Wordfence Intelligence Weekly WordPress Vulnerability Report (June 17, 2024 to June 23, 2024)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. For a limited time, all high risk issues are in-scope for all researchers! 

Last week, there were 185 vulnerabilities disclosed in 137 WordPress Plugins and 14 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 61 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 17,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• WAF-RULE-707 – data redacted while we work with the vendor on a patch.
• WAF-RULE-708 – data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Lucio Sá	13
wesley (wcraft)	10
Dave Jong	9
stealthcopter	9
Rafie Muhammad	9
Majed Refaea	9
Bob Matyas	8
Dhabaleshwar Das	8
LVT-tholv2k	8
Abdi Pranata	8
Francesco Carlucci	7
István Márton	5
Dmitrii Ignatyev	5
Krzysztof Zając	5
Jean Tirstan T	4
Peter Thaleikis	3
Guido Iván García	3
Phill Sav (Savphill)	3
Ngô Thiên An (ancorn_)	3
Arkadiusz Hydzik	3
João Pedro Soares de Alcântara	3
Jack Taylor	3
JoanClarke2	2
Norbert Hofmann	2
Colin Xu	2
Gibran Abdillah	2
Webbernaut	2
Felipe Caon	2
CatFather	2
Snicco	2
Ananda Dhakal	2
Steven Julian	2
Rayhan Ramdhany Hanaputra	2
Khalid	1
Vinay Kumar	1
beluga	1
Mochamad Sofyan	1
Rafshanzani Suhada	1
Yuuta Watanabe	1
Peng Zhou	1
Benedictus Jovan (aillesiM)	1
thiennv	1
Jin Hao Chan	1
LuxF0z	1
M.Awad	1
Nosa "apapedulimu" Shandy	1
YC_Infosec	1
1337_Wannabe	1
tom	1
Yuchen Ji	1
Tim Coen	1
Hoa Le Ngoc (lengochoa)	1
Muhammad Daffa	1
Davide Balzano	1
AtaTurk1925	1
Akbar Kustirama	1
Truoc Phan	1
An Đặng	1
Joshua Chan	1
haidv35	1
vps1-	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

InstaWP Connect <= 0.1.0.38 - Unauthenticated Arbitrary File Upload

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-37228

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
InstaWP Connect – 1-click WP Staging & Migration

Researcher

AtaTurk1925

More Details >

WishList Member X <= 3.25.1 - Unauthenticated Arbitrary SQL Execution

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-37112

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

WP Hotel Booking <= 2.1.0 - Unauthenticated SQL Injection

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-3605

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
WP Hotel Booking

Researcher

Krzysztof Zając

More Details >

Consulting Elementor Widgets <= 1.3.0 - Authenticated (Contributor+) SQL Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-37090

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Consulting Elementor Widgets

Researcher

Rafie Muhammad

More Details >

Image Optimizer, Resizer and CDN – Sirv <= 7.2.6 - Authenticated (Contributor+) Arbitrary File Upload

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-5853

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Image Optimizer, Resizer and CDN – Sirv

Researcher

Lucio Sá

More Details >

WishList Member X <= 3.25.1 - Authenticated (Subscriber+) Remote Code Execution

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-37109

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

Zoho Marketing Automation <= 1.2.7 - Authenticated (Contributor+) SQL Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-37225

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Zoho Marketing Automation

Researcher

LVT-tholv2k

More Details >

Consulting Elementor Widgets <= 1.3.0 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-37089

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Consulting Elementor Widgets

Researcher

Rafie Muhammad

More Details >

Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.23 - Unauthenticated SQL Injection via optin

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-5756

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce

Researcher

Arkadiusz Hydzik

More Details >

Lifeline Donation <= 1.2.6 - Authentication Bypass

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-5432

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Lifeline Donation

Researcher

István Márton

More Details >

Salon Booking System <= 10.2 - Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-3229

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Salon Booking System

Researcher

Gibran Abdillah

More Details >

Shariff Wrapper <= 4.6.13 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4098

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Shariff Wrapper

Researcher

haidv35

More Details >

Themify - WooCommerce Product Filter <= 1.4.9 - Unauthenticated SQL Injection via conditions Parameter

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-6027

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Themify – WooCommerce Product Filter

Researcher

Arkadiusz Hydzik

More Details >

Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.2.5 - Authenticated (Contributor+) SQL Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4742

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Researcher

Peter Thaleikis

More Details >

Ali2Woo Lite <= 3.3.5 - Cross-Site Request Forgery to PHP Object Injection

9.6

CVSS Rating
Critical (9.6)

CVE-ID
CVE-2024-37212

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
AliExpress Dropshipping with AliNext Lite

Researcher

Majed Refaea

More Details >

WordPress Picture / Portfolio / Media Gallery <= 3.0.1 - Unauthenticated Server-Side Request Forgery

9.3

CVSS Rating
Critical (9.3)

CVE-ID
CVE-2024-5021

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
WordPress Picture / Portfolio / Media Gallery

Researcher

Francesco Carlucci

More Details >

Squeeze <= 1.4 - Authenticated (Admin+) Arbitrary File Upload

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2024-35767

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Squeeze

Researcher

YC_Infosec

More Details >

AliExpress Dropshipping with AliNext Lite <= 3.3.5 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-2381

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
AliExpress Dropshipping with AliNext Lite

Researcher

Lucio Sá

More Details >

Consulting Elementor Widgets <= 1.3.0 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-37092

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Consulting Elementor Widgets

Researcher

Rafie Muhammad

More Details >

Consulting Elementor Widgets <= 1.3.0 - Authenticated (Contributor+) Remote Code Execution

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-37091

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Consulting Elementor Widgets

Researcher

Rafie Muhammad

More Details >

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) PHP Code Injection via Loop Custom Field

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-3562

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Custom Field Suite

Researcher

Jack Taylor

More Details >

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) SQL Injection via Term Custom Field

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-3561

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Custom Field Suite

Researcher

Jack Taylor

More Details >

Media Library Assistant <= 3.16 - Authenticated (Contributor+) SQL Injection via order Parameter

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5605

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Media Library Assistant

Researcher

Krzysztof Zając

More Details >

Pexels: Free Stock Photos <= 1.2.2 - Authenticated (Contributor+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-6132

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Pexels: Free Stock Photos

Researcher

István Márton

More Details >

Photo Gallery, Images, Slider in Rbs Image Gallery <= 3.2.19 - Cross-Site Request Forgery to Post Creation and Limited Data Loss

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5343

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Photo Gallery, Images, Slider in Rbs Image Gallery

Researcher

JoanClarke2

More Details >

Photo Video Gallery Master <= 1.5.3 - Authenticated (Contributor+) PHP Object Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5724

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Photo Video Gallery Master

Researcher

Francesco Carlucci

More Details >

Slideshow SE <= 2.5.17 - Authenticated (Author+) Limited Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-35778

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Slideshow SE

Researcher

João Pedro Soares de Alcântara

More Details >

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.5.6 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5455

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
The Plus Addons for Elementor Page Builder

Researcher

wesley (wcraft)

More Details >

WishList Member X <= 3.25.1 - Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-37107

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

Word Balloon <= 4.21.1 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-35781

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Word Balloon

Researcher

João Pedro Soares de Alcântara

More Details >

WP Blog Post Layouts <= 1.1.3 - Authenticated (Contributor+) Local File Inlcusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5503

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
WP Blog Post Layouts

Researcher

stealthcopter

More Details >

Academy LMS <= 2.0.2 - Open Redirect

8.3

CVSS Rating
High (8.3)

CVE-ID
CVE-2024-37234

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Academy LMS – eLearning and online course solution for WordPress

Researcher

Mochamad Sofyan

More Details >

Login with phone number <= 1.7.34 - Insecure Password Reset Mechanism

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-6125

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Login with phone number

Researcher

István Márton

More Details >

WishList Member X <= 3.25.1 - Authenticated (Subscriber+) Arbitrary File Deletion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-37108

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

Page Builder: Live Composer <= 1.5.42 - Authenticated (Contributor+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-35780

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Live Composer – Free WordPress Website Builder

Researcher

LVT-tholv2k

More Details >

WP Magazine Modules Lite <= 1.1.2 - Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-5574

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
WP Magazine Modules Lite

Researcher

stealthcopter

More Details >

Business Directory Plugin <= 6.4.3 - Authenticated (Author+) CSV Injection

7.4

CVSS Rating
High (7.4)

CVE-ID
CVE-2023-5527

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Business Directory Plugin – Easy Listing Directories for WordPress

Researcher

Dmitrii Ignatyev

More Details >

Appointment Booking and Online Scheduling <= 4.4.2 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-5791

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Online Booking & Scheduling Calendar for WordPress by vcita

Researcher

Lucio Sá

More Details >

UberMenu <= 3.8.3 - Cross-Site Request Forgery to Settings Reset

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-3593

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
UberMenu

Researcher

M.Awad

More Details >

WishList Member X <= 3.25.1 - Missing Authorization to Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-37106

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

Export WP Page to Static HTML/CSS <= 2.2.2 - Open Redirect

7.1

CVSS Rating
High (7.1)

CVE-ID
CVE-2024-3597

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Export WP Page to Static HTML/CSS

Researcher

Krzysztof Zając

More Details >

Depicter <= 3.0.2 - Authenticated (Contributor+) Arbitrary Nonce Generation

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-4390

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

Researcher

Arkadiusz Hydzik

More Details >

License Manager for WooCommerce <= 3.0.7 - Improper Authorization to Authenticated(Contributor+) Sensitive Information Exposure

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-1639

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
License Manager for WooCommerce

Researcher

Lucio Sá

More Details >

Materialis <= 1.1.24 - Missing Authorization to Limited Arbitrary Options Update

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2023-3204

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Materialis

Researcher

Gibran Abdillah

More Details >

Scheduling Plugin – Online Booking for WordPress <= 3.5.10 - Missing Authorization to Unauthenticated Service Disconnection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-1634

Patch Status
Unpatched

Published
Jun 17, 2024

Affected Software
Scheduling Plugin – Online Booking for WordPress

Researcher

Lucio Sá

More Details >

Sparkle Demo Importer <= 1.4.7 - Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-6120

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Sparkle Demo Importer

Researcher

Lucio Sá

More Details >

Ali2Woo Lite <= 3.3.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37214

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
AliExpress Dropshipping with AliNext Lite

Researcher

Majed Refaea

More Details >

Bible Text <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5444

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Bible Text

Researcher

Bob Matyas

More Details >

Blogmentor – Blog Layouts for Elementor <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via pagination_style Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4623

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Blogmentor – Blog Layouts for Elementor

Researcher

stealthcopter

More Details >

Branda – White Label WordPress, Custom Login Page Customizer <= 3.4.17 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5191

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Branda – White Label WordPress, Custom Login Page Customizer

Researcher

wesley (wcraft)

More Details >

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_title]

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3558

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Custom Field Suite

Researcher

Jack Taylor

More Details >

DImage 360 <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35774

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
DImage 360

Researcher

Ngô Thiên An (ancorn_)

More Details >

Divi <= 4.25.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5533

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Divi

Researcher

Ngô Thiên An (ancorn_)

More Details >

Elegant Themes Icons <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37100

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Elegant Themes Icons

Researcher

Ngô Thiên An (ancorn_)

More Details >

EmbedSocial – Social Media Feeds, Reviews and Galleries <= 1.1.29 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3984

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
EmbedSocial – Social Media Feeds, Reviews and Galleries

Researcher

Krzysztof Zając

More Details >

Empty Cart Button for WooCommerce <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37217

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Empty Cart Button for WooCommerce

Researcher

LVT-tholv2k

More Details >

Flatsome <= 3.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5156

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Flatsome

Researcher

stealthcopter

More Details >

Flatsome | Multi-Purpose Responsive WooCommerce Theme <= 3.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5346

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Flatsome

Researcher

wesley (wcraft)

More Details >

Greenshift – animation and page builder blocks <= 8.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35765

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Greenshift – animation and page builder blocks

Researcher

João Pedro Soares de Alcântara

More Details >

Grey Opaque <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Download-Button Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5966

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Grey Opaque

Researcher

Francesco Carlucci

More Details >

JetWidgets For Elementor <= 1.0.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via layout_type and id Parameters

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4626

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
JetWidgets For Elementor

Researcher

stealthcopter

More Details >

Kimili Flash Embed <= 2.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37221

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Kimili Flash Embed

Researcher

LVT-tholv2k

More Details >

Master Slider – Responsive Touch Slider <= 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4375

Patch Status
Unpatched

Published
Jun 17, 2024

Affected Software
Master Slider – Responsive Touch Slider

Researcher

Krzysztof Zając

More Details >

MaxGalleria <= 6.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via maxgallery_thumb Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5970

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
MaxGalleria

Researcher

Peter Thaleikis

More Details >

MIMO Woocommerce Order Tracking <= 1.0.2 - Missing Authorization to Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5768

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
MIMO Woocommerce Order Tracking

Researcher

Lucio Sá

More Details >

Mosaic <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5965

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Mosaic

Researcher

Francesco Carlucci

More Details >

My Favorites <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37114

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
My Favorites

Researcher

Jean Tirstan T

More Details >

Orbit Fox by ThemeIsle <= 2.10.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via Services and Post Type Grid Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2484

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Orbit Fox by ThemeIsle

Researcher

wesley (wcraft)

More Details >

OSM Map Widget for Elementor <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4663

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
OSM Map Widget for Elementor

Researcher

stealthcopter

More Details >

Page Builder Sandwich – Front-End Page Builder <= 5.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37219

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Page Builder Sandwich – Front End WordPress Page Builder Plugin

Researcher

Phill Sav (Savphill)

More Details >

Page Builder: Live Composer <= 1.5.42 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35768

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Live Composer – Free WordPress Website Builder

Researcher

Phill Sav (Savphill)

More Details >

Page Builder: Live Composer <= 1.5.42 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35779

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Live Composer – Free WordPress Website Builder

Researcher

LVT-tholv2k

More Details >

PDF Viewer for Elementor <= 2.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via render

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-0845

Patch Status
Unpatched

Published
Jun 17, 2024

Affected Software
PDF Viewer for Elementor

Researchers

Webbernaut

wesley (wcraft)

stealthcopter

More Details >

Photo Gallery, Images, Slider in Rbs Image Gallery <= 3.2.19 - Authenticated (Author+) Stored Cross-Site Scripting via Image Title

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3894

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Photo Gallery, Images, Slider in Rbs Image Gallery

Researcher

Tim Coen

More Details >

Quiz and Survey Master <= 9.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-6025

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Researcher

Dmitrii Ignatyev

More Details >

Restaurant Reservations <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37223

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Restaurant Reservations

Researcher

LVT-tholv2k

More Details >

SEOPress – On-site SEO <= 7.9 - Authenticated(Contributor+) Stored Cross-Site Scripting via Social Image URL

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-1168

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
SEOPress – On-site SEO

Researcher

Webbernaut

More Details >

Shortcodes Ultimate Pro <= 7.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4217

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Shortcodes Ultimate Pro

Researcher

Dmitrii Ignatyev

More Details >

Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) <= 3.5.4 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5036

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Researcher

wesley (wcraft)

More Details >

Sinatra <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37116

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Sinatra

Researcher

stealthcopter

More Details >

Sketchfab Embed <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37216

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Sketchfab Embed

Researcher

LVT-tholv2k

More Details >

Slideshow SE <= 2.5.17 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35769

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Slideshow SE

Researcher

Steven Julian

More Details >

Support SVG <= 1.0.0 - Authenticated (Author+) Stored Cross-site Scripting via SVG

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4272

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Support SVG – Upload svg files in wordpress without hassle

Researcher

Rayhan Ramdhany Hanaputra

More Details >

SVG Block <= 1.1.19 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4269

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
SVG Block

Researcher

Rayhan Ramdhany Hanaputra

More Details >

Table Addons for Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via _id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4313

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Table Addons for Elementor

Researcher

stealthcopter

More Details >

Transition Slider – Responsive Image Slider and Gallery <= 2.20.3 - Authenticated (Editor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37215

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Transition Slider – Responsive Image Slider and Gallery

Researcher

Steven Julian

More Details >

Typing Text <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5058

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
Typing Text

Researcher

vps1-

More Details >

Ultimate Blocks – WordPress Blocks Plugin <= 3.0.8 - Authenticated(Contributor+) Stored Cross-Site Scripting via metabox

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2023-6692

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Ultimate Blocks – WordPress Blocks Plugin

Researcher

Rafshanzani Suhada

More Details >

WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4632

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

Researcher

wesley (wcraft)

More Details >

WordPress Plugin Tournamatch < 4.6.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5627

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Tournamatch

Researcher

Davide Balzano

More Details >

WP Post Author <= 3.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37101

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Enhance Your Posts with the WP Post Author Box, Co-Authors, Guest Authors, and Post Rating System, including Registration Form Builder

Researcher

Khalid

More Details >

WP Recipe Maker <= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group_tag'

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-0383

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
WP Recipe Maker

Researcher

wesley (wcraft)

More Details >

WP Scraper <= 5.7 - Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37208

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
WP Scraper

Researcher

Majed Refaea

More Details >

WP SVG Images <= 4.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5945

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
WP SVG Images

Researcher

Colin Xu

More Details >

WPZOOM Addons for Elementor (Templates, Widgets) <= 1.1.38 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Members Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5686

Patch Status
Patched

Published
Jun 19, 2024

Affected Software
WPZOOM Addons for Elementor (Templates, Widgets)

Researcher

wesley (wcraft)

More Details >

AliExpress Dropshipping with AliNext Lite <= 3.3.5 - Missing Authorization via Several Functions

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2024-4450

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
AliExpress Dropshipping with AliNext Lite

Researcher

Lucio Sá

More Details >

ARMember Premium <= 6.7 - Cross-Site Request Forgery via multiple functions

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2024-5596

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Researcher

István Márton

More Details >

Ali2Woo Lite <= 3.3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37213

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
AliExpress Dropshipping with AliNext Lite

Researcher

Majed Refaea

More Details >

Ali2Woo Lite <= 3.3.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37211

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
AliExpress Dropshipping with AliNext Lite

Researcher

Majed Refaea

More Details >

Appointment Booking and Online Scheduling <= 4.4.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5859

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Online Booking & Scheduling Calendar for WordPress by vcita

Researcher

Lucio Sá

More Details >

Demo Awesome <= 1.0.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37206

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Demo Awesome

Researcher

Abdi Pranata

More Details >

Enfold <= 5.6.9 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37199

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Enfold - Responsive Multi-Purpose Theme

Researcher

tom

More Details >

Index WP MySQL For Speed <= 1.4.17 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-4977

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Index WP MySQL For Speed

Researcher

Guido Iván García

More Details >

Master Slider <= 3.9.10 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37222

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Master Slider – Responsive Touch Slider

Researcher

Rafie Muhammad

More Details >

Shortcodes by United Themes < 5.0.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37097

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Shortcodes by United Themes

Researcher

Rafie Muhammad

More Details >

SULly <= 4.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5032

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
SULly

Researcher

Bob Matyas

More Details >

SULly <= 4.3.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5033

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
SULly

Researcher

Bob Matyas

More Details >

The Plus Addons for Elementor Page Builder <= 5.5.6 - Reflected Cross-Site Scripting via WP Login and Register Widget

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5344

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
The Plus Addons for Elementor Page Builder

Researcher

wesley (wcraft)

More Details >

Cost Calculator Builder PRO <= 3.1.75 - Unauthenticated Arbitrary Email Sending

5.8

CVSS Rating
Medium (5.8)

CVE-ID
CVE-2024-4787

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Cost Calculator Builder PRO

Researcher

István Márton

More Details >

BlossomThemes Email Newsletter <= 2.2.7 - Authenticated (Admin+) Server-Side Request Forgery

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2024-37098

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
BlossomThemes Email Newsletter

Researcher

Yuchen Ji

More Details >

Slider by 10Web <= 1.2.55 - Authenticated (Editor+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2024-6026

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Slider by 10Web – Responsive Image Slider

Researcher

Dmitrii Ignatyev

More Details >

Hercules Core <= 6.5 - Missing Authorization to Settings Update

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-37232

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Hercules Core

Researcher

Dave Jong

More Details >

OpenPGP Form Encryption for WordPress <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-3919

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
OpenPGP Form Encryption for WordPress

Researcher

Bob Matyas

More Details >

Paid Memberships Pro <= 2.12.10 - Cross-Site Request Forgery to Membership Modification

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-1407

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Researcher

Colin Xu

More Details >

Universal Slider <= 1.6.5 - Authenticated (Contributor+) PHP Object Injection

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-5649

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Universal Slider

Researcher

Francesco Carlucci

More Details >

Wheel of Life: Coaching and Assessment Tool for Life Coach <= 1.1.7 - Missing Authorization on Several AJAX Endpoints

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-3627

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Wheel of Life: Coaching and Assessment Tool for Life Coach

Researcher

Lucio Sá

More Details >

affiliate-toolkit <= 3.4.4 - Unauthenticated Sensitive Information Exposure via Logs

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37205

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
affiliate-toolkit – WordPress Affiliate Plugin

Researcher

Joshua Chan

More Details >

ConvertKit <= 2.4.9 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-3961

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages

Researcher

1337_Wannabe

More Details >

Event Management Tickets Booking <= 1.4.0 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-5059

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Event Monster – Event Management, Tickets Booking, Upcoming Event

Researcher

Muhammad Daffa

More Details >

Ibtana - WordPress Website Builder <= 1.2.3.3 - Unauthenticated reCAPTCHA Settings Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-5541

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Ibtana – WordPress Website Builder

Researcher

Peter Thaleikis

More Details >

MasterStudy LMS <= 3.2.12 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37094

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
MasterStudy LMS WordPress Plugin – for Online Courses and Education

Researcher

Majed Refaea

More Details >

Newspack Blocks <= 3.0.8 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37115

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Newspack Blocks

Researcher

Rafie Muhammad

More Details >

Optinly <= 1.0.18 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37220

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms

Researcher

beluga

More Details >

phpinfo() WP <= 5.0 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35776

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
phpinfo() WP

Researcher

LuxF0z

More Details >

SiteGuard WP Plugin <= 1.7.6 - Login Page Disclosure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37881

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
SiteGuard WP Plugin

Researcher

Yuuta Watanabe

More Details >

Solid Security <= 9.3.1 - IP Address Spoofing to Denial of Service

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2022-44593

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Researcher

Snicco

More Details >

WishList Member X <= 3.25.1 - Missing Authorization to Information Disclosure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37110

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

WishList Member X <= 3.25.1 - Unauthenticated Denial of Service

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37111

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

WishList Member X <= 3.25.1 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37113

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Wishlist Member

Researcher

Dave Jong

More Details >

WP 2FA <= 2.6.3 - Unauthenticated Information Exposure via Log File

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2022-44587

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
WP 2FA – Two-factor authentication for WordPress

Researcher

Snicco

More Details >

WP Child Theme Generator <= 1.1.1 - Missing Authorization to Unauthenticated Child Theme Creation/Activation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-3610

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
WP Child Theme Generator

Researcher

Lucio Sá

More Details >

WP Maintenance <= 6.1.9.2 - IP Spoofing to Maintenance Mode Bypass

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-0789

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
WP Maintenance

Researcher

Hoa Le Ngoc (lengochoa)

More Details >

Accordions <= 2.3.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37122

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Accordion – Multiple Accordion or FAQs Builder

Researcher

Jean Tirstan T

More Details >

Amelia <= 1.1.5 & Amelia (Pro) <= 7.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-6225

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Booking for Appointments and Events Calendar – Amelia

Researcher

Vinay Kumar

More Details >

Easy Table of Contents <= 2.0.67 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-6334

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Easy Table of Contents

Researcher

Dmitrii Ignatyev

More Details >

Embed Peertube Playlist <= 1.07 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-4602

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Embed Peertube Playlist

Researcher

Bob Matyas

More Details >

Shortcode Addons <= 3.2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37121

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension

Researcher

Jean Tirstan T

More Details >

SULly <= 4.3.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5151

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
SULly

Researcher

Guido Iván García

More Details >

Tabs <= 4.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37120

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Tabs – Responsive Tabs with WooCommerce Product Tab Extension

Researcher

Jean Tirstan T

More Details >

WordPress Plugin Tournamatch < 4.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5644

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
Tournamatch

Researcher

Bob Matyas

More Details >

WP QuickLaTeX <= 3.8.6 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5472

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
WP QuickLaTeX

Researcher

Felipe Caon

More Details >

WP Secure Maintenance <= 1.6 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-4753

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
WP Secure Maintenance

Researcher

Guido Iván García

More Details >

YARPP – Yet Another Related Posts Plugin <= 5.30.9 - Authenticated(Administrator+) Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2023-6495

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
YARPP – Yet Another Related Posts Plugin

Researcher

Akbar Kustirama

More Details >

Book Landing Page <= 1.2.3 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37230

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Book Landing Page

Researcher

Dhabaleshwar Das

More Details >

Bricks Builder <= 1.9.8 - Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4874

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Bricks Builder

Researcher

Francesco Carlucci

More Details >

Chic Lite <= 1.1.3 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37104

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Chic Lite

Researcher

Dhabaleshwar Das

More Details >

CM Email Registration Blacklist and Whitelist <= 1.4.8 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5167

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
CM Email Registration Blacklist and Whitelist

Researcher

Felipe Caon

More Details >

ContentLock <= 1.0.3 - Cross-Site Request Forgery to Email Adding

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-6023

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
ContentLock

Researcher

Norbert Hofmann

More Details >

ContentLock <= 1.0.3 - Cross-Site Request Forgery to Group/Email Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-6024

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
ContentLock

Researcher

Bob Matyas

More Details >

ContentLock <= 1.0.3 - Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-6022

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
ContentLock

Researcher

Norbert Hofmann

More Details >

Custom Product List Table <= 3.0.0 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4541

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Custom Product List Table

Researcher

Benedictus Jovan (aillesiM)

More Details >

Customizr <= 4.4.21 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35771

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Customizr

Researcher

Dhabaleshwar Das

More Details >

Demo Awesome <= 1.0.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37207

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Demo Awesome

Researcher

Abdi Pranata

More Details >

Digital Newspaper <= 1.1.5 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37198

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Digital Newspaper

Researcher

Dhabaleshwar Das

More Details >

Education Zone <= 1.3.4 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37103

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Education Zone

Researcher

Dhabaleshwar Das

More Details >

Envira Photo Gallery <= 1.8.7.3 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37095

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Gallery Plugin for WordPress – Envira Photo Gallery

Researcher

Abdi Pranata

More Details >

Falang multilanguage <= 1.3.51 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37240

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Falang multilanguage for WordPress

Researcher

Dhabaleshwar Das

More Details >

FS Poster <= 6.5.8 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37237

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
FS Poster - WordPress Social media Auto Poster & Scheduler [Facebook, Instagram, Twitter, Pinterest]

Researcher

Ananda Dhakal

More Details >

Groundhogg <= 3.4.2.3 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37235

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Researcher

Ananda Dhakal

More Details >

Hide Dashboard Notifications <= 1.3 - Missing Authorization to Authenticated(Contributor+) Plugin Settings Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-1955

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Hide Dashboard Notifications

Researcher

Francesco Carlucci

More Details >

Hueman <= 3.7.24 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35772

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Hueman

Researcher

Dhabaleshwar Das

More Details >

Kanban Boards for WordPress <= 2.5.21 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37226

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Kanban Boards for WordPress

Researcher

LVT-tholv2k

More Details >

Laybuy Payment Extension for WooCommerce <= 5.3.9 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37203

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Laybuy Payment Extension for WooCommerce

Researcher

Abdi Pranata

More Details >

Loco Translate <= 2.6.9 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37236

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Loco Translate

Researcher

Nosa "apapedulimu" Shandy

More Details >

MasterStudy LMS <= 3.2.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37093

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
MasterStudy LMS WordPress Plugin – for Online Courses and Education

Researcher

Majed Refaea

More Details >

Newsletters <= 4.9.7 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37227

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Newsletters

Researcher

Peng Zhou

More Details >

Newspack Newsletters <= 2.13.2 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37242

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
Newspack Newsletters

Researcher

Rafie Muhammad

More Details >

Page Builder Sandwich – Front-End Page Builder <= 5.1.0 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37218

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Page Builder Sandwich – Front End WordPress Page Builder Plugin

Researcher

Phill Sav (Savphill)

More Details >

Play.ht <= 3.6.4 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37233

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio

Researcher

Abdi Pranata

More Details >

Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer <= 1.1.0 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3602

Patch Status
Unpatched

Published
Jun 19, 2024

Affected Software
Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer

Researcher

Lucio Sá

More Details >

Popup box <= 4.5.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37096

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Researcher

Abdi Pranata

More Details >

PropertyHive <= 2.0.9 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37204

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
PropertyHive

Researcher

CatFather

More Details >

Replace Image <= 1.1.10 - Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4873

Patch Status
Unpatched

Published
Jun 18, 2024

Affected Software
Replace Image

Researcher

Jin Hao Chan

More Details >

Smush – Lazy Load Images, Optimize & Compress Images <= 3.16.4 - Missing Authorization to Resmush List Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2023-3352

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN

Researchers

Truoc Phan

An Đặng

More Details >

SP Project & Document Manager <= 4.71 - Authenticated (Subscriber+) Directory Traversal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37224

Patch Status
Unpatched

Published
Jun 21, 2024

Affected Software
SP Project & Document Manager

Researcher

CatFather

More Details >

SULly <= 4.3.0 - Cross-Site Request Forgery to Plugin Reset

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5034

Patch Status
Patched

Published
Jun 22, 2024

Affected Software
SULly

Researcher

Bob Matyas

More Details >

Tickera <= 3.5.2.8 - Missing Authorization to Authenticated (Susbcriber+) Ticket Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5860

Patch Status
Patched

Published
Jun 17, 2024

Affected Software
Tickera – WordPress Event Ticketing

Researcher

Lucio Sá

More Details >

Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter <= 1.222.16 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37202

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter

Researcher

Abdi Pranata

More Details >

User Profile Picture <= 2.6.1 - Authenticated (Author+) Insecure Direct Object Reference to Profile Picture Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5639

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
User Profile Picture

Researcher

JoanClarke2

More Details >

User Rights Access Manager <= 1.1.2 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37209

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
User Rights Access Manager

Researcher

Majed Refaea

More Details >

Vilva <= 1.2.2 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37102

Patch Status
Patched

Published
Jun 20, 2024

Affected Software
Vilva

Researcher

Dhabaleshwar Das

More Details >

Vimeography: Vimeo Video Gallery WordPress Plugin <= 2.4.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35770

Patch Status
Patched

Published
Jun 18, 2024

Affected Software
Vimeography: Vimeo Video Gallery WordPress Plugin

Researcher

thiennv

More Details >

Woocommerce Customers Order History <= 5.2.2 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37201

Patch Status
Unpatched

Published
Jun 20, 2024

Affected Software
Woocommerce Customers Order History

Researcher

Abdi Pranata

More Details >

WP Job Manager - Resume Manager <= 2.1.0 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37241

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
WP Job Manager - Resume Manager

Researcher

Rafie Muhammad

More Details >

WPAdverts – Classifieds Plugin <= 2.1.2 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37238

Patch Status
Patched

Published
Jun 21, 2024

Affected Software
WPAdverts – Classifieds Plugin

Researcher

Majed Refaea

More Details >