers Order History

Researcher

Abdi Pranata

More Details >

Wp EMember <= 10.6.5 - Cross-Site Request Forgery to Bulk Delete

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5076

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Wp EMember

Researcher

Bob Matyas

More Details >

WP Job Manager - Resume Manager <= 2.1.0 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37241

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
WP Job Manager - Resume Manager

Researcher

Rafie Muhammad

More Details >

WPAdverts – Classifieds Plugin <= 2.1.2 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37238

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
WPAdverts – Classifieds Plugin

Researcher

Majed Refaea

More Details >