Wordfence Intelligence Weekly WordPress Vulnerability Report (June 3, 2024 to June 9, 2024)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. For a limited time, all high risk issues are in-scope for all researchers! 

Last week, there were 240 vulnerabilities disclosed in 204 WordPress Plugins and 10 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 16,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
stealthcopter	25
Lucio Sá	16
LVT-tholv2k	14
wesley (wcraft)	12
Bob Matyas	12
Ngô Thiên An (ancorn_)	10
Francesco Carlucci	10
Krzysztof Zając	8
Phill Sav (Savphill)	7
Majed Refaea	7
Steven Julian	6
Rafie Muhammad	6
1337_Wannabe	5
Dmitrii Ignatyev	5
Dave Jong	5
YC_Infosec	5
Mika	4
Webbernaut	4
CatFather	3
Foxyyy	3
Manab Jyoti Dowarah	3
Tobias Weißhaar (kun_19)	3
Abdi Pranata	3
Vuln Seeker Cybersecurity Team	3
Benedictus Jovan (aillesiM)	3
Felipe Caon	3
Le Ngoc Anh	3
Peter Thaleikis	3
István Márton	3
Joshua Chan	2
Thanh Nam Tran	2
Cronus	2
Ananda Dhakal	2
shaman0x01	2
João G. Barbosa (4rCanJ0x!)	2
Dimas Maulana	2
blackmoon	2
Ankit Patel	2
Khalid	2
Krugov Artyom	1
Peng Zhou	1
Artem Polynko (Artem Polynko)	1
Dau Hoang Tai	1
alien8	1
M.Awad	1
SouzaZinn	1
haidv35	1
Duc Manh	1
Scott Kingsley Clark	1
Truoc Phan	1
Arkadiusz Hydzik	1
beluga	1
STEALIEN	1
Rayhan Ramdhany Hanaputra	1
emad	1
JoanClarke2	1
Pedro José Navas Pérez	1
William Bastos	1
RandomRoot	1
Dhabaleshwar Das	1
Van Lyubov	1
Trương Hữu Phúc (truonghuuphuc)	1
Rafshanzani Suhada	1
Roshan Cheriyan	1
Do Truong Giang	1
Vincent Bao	1
Richard Telleng (stueotue)	1
thiennv	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

BuddyPress Cover <= 2.1.4.2 - Unauthenticated Arbitrary File Upload

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-35746

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
BuddyPress Cover

Researcher

YC_Infosec

More Details >

Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress <= 1.7.2 - Authenticated (Author+) SQL Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-35678

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress

Researcher

Do Truong Giang

More Details >

Gallery – Image and Video Gallery with Thumbnails <= 2.0.3 - Authenticated (Contributor+) SQL Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-35750

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
Gallery – Image and Video Gallery with Thumbnails

Researcher

LVT-tholv2k

More Details >

Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress <= 9.0.1 - Authenticated (Contributor+) SQL Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-3592

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Researcher

Lucio Sá

More Details >

Visualizer <= 3.11.1 - Authenticated (Subscriber+) SQL Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-35736

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Visualizer: Tables and Charts Manager for WordPress

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Checkout Field Editor for WooCommerce (Pro) <= 3.6.2 - Unauthenticated Arbitrary File Deletion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-35658

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Checkout Field Editor for WooCommerce (Pro)

Researcher

Dave Jong

More Details >

Email Subscribers by Icegram Express <= 5.7.20 - Unauthenticated SQL Injection via hash

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4295

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Researcher

1337_Wannabe

More Details >

MegaMenu <= 2.3.12 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-35677

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
MegaMenu

Researcher

Rafie Muhammad

More Details >

Social Login Lite For WooCommerce <= 1.6.0 - Authentication Bypass

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4552

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
Social Login Lite For WooCommerce

Researcher

István Márton

More Details >

Startklar Elementor Addons <= 1.7.15 - Unauthenticated Path Traversal to Arbitrary Directory Deletion

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2024-5153

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
Startklar Elementor Addons

Researcher

stealthcopter

More Details >

Cowidgets – Elementor Addons <= 1.1.2 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5179

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Cowidgets – Elementor Addons

Researcher

stealthcopter

More Details >

LifterLMS – WordPress LMS Plugin for eLearning <= 7.6.2 - Authenticated (Contributor+) SQL Injection via Shortcode

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-4743

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Researcher

Peter Thaleikis

More Details >

PowerPack Pro for Elementor <= 2.10.17 - Authenticated (Contributor+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-3668

Patch Status
Patched

Published
Jun 7, 2024

Affected Software
PowerPack Pro for Elementor

Researcher

Ankit Patel

More Details >

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.109 - Authenticated (Contributor+) Blind SQL Injection via data[addonID] Parameter

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5329

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Researcher

shaman0x01

More Details >

XootiX Framework <= Various Plugin Versions - Missing Authorization to Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5324

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Login/Signup Popup ( Inline Form + Woocommerce )
Side Cart Woocommerce | Woocommerce Cart
OTP Login Woocommerce (Login with OTP)
Waitlist Woocommerce ( Back in stock notifier )

Researcher

1337_Wannabe

More Details >

The Moneytizer <= 9.6.3 - Cross-Site Request Forgery via multiple AJAX actions

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2023-6968

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
The Moneytizer

Researcher

Francesco Carlucci

More Details >

The Moneytizer <= 9.6.3 - Missing Authorization via multiple AJAX actions

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2023-6966

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
The Moneytizer

Researcher

Francesco Carlucci

More Details >

FileOrganizer <= 1.0.7 - Sensitive Information Exposure via Directory Listing

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-5599

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
FileOrganizer – Manage WordPress and Website Files

Researcher

emad

More Details >

Market Exporter <= 2.0.19 - Missing Authorization to Arbitrary File Deletion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-5637

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Market Exporter

Researcher

Lucio Sá

More Details >

Qi Addons For Elementor <= 1.7.2 - Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-4887

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Qi Addons For Elementor

Researcher

haidv35

More Details >

Strategery Migrations <= 1.0 - Unauthenticated Arbitrary File Deletion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-35745

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
Strategery Migrations

Researcher

YC_Infosec

More Details >

WP-DB-Table-Editor <= 1.8.4 - Missing Authorization to Authenticated(Contributor+) Database Access

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-2019

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
WP-DB-Table-Editor

Researcher

Francesco Carlucci

More Details >

Brizy – Page Builder <= 2.4.43 - Authenticated (Contributor+) Store Cross-Site Scripting via Widget Link To URL

7.4

CVSS Rating
High (7.4)

CVE-ID
CVE-2024-3667

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Brizy – Page Builder

Researcher

Webbernaut

More Details >

SKT Addons for Elementor <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Age Gate and Creative Slider Widgets

7.4

CVSS Rating
High (7.4)

CVE-ID
CVE-2024-5091

Patch Status
Patched

Published
Jun 7, 2024

Affected Software
SKT Addons for Elementor

Researcher

stealthcopter

More Details >

Brizy – Page Builder <= 2.4.43 - Unauthenticated Stored Cross-Site Scripting via Form

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-2087

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Brizy – Page Builder

Researcher

wesley (wcraft)

More Details >

Frontend Registration – Contact Form 7 <= 5.1 - Authenticated (Editor+) Privilege Escalation

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-4870

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
Frontend Registration – Contact Form 7

Researcher

István Márton

More Details >

Heateor Social Login WordPress <= 1.1.32 - Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-35706

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Heateor Social Login WordPress

Researcher

LVT-tholv2k

More Details >

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.1 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Navigation Menu Widget

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-5542

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Researcher

Webbernaut

More Details >

Mime Types Extended <= 0.11 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-4759

Patch Status
Unpatched

Published
Jun 4, 2024

Affected Software
Mime Types Extended

Researcher

Bob Matyas

More Details >

Social Link Pages: link-in-bio landing pages for your social media profiles <= 1.6.9 - Missing Authorization to Arbitrary Page Creation and Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-3555

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
Social Link Pages: link-in-bio landing pages for your social media profiles

Researcher

Lucio Sá

More Details >

Tutor LMS – eLearning and online course solution <= 2.7.1 -Authenticated (Administrator+) SQL Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-4902

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Tutor LMS – eLearning and online course solution

Researcher

wesley (wcraft)

More Details >

WP Time Slots Booking Form <= 1.2.10 - Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-35734

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
WP Time Slots Booking Form

Researcher

Manab Jyoti Dowarah

More Details >

Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.23 - Authenticated (Contributor+) Path Traversal via esc_dir Function

6.8

CVSS Rating
Medium (6.8)

CVE-ID
CVE-2024-5481

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Researcher

Tobias Weißhaar (kun_19)

More Details >

MelaPress Login Security <= 1.3.0 - Authenticated (Admin+) Remote File Inclusion

6.6

CVSS Rating
Medium (6.6)

CVE-ID
CVE-2024-35650

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
MelaPress Login Security

Researcher

YC_Infosec

More Details >

Album and Image Gallery plus Lightbox <= 2.0 - Unauthenticated Arbitrary Shortcode Execution

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-4194

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Album and Image Gallery plus Lightbox

Researcher

stealthcopter

More Details >

BuddyForms <= 2.8.9 - Email Verification Bypass due to Insufficient Randomness

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-5149

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Researcher

István Márton

More Details >

CF7 Google Sheets Connector <= 5.0.9 - Missing Authorization to Limited Site Configuration Update

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-5654

Patch Status
Patched

Published
Jun 7, 2024

Affected Software
CF7 Google Sheets Connector

Researcher

1337_Wannabe

More Details >

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.1 - Missing Authorization to MA Template Creation or Modification

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-5382

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Researcher

Webbernaut

More Details >

Ovic Importer <= 1.6.3 - Authenticated (Subscriber+) Arbitrary File Download

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-35754

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
Ovic Importer

Researcher

Majed Refaea

More Details >

Advanced Woo Labels – Product Labels for WooCommerce <= 1.93 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35675

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Advanced Woo Labels – Product Labels for WooCommerce

Researcher

Phill Sav (Savphill)

More Details >

Block for Font Awesome <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35705

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Block for Font Awesome

Researcher

Ngô Thiên An (ancorn_)

More Details >

BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35704

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library

Researcher

Ngô Thiên An (ancorn_)

More Details >

Blocksy <= 2.0.50 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5439

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Blocksy

Researcher

Ngô Thiên An (ancorn_)

More Details >

Bloglo <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35715

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Bloglo

Researcher

stealthcopter

More Details >

Boostify Header Footer Builder for Elementor <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via size Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5006

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Boostify Header Footer Builder for Elementor

Researcher

stealthcopter

More Details >

Brizy – Page Builder <= 2.4.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-1161

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Brizy – Page Builder

Researcher

wesley (wcraft)

More Details >

Brizy – Page Builder <= 2.4.43 - Authenticated(Contributor+) Stored Cross-Site Scripting via Form Functionality

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-1164

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Brizy – Page Builder

Researcher

RandomRoot

More Details >

Cards for Beaver Builder <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Cards Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5663

Patch Status
Patched

Published
Jun 7, 2024

Affected Software
Cards for Beaver Builder

Researcher

Francesco Carlucci

More Details >

Clever Addons for Elementor <= 2.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple CAFE Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2350

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Clever Addons for Elementor

Researcher

Francesco Carlucci

More Details >

Clever Fox <= 25.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-1768

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Clever Fox

Researchers

Ngô Thiên An (ancorn_)

Dau Hoang Tai

More Details >

Colibri Page Builder <= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_video_player Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4451

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Colibri Page Builder

Researcher

Ngô Thiên An (ancorn_)

More Details >

Colibri Page Builder <= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5038

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Colibri Page Builder

Researcher

Ngô Thiên An (ancorn_)

More Details >

Comments – wpDiscuz <= 7.6.18 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35681

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Comments – wpDiscuz

Researcher

LVT-tholv2k

More Details >

Cowidgets – Elementor Addons <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via heading_tag Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4697

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Cowidgets – Elementor Addons

Researcher

stealthcopter

More Details >

Download Attachments <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3230

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Download Attachments

Researcher

Krzysztof Zając

More Details >

Download Manager <= 3.2.93 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm_modal_login_form Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4001

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Download Manager

Researcher

Thanh Nam Tran

More Details >

Easy Social Like Box – Popup – Sidebar Widget <= 4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5224

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Easy Social Like Box – Popup – Sidebar Widget

Researcher

Krzysztof Zając

More Details >

ElementsReady Addons for Elementor <= 6.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5152

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
ElementsReady Addons for Elementor

Researcher

stealthcopter

More Details >

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5571

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor

Researcher

wesley (wcraft)

More Details >

Envo Extra <= 1.8.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5645

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Envo Extra

Researcher

wesley (wcraft)

More Details >

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.8.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lightbox and Modal Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5612

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Essential Addons for Elementor Pro

Researcher

wesley (wcraft)

More Details >

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.22 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5188

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders

Researcher

Ngô Thiên An (ancorn_)

More Details >

Essential Real Estate <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4273

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Essential Real Estate

Researcher

Krzysztof Zając

More Details >

GamiPress – Link <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5536

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
GamiPress – Link

Researcher

Francesco Carlucci

More Details >

H5P <= 1.15.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3111

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Interactive Content – H5P

Researcher

Dmitrii Ignatyev

More Details >

Heateor Social Login WordPress <= 1.1.32 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35707

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Heateor Social Login WordPress

Researcher

LVT-tholv2k

More Details >

HT Feed <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35699

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
HT Feed

Researcher

LVT-tholv2k

More Details >

Idyllic <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35714

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Idyllic

Researcher

stealthcopter

More Details >

Image Hover Effects for Elementor with Lightbox and Flipbox <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via _id, oxi_addons_f_title_tag, and content_description_tag Parameters

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5001

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
Image Hover Effects for Elementor with Lightbox and Flipbox

Researcher

stealthcopter

More Details >

Kognetiks Chatbot for WordPress <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35738

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Kognetiks Chatbot for WordPress

Researcher

LVT-tholv2k

More Details >

Magical Addons For Elementor <= 1.1.39 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5161

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Researcher

stealthcopter

More Details >

Materialis Companion <= 1.3.41 - Authenticated (Contributor+) Store Cross-Site Scripting via materialis_contact_form Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4707

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Materialis Companion

Researcher

stealthcopter

More Details >

MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution <= 4.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via hover_animation Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5259

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Researcher

stealthcopter

More Details >

Newsletter <= 8.3.4 - Unauthenticated Stored Cross-Site Scripting via np1

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5317

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Newsletter – Send awesome emails from WordPress

Researcher

Arkadiusz Hydzik

More Details >

One Page Express Companion <= 1.6.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via one_page_express_contact_form Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4703

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
One Page Express Companion

Researcher

stealthcopter

More Details >

Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via Zipped SVG

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5426

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Researcher

Tobias Weißhaar (kun_19)

More Details >

Pixgraphy <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35740

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Pixgraphy

Researcher

stealthcopter

More Details >

Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel - Combo Blocks <= 2.2.80 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4042

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Post Grid and Gutenberg Blocks – ComboBlocks

Researcher

stealthcopter

More Details >

Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks <= 2.2.80 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-1988

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Post Grid and Gutenberg Blocks – ComboBlocks

Researcher

Ngô Thiên An (ancorn_)

More Details >

Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) <= 3.14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pacific Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5640

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)

Researcher

wesley (wcraft)

More Details >

ProfilePro <= 1.3 - Authenticated (Subscriber+) Stored Cross Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-6668

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
ProfilePro

Researcher

Vuln Seeker Cybersecurity Team

More Details >

PropertyHive <= 2.0.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35701

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
PropertyHive

Researcher

CatFather

More Details >

PVN Auth Popup <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-6718

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
PVN Auth Popup

Researcher

Bob Matyas

More Details >

Qi Addons For Elementor <= 1.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4364

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Qi Addons For Elementor

Researcher

wesley (wcraft)

More Details >

Qi Blocks <= 1.2.9 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5221

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Qi Blocks

Researcher

wesley (wcraft)

More Details >

Recurring PayPal Donations <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35676

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Recurring PayPal Donations

Researcher

LVT-tholv2k

More Details >

Responsive <= 5.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35654

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Responsive

Researcher

stealthcopter

More Details >

Responsive Addons – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme. <= 3.0.5 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5222

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.

Researcher

wesley (wcraft)

More Details >

RestroPress – Online Food Ordering System <= 3.1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35719

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
RestroPress – Online Food Ordering System

Researcher

LVT-tholv2k

More Details >

Rife Free <= 2.4.19 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35708

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Rife Free

Researcher

stealthcopter

More Details >

Rotating Tweets (Twitter widget and shortcode) <= 1.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5141

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
Rotating Tweets (Twitter widget and shortcode)

Researcher

Krzysztof Zając

More Details >

Royal Elementor Addons and Templates <= 1.3.976 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Uploads

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4489

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Royal Elementor Addons and Templates

Researcher

wesley (wcraft)

More Details >

Royal Elementor Addons and Templates <= 1.3.976 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4488

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Royal Elementor Addons and Templates

Researcher

Ngô Thiên An (ancorn_)

More Details >

Save as PDF Plugin by Pdfcrowd <= 3.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35649

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Save as PDF Plugin by Pdfcrowd

Researcher

LVT-tholv2k

More Details >

SellKit – Funnel builder and checkout optimizer for WooCommerce to sell more, faster <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4608

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
SellKit – Funnel builder and checkout optimizer for WooCommerce to sell more, faster

Researcher

stealthcopter

More Details >

Sensei Pro (WC Paid Courses) <= 4.23.1.1.23.1 - Authenticated (Student+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34765

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
woothemes-sensei

Researcher

Rafie Muhammad

More Details >

SEOPress <= 7.7.2 - Authenticated (Contributor+) Open Redirect

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4900

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
SEOPress – On-site SEO

Researcher

Dmitrii Ignatyev

More Details >

SEOPress <= 7.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4899

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
SEOPress – On-site SEO

Researcher

Dmitrii Ignatyev

More Details >

Simple Image Popup Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5342

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
Simple Image Popup Shortcode

Researcher

Francesco Carlucci

More Details >

Slider Revolution <= 6.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Elementor wrapperid and zindex

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4637

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Slider Revolution

Researcher

stealthcopter

More Details >

Slider Revolution <= 6.7.11 - Authenticated (Author+) Stored Cross-Site Scripting via Add Layer class, id, and title Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4581

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Slider Revolution

Researcher

wesley (wcraft)

More Details >

Spotify Play Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5199

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
Spotify Play Button

Researcher

Bob Matyas

More Details >

SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! <= 1.0.46 - Authenticated (Contributor+) Stored Cross-Site Scripting via Trigger Link Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5485

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
SureTriggers: All-in-One WordPress Automation

Researcher

Krzysztof Zając

More Details >

TablePress – Tables in WordPress made easy <= 2.3 - Authenticated (Author+) Server-Side Request Forgery via DNS Rebind

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4354

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
TablePress – Tables in WordPress made easy

Researcher

Tobias Weißhaar (kun_19)

More Details >

tagDiv Composer <= 4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via button Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3888

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
tagDiv Composer

Researcher

Truoc Phan

More Details >

TemplatesNext OnePager <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35753

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
TemplatesNext OnePager

Researcher

LVT-tholv2k

More Details >

Testimonials Widget <= 4.0.4 - Authenticated (Author+) Stored Cross-Site Scripting via testimonials Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4705

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
Testimonials Widget

Researcher

stealthcopter

More Details >

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35739

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Researcher

SouzaZinn

More Details >

Theme <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35711

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Event

Researcher

stealthcopter

More Details >

Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4212

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Themesflat Addons For Elementor

Researcher

stealthcopter

More Details >

Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via URLs

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4458

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Themesflat Addons For Elementor

Researcher

Ankit Patel

More Details >

Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Tags

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2922

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Themesflat Addons For Elementor

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Titles

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4459

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Themesflat Addons For Elementor

Researcher

Vincent Bao

More Details >

Weather Widget Pro <= 1.1.40 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35755

Patch Status
Patched

Published
Jun 7, 2024

Affected Software
Weather Widget Pro

Researcher

LVT-tholv2k

More Details >

Weaver Xtreme Theme Support <= 6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via div Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4939

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Weaver Xtreme Theme Support

Researcher

Peter Thaleikis

More Details >

WebP & SVG Support <= 1.4.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3633

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
WebP & SVG Support

Researchers

Bob Matyas

Rayhan Ramdhany Hanaputra

More Details >

WordPress prettyPhoto <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5162

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
WordPress prettyPhoto

Researcher

stealthcopter

More Details >

WP Docs <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35695

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
WP Docs

Researcher

LVT-tholv2k

More Details >

WP jQuery Lightbox <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5425

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
LightPress Lightbox

Researcher

Webbernaut

More Details >

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_lightbox Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4821

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
WP Shortcodes Plugin — Shortcodes Ultimate

Researcher

Richard Telleng (stueotue)

More Details >

Minimal Coming Soon – Coming Soon Page <= 2.38 - Missing Authorization to Limited Settings Change

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2024-5087

Patch Status
Patched

Published
Jun 7, 2024

Affected Software
Minimal Coming Soon – Coming Soon Page

Researcher

Foxyyy

More Details >

12 Step Meeting List <= 3.14.33 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35693

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
12 Step Meeting List

Researcher

alien8

More Details >

Active Products Tables for WooCommerce. Use constructor to create tables <= 1.0.6.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35730

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Active Products Tables for WooCommerce. Use constructor to create tables 

Researcher

Le Ngoc Anh

More Details >

Animated AL List <= 1.0.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5728

Patch Status
Unpatched

Published
Jun 7, 2024

Affected Software
Animated AL List

Researcher

Bob Matyas

More Details >

Auto Coupons for WooCommerce <= 3.0.14 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35733

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Auto Coupons for WooCommerce

Researcher

Le Ngoc Anh

More Details >

Contact Form 7 <= 5.9.4 - Unauthenticated Open Redirect

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-4704

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Contact Form 7

Researcher

William Bastos

More Details >

EasyAzon – Amazon Associates Affiliate Plugin <= 5.1.0 - Reflected Cross-Site Scripting via easyazon-cloaking-locale

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2023-6956

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
EasyAzon – Amazon Associates Affiliate Plugin

Researcher

Krzysztof Zając

More Details >

Eduma <= 5.4.7 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35697

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Eduma

Researcher

Rafie Muhammad

More Details >

Event Tickets with Ticket Scanner <= 2.3.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35652

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Event Tickets with Ticket Scanner

Researcher

Le Ngoc Anh

More Details >

Formula <= 0.5.1 - Reflected Cross-Site Scripting via quality_customizer_notify_dismiss_action

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5613

Patch Status
Patched

Published
Jun 7, 2024

Affected Software
Formula

Researcher

blackmoon

More Details >

Formula <= 0.5.1 - Reflected Cross-Site Scripting via ti_customizer_notify_dismiss_recommended_plugins

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5638

Patch Status
Patched

Published
Jun 7, 2024

Affected Software
Formula

Researcher

blackmoon

More Details >

GiveWP – Donation Plugin and Fundraising Platform <= 3.12.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35679

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
GiveWP – Donation Plugin and Fundraising Platform

Researcher

Dimas Maulana

More Details >

GP Premium <= 2.4.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-3469

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
GP Premium

Researchers

1337_Wannabe

M.Awad

More Details >

Link Library <= 7.6.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35687

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Link Library

Researcher

Dimas Maulana

More Details >

Logo Manager For Enamad <= 0.7.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-4757

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Logo Manager For Enamad

Researcher

Bob Matyas

More Details >

MapFig Studio <= 0.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-6712

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
MapFig Studio

Researcher

Vuln Seeker Cybersecurity Team

More Details >

Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.77 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35668

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)

Researcher

Rafie Muhammad

More Details >

Newsletters <= 4.9.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35718

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Newsletters

Researcher

beluga

More Details >

Pagerank Tools <= 1.1.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5730

Patch Status
Unpatched

Published
Jun 7, 2024

Affected Software
Pagerank tools

Researcher

Bob Matyas

More Details >

Simple AL Slider <= 1.2.10 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5729

Patch Status
Unpatched

Published
Jun 7, 2024

Affected Software
Simple AL Slider

Researcher

Bob Matyas

More Details >

Widget4Call <= 1.0.7 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5727

Patch Status
Unpatched

Published
Jun 7, 2024

Affected Software
Widget4Call

Researcher

Bob Matyas

More Details >

WP Docs <= 2.1.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35696

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
WP Docs

Researcher

LVT-tholv2k

More Details >

WP Visitors Tracker <= 2.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35737

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
WP Visitors Tracker

Researcher

Dave Jong

More Details >

WPMobile.App — Android and iOS Mobile Application <= 11.41 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35694

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
WPMobile.App — Android and iOS Mobile Application

Researcher

CatFather

More Details >

Bosa Elementor Addons and Templates for WooCommerce <= 1.0.12 - Missing Authorization

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-35724

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Bosa Elementor Addons and Templates for WooCommerce

Researcher

Abdi Pranata

More Details >

Clever Fox – One Click Website Importer by Nayra Themes <= 25.2.0 - Missing Authorization to arbitrary theme activation via clever-fox-activate-theme

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2023-6876

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Clever Fox

Researcher

Lucio Sá

More Details >

Countdown, Coming Soon, Maintenance – Countdown & Clock <= 2.7.8 - Missing Authorization to Authenticated (Subscriber+) PHP Object Injection

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-2017

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Countdown, Coming Soon, Maintenance – Countdown & Clock

Researcher

Lucio Sá

More Details >

Debug Log Manager <= 2.3.1 - Missing Authorization

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-35669

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Debug Log Manager

Researcher

Majed Refaea

More Details >

GDPR CCPA Compliance & Cookie Consent Banner <= 2.7.0 - Missing Authorization to Settings Update and Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-5607

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
GDPR CCPA Compliance & Cookie Consent Banner

Researcher

Lucio Sá

More Details >

Kenta Blocks – Responsive Blocks and block templates library <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-35731

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Kenta Blocks – Responsive Blocks and block templates library

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

Pure Chat – Live Chat Plugin & More! <= 2.22 - Cross-Site Request Forgery

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-35673

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Pure Chat – Live Chat & More!

Researcher

Majed Refaea

More Details >

WP Mobile Menu – The Mobile-Friendly Responsive Menu <= 2.8.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Alt

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-3987

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
WP Mobile Menu – The Mobile-Friendly Responsive Menu

Researcher

stealthcopter

More Details >

Authorize.net Payment Gateway For WooCommerce <= 8.0 - Insufficient Verification of Data Authenticity to Unauthenticated Payment Bypass

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-2382

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
Authorize.net Payment Gateway For WooCommerce

Researcher

Lucio Sá

More Details >

Bookster – WordPress Appointment Booking Plugin <= 1.1.0 - Unauthenticated Appointment Manipulation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-5071

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Bookster – WordPress Appointment Booking Plugin

Researcher

Roshan Cheriyan

More Details >

BuddyPress Members Only <= 3.4.8 - Improper Access Control to Sensitive Information Exposure via REST API

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-0972

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
BuddyPress Members Only

Researcher

Francesco Carlucci

More Details >

Claudio Sanches – Checkout Cielo for WooCommerce <= 1.1.0 - Insufficient Verification of Data Authenticity to Order Payment Status Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-1718

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
Claudio Sanches – Checkout Cielo for WooCommerce

Researcher

Lucio Sá

More Details >

Contact Form Builder, Contact Widget <= 2.1.7 - Authentication Request Bypass

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35747

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
Contact Form Builder, Contact Widget

Researcher

Joshua Chan

More Details >

Easy Forms for Mailchimp <= 6.9.0 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35742

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
Easy Forms for Mailchimp

Researcher

Ngô Thiên An (ancorn_)

More Details >

GDPR/CCPA Cookie Consent Banner <= 3.2 - Missing Authorization via handle_consent_toggle()

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35692

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Termly – GDPR/CCPA Cookie Consent Banner

Researcher

Mika

More Details >

Insert Post Ads <= 1.3.2 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35665

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
Insert Post Ads

Researcher

Mika

More Details >

Integrate Google Drive <= 1.3.93 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35670

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files into Your WordPress Site

Researcher

Steven Julian

More Details >

LA-Studio Element Kit for Elementor <= 1.3.6 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35725

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
LA-Studio Element Kit for Elementor

Researcher

Dhabaleshwar Das

More Details >

LearnPress – WordPress LMS Plugin <= 4.2.6.8 - Basic Information Disclosure via JSON API

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-5483

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
LearnPress – WordPress LMS Plugin

Researcher

shaman0x01

More Details >

Leyka <= 3.31.1 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35683

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Leyka

Researcher

Mika

More Details >

Master Addons for Elementor <= 2.0.5.4.1 - Missing Authorization via get_jltma_save_menuitem_settings()

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35660

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Researcher

Khalid

More Details >

Open Graph <= 1.11.2 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-5615

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Open Graph

Researcher

Krzysztof Zając

More Details >

Podlove Web Player <= 5.7.3 - Missing Authorization to Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35710

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Podlove Web Player

Researcher

Peng Zhou

More Details >

PPOM for WooCommerce <= 32.0.20 - Unauthenticated Content Injection Vulnerability

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35728

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
PPOM – Product Addons & Custom Fields for WooCommerce

Researcher

Phill Sav (Savphill)

More Details >

Radcliffe 2 <= 2.0.17 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35685

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Radcliffe 2

Researcher

Rafie Muhammad

More Details >

Restrict for Elementor <= 1.0.7 - Protection Mechanism Bypass

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-0910

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Restrict for Elementor

Researcher

Francesco Carlucci

More Details >

Sensei LMS <= 4.23.1 & Sensei Pro (WC Paid Courses) <= 4.24.0.1.24.0 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35686

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Sensei LMS – Online Courses, Quizzes, & Learning
woothemes-sensei

Researcher

Rafie Muhammad

More Details >

Under Construction / Maintenance Mode from Acurax <= 2.6 - Unauthenticated IP Spoofing

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35749

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
Under Construction / Maintenance Mode from Acurax

Researcher

Mika

More Details >

Upload Fields for WPForms <= 1.0.2 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35661

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
Upload Fields for WPForms – Drag and Drop Multiple File Upload, Image Upload, and Google Drive Upload for WPForms

Researcher

Majed Refaea

More Details >

WooCommerce Dropshipping <= 5.0.4 - Missing Authorization to Unauthenticated Arbitrary Email Send

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35748

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
WooCommerce Dropshipping Premium

Researcher

Dave Jong

More Details >

WP EasyCart <= 5.5.19 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35667

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Shopping Cart & eCommerce Store

Researcher

Joshua Chan

More Details >

WP Time Slots Booking Form <= 1.2.11 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35735

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
WP Time Slots Booking Form

Researcher

Manab Jyoti Dowarah

More Details >

WP Translate <= 5.3.0 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35663

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
WP Translate – WordPress Translation Plugin

Researcher

Majed Refaea

More Details >

WP-Recall – Registration, Profile, Commerce & More <= 16.26.6 - Unauthenticated Payment Deletion via delete_payment

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-1175

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
WP-Recall – Registration, Profile, Commerce & More

Researcher

Francesco Carlucci

More Details >

WPUpper Share Buttons <= 3.43 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-4997

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
WPUpper Share Buttons

Researcher

Krzysztof Zając

More Details >

YITH WooCommerce Product Add-Ons <= 4.9.2 - Unauthenticated Content Injection

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35680

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
YITH WooCommerce Product Add-Ons

Researcher

Phill Sav (Savphill)

More Details >

Database Cleaner <= 1.0.5 - Authenticated (Admin+) Arbitrary File Read

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-35712

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Database Cleaner

Researcher

Ananda Dhakal

More Details >

SC filechecker <= 0.6 - Authenticated (Admin+) Arbitrary File Deletion

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-35743

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
SC filechecker

Researcher

YC_Infosec

More Details >

Upunzipper <= 1.0.0 - Authenticated (Admin+) Arbitrary File Deletion

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-35744

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
Upunzipper

Researcher

YC_Infosec

More Details >

WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection

4.7

CVSS Rating
Medium (4.7)

CVE-ID
CVE-2023-5424

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
WS Form LITE – Drag & Drop Contact Form Builder for WordPress
WS Form Pro

Researcher

Duc Manh

More Details >

Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content <= 0.6.9 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-35655

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content

Researcher

Phill Sav (Savphill)

More Details >

Custom Dash <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-4942

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
Custom Dash

Researcher

Artem Polynko (Artem Polynko)

More Details >

Easy Table of Contents <= 2.0.65 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5573

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Easy Table of Contents

Researcher

Dmitrii Ignatyev

More Details >

Fluid Notification Bar <= 3.2.3 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-3031

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
Fluid Notification Bar

Researcher

Benedictus Jovan (aillesiM)

More Details >

Frontend Checklist <= 2.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-4957

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
Frontend Checklist

Researcher

Felipe Caon

More Details >

Frontend Checklist <= 2.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Items

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-4959

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
Frontend Checklist

Researcher

Bob Matyas

More Details >

Nafeza Prayer Time <= 1.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-4462

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
Nafeza Prayer Time

Researcher

Benedictus Jovan (aillesiM)

More Details >

PVN Auth Popup <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-6713

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
PVN Auth Popup

Researcher

Vuln Seeker Cybersecurity Team

More Details >

Simple Photoswipe <= 0.1 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5473

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
Simple Photoswipe

Researcher

Felipe Caon

More Details >

Stellissimo Text Box <= 1.1.4 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-35752

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
Stellissimo Text Box

Researcher

Cronus

More Details >

Tooltip CK <= 2.2.15 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-35756

Patch Status
Unpatched

Published
Jun 7, 2024

Affected Software
Tooltip CK

Researcher

Cronus

More Details >

Tracking Code Manager <= 2.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-6335

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Tracking Code Manager

Researcher

Dmitrii Ignatyev

More Details >

Video Widget <= 1.2.3 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-5169

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
Video Widget

Researcher

Bob Matyas

More Details >

Visual Composer Website Builder <= 45.8.0 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-35653

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Visual Composer Website Builder

Researcher

Phill Sav (Savphill)

More Details >

Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.4.10 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-35751

Patch Status
Unpatched

Published
Jun 6, 2024

Affected Software
Woody code snippets – Insert Header Footer Code, AdSense Ads

Researcher

Phill Sav (Savphill)

More Details >

WP Chat App <= 3.6.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-4664

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
WP Chat App

Researcher

Krugov Artyom

More Details >

YITH WooCommerce Tab Manager <= 1.35.0 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-35698

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
YITH WooCommerce Tab Manager

Researcher

Phill Sav (Savphill)

More Details >

Admin Notices Manager <= 1.4.0 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-1717

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Admin Notices Manager

Researcher

Lucio Sá

More Details >

Album Gallery – WordPress Gallery <= 1.5.7 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35720

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Album Gallery – WordPress Gallery

Researcher

Steven Julian

More Details >

Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) <= 5.2.3 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35689

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Researcher

Majed Refaea

More Details >

Boostify Header Footer Builder for Elementor <= 1.3.5 - Missing Authorization to Page/Post Creation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4788

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Boostify Header Footer Builder for Elementor

Researcher

Lucio Sá

More Details >

BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages <= 3.4.19 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35726

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages

Researcher

Abdi Pranata

More Details >

Copymatic – AI Content Writer & Generator <= 1.9 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35716

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Copymatic – AI Content Writer & Generator

Researcher

Majed Refaea

More Details >

Dashboard To-Do List <= 1.2.0 - Missing Authorization via ardtdw_widgetsetup()

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35723

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Dashboard To-Do List

Researcher

CatFather

More Details >

ElasticPress <= 5.1.0 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35684

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
ElasticPress

Researcher

Ananda Dhakal

More Details >

Emergency Password Reset <= 8.0 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35648

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Emergency Password Reset

Researcher

Pedro José Navas Pérez

More Details >

Essential Real Estate <= 4.4.2 - Insecure Direct Object Reference to Arbitrary Attachment Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4274

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
Essential Real Estate

Researcher

Lucio Sá

More Details >

Extra Product Options for WooCommerce <= 3.0.6 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35727

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Extra Product Options for WooCommerce

Researcher

Abdi Pranata

More Details >

Gutenberg Blocks and Page Layouts – Attire Blocks <= 1.9.2 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4088

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Gutenberg Blocks and Page Layouts – Attire Blocks

Researcher

Benedictus Jovan (aillesiM)

More Details >

Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery <= 1.4.5 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35721

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery

Researcher

Steven Julian

More Details >

Kadence Blocks Pro <= 2.3.7 - Authenticated (Contributor+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-1330

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Kadence Blocks Pro

Researcher

Scott Kingsley Clark

More Details >

KiviCare <= 3.6.4 - Authenticated (Patient+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35659

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
KiviCare – Clinic & Patient Management System (EHR)

Researcher

Van Lyubov

More Details >

Login/Signup Popup ( Inline Form + Woocommerce ) 2.7.1 - 2.7.2 - Missing Authorization to Arbitrary Options Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5665

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Login/Signup Popup ( Inline Form + Woocommerce )

Researcher

1337_Wannabe

More Details >

Media Slider – Photo Sleder, Video Slider, Link Slider, Carousal Slideshow <= 1.3.9 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35717

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Media Slider – Photo Slider, Video Slider, Link Slider, Carousal Slideshow

Researcher

Steven Julian

More Details >

MJ Update History <= 1.0.4 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35671

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
MJ Update History

Researcher

thiennv

More Details >

Mollie Forms <= 2.6.13 - Cross-Site Request Forgery to Arbitrary Post Duplication

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-2368

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Mollie Forms

Researcher

Lucio Sá

More Details >

Muslim Prayer Time BD <= 2.4 - Cross-Site Request Forgery to Settings Reset

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4758

Patch Status
Unpatched

Published
Jun 5, 2024

Affected Software
Muslim Prayer Time BD

Researcher

Bob Matyas

More Details >

Otter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 2.6.11 - Authenticated (Subscriber+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35682

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Otter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Researcher

Dave Jong

More Details >

ProfileGrid <= 5.8.6 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5453

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
ProfileGrid – User Profiles, Groups and Communities

Researcher

Lucio Sá

More Details >

Restaurant Menu and Food Ordering <= 2.4.16 - Missing Authorization to Menu Creation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5459

Patch Status
Patched

Published
Jun 4, 2024

Affected Software
Five Star Restaurant Menu and Food Ordering

Researcher

Lucio Sá

More Details >

Salon booking system <= 9.9 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4468

Patch Status
Patched

Published
Jun 7, 2024

Affected Software
Salon Booking System

Researcher

JoanClarke2

More Details >

Simple COD Fees for WooCommerce <= 2.0.2 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35662

Patch Status
Unpatched

Published
Jun 3, 2024

Affected Software
Simple COD Fees for WooCommerce

Researcher

LVT-tholv2k

More Details >

Simple Photoswipe <= 0.1 - Missing Authorization (Subscriber+) Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5570

Patch Status
Unpatched

Published
Jun 7, 2024

Affected Software
Simple Photoswipe

Researcher

Felipe Caon

More Details >

Slider Responsive Slideshow – Image slider, Gallery slideshow <= 1.4.0 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35722

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Slider Responsive Slideshow – Image slider, Gallery slideshow

Researcher

Steven Julian

More Details >

Strong Testimonials <= 3.1.12 - Authenticated(Contributor+) Improper Authorization to Views Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2023-6491

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Strong Testimonials

Researcher

Rafshanzani Suhada

More Details >

Tickera <= 3.5.2.6 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35729

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Tickera – WordPress Event Ticketing

Researcher

Manab Jyoti Dowarah

More Details >

Tutor LMS – eLearning and online course solution <= 2.7.1 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5438

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Tutor LMS – eLearning and online course solution

Researcher

Thanh Nam Tran

More Details >

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.109 - Authenticated (Contributor+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35674

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Researcher

Khalid

More Details >

Wbcom Designs - Custom Font Uploader <= 2.3.4 - Missing Authorization to Font Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5489

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
Wbcom Designs – Custom Font Uploader

Researcher

Lucio Sá

More Details >

Widget Options - Extended <= 5.1.0 & Widget Options <= 4.0.1 - Authenticated (Subscriber+) Information Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35691

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
Widget Options - Extended
Widget Options – The #1 WordPress Widget & Block Control Plugin

Researcher

Dave Jong

More Details >

WooCommerce Tools <= 1.2.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Module Deactivation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-1689

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
WooCommerce Tools

Researcher

Lucio Sá

More Details >

WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing <= 5.0.4 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5449

Patch Status
Patched

Published
Jun 5, 2024

Affected Software
WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing

Researcher

Peter Thaleikis

More Details >

WP Reset <= 2.02 - Missing Authorization to License Key Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4661

Patch Status
Patched

Published
Jun 7, 2024

Affected Software
WP Reset – Most Advanced WordPress Reset Tool

Researcher

Foxyyy

More Details >

WP-Recall <= 16.26.6 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35657

Patch Status
Patched

Published
Jun 3, 2024

Affected Software
WP-Recall – Registration, Profile, Commerce & More

Researcher

Steven Julian

More Details >

WP Force SSL & HTTPS SSL Redirect <= 1.66 - Missing Authorization to Settings Update

4.2

CVSS Rating
Medium (4.2)

CVE-ID
CVE-2024-5770

Patch Status
Patched

Published
Jun 7, 2024

Affected Software
WP Force SSL & HTTPS SSL Redirect

Researcher

Foxyyy

More Details >

YITH Custom Login <= 1.7.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.0

CVSS Rating
Medium (4.0)

CVE-ID
CVE-2024-35732

Patch Status
Patched

Published
Jun 6, 2024

Affected Software
YITH Custom Login

Researcher

STEALIEN

More Details >