Wordfence Intelligence Weekly WordPress Vulnerability Report (June 24, 2024 to June 30, 2024)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. For a limited time, all high risk issues are in-scope for all researchers! 

Last week, there were 121 vulnerabilities disclosed in 99 WordPress Plugins, 20 WordPress Themes, and WordPress Core that have been added to the Wordfence Intelligence Vulnerability Database, and there were 58 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 17,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• WordPress Core < 6.5.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via HTML API
• WAF-RULE-710 – data redacted while we work with the vendor on a patch.
• WAF-RULE-711 – data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Rafie Muhammad	16
Dhabaleshwar Das	12
wesley (wcraft)	8
Francesco Carlucci	5
Dave Jong	5
Webbernaut	5
Krzysztof Zając	5
Bob Matyas	5
stealthcopter	4
João Pedro Soares de Alcântara	4
Ngô Thiên An (ancorn_)	3
Lucio Sá	3
Michael	2
Dimas Maulana	2
piro	2
Steven Julian	2
Project Black	2
Le Ngoc Anh	2
LuxF0z	1
Bassem Essam	1
Fulan Engineering	1
Dale Mavers	1
RE-ALTER	1
Trương Hữu Phúc (truonghuuphuc)	1
Huynh Tien Si	1
João G. Barbosa (4rCanJ0x!)	1
MCboyIR	1
apple502j	1
Edouard L	1
David Fifield	1
x89	1
mishre	1
István Márton	1
vps1-	1
Kursat Cetin	1
Martin Herancourt	1
Majed Refaea	1
kauenavarro	1
Jean Tirstan T	1
CatFather	1
Djennez	1
emad	1
Ibnu Ubaeydillah	1
Manab Jyoti Dowarah	1
Arkadiusz Hydzik	1
beluga	1
Alex Concha	1
Dennis Snell	1
Grzegorz Ziółkowski	1
Aaron Jorbin	1
Yoshihito Kamata	1
filime	1
akas wisnu aji	1
ngductung	1
LVT-tholv2k	1
Ananda Dhakal	1
Phill Sav (Savphill)	1
Ulyses Saicha	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

PayPlus Payment Gateway <= 6.6.8 - Unauthenticated SQL Injection

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-6205

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
PayPlus Payment Gateway

Researcher

Project Black

More Details >

Several WordPress.org Plugins <= Various Versions - Injected Backdoor

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-6297

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
Social Sharing Plugin – Social Warfare
Contact Form 7 Multi-Step Addon
Simply Show Hooks
Wrapper Link Elementor
BLAZE Retail Widget
PowerPress Podcasting plugin by Blubrry
Ad Invalid Click Protector (AICP)
WP Server Health Stats
Seo Optimized Images
Twenty20 Image Before-After
and 3 more...

Researcher(s): Unknown

More Details >

Newspack Blocks <= 3.0.8 - Authenticated (Contributor+) Arbitrary File Upload

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-37424

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Newspack Blocks

Researcher

Rafie Muhammad

More Details >

Zita Elementor Site Library <= 1.6.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-37420

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Zita Elementor Site Library

Researcher

Majed Refaea

More Details >

Filter & Grids <= 2.8.32 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-6164

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Filter & Grids

Researcher

Project Black

More Details >

Quiz Maker <= 6.5.8.3 - Unauthenticated SQL Injection via 'ays_questions' Parameter

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-6028

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
Quiz Maker

Researcher

Arkadiusz Hydzik

More Details >

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress <= 1.2.10 - Unauthenticated SQL Injection via 'uwp_sort_by'

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-6265

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Auto Featured Image <= 1.2 - Authenticated (Contributor+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-6054

Patch Status
Unpatched

Published
Jun 26, 2024

Affected Software
Auto Featured Image

Researcher

István Márton

More Details >

Striking <= 2.3.4 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-37268

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Striking

Researcher

Rafie Muhammad

More Details >

WordPress Plugin for Google Maps – WP MAPS <= 4.6.1 - Authenticated (Contributor+) SQL Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-2386

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
WP Maps – Display Google Maps Perfectly with Ease

Researcher

Krzysztof Zając

More Details >

WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce <= 2.2.25 - Authenticated (Contributor+) File inclusion via Shortcode

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-5431

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce

Researcher

Krzysztof Zając

More Details >

Advanced File Manager <= 5.2.4 - Sensitive Information Exposure via Directory Listing

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-5598

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Advanced File Manager

Researcher

emad

More Details >

Foxiz <= 2.3.5 - Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-37260

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Foxiz

Researcher

Kursat Cetin

More Details >

PowerPack Lite for Beaver Builder <= 1.3.0.3 - Authenticated (Editor+) Local File Inclusion

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-37410

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
PowerPack Lite for Beaver Builder

Researcher

João Pedro Soares de Alcântara

More Details >

WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.2.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-4869

Patch Status
Patched

Published
Jun 25, 2024

Affected Software
Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy)

Researcher

Krzysztof Zając

More Details >

Newspack Blocks <= 3.0.8 - Authenticated (Contributor+) Arbitrary Directory Deletion

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-37423

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Newspack Blocks

Researcher

Rafie Muhammad

More Details >

Anima <= <=1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37248

Patch Status
Unpatched

Published
Jun 25, 2024

Affected Software
Anima

Researcher

stealthcopter

More Details >

Create by Mediavine <= 1.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Schema Meta Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5601

Patch Status
Patched

Published
Jun 26, 2024

Affected Software
Create by Mediavine

Researcher

Krzysztof Zając

More Details >

Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4569

Patch Status
Patched

Published
Jun 26, 2024

Affected Software
Elementor Addon Elements

Researcher

Ngô Thiên An (ancorn_)

More Details >

Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4570

Patch Status
Patched

Published
Jun 26, 2024

Affected Software
Elementor Addon Elements

Researcher

wesley (wcraft)

More Details >

Elementor Website Builder <= 3.22.1 - Authenticated (Contributor+) Arbitrary SVG Download

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37437

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Elementor Website Builder – More than Just a Page Builder

Researcher

stealthcopter

More Details >

Enter Addons <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37263

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Enter Addons – Ultimate Template Builder for Elementor

Researcher

vps1-

More Details >

Esteem <= 1.5.0 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37432

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Esteem

Researcher

Michael

More Details >

Exclusive Addons for Elementor <= 2.6.9.8 - Authenticated (Contibutor+) Stored Cross-Site Scripting via Card Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5332

Patch Status
Patched

Published
Jun 25, 2024

Affected Software
Exclusive Addons for Elementor

Researcher

wesley (wcraft)

More Details >

Extensions for Elementor <= 2.0.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5666

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Extensions for Elementor

Researcher

Francesco Carlucci

More Details >

Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells <= 3.3.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5192

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells

Researcher

wesley (wcraft)

More Details >

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via galleryID and className Parameters

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5424

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery

Researcher

Webbernaut

More Details >

Gallery Slideshow <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37246

Patch Status
Unpatched

Published
Jun 25, 2024

Affected Software
Gallery Slideshow

Researcher

Jean Tirstan T

More Details >

Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.2.42 - Authenticated (Contributor+) Stored Cross-Site Scripting in Google Maps Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5289

Patch Status
Patched

Published
Jun 26, 2024

Affected Software
Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Researcher

wesley (wcraft)

More Details >

Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.2.45 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5819

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Researcher

Webbernaut

More Details >

Happy Addons for Elementor <= 3.11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gradient Heading Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5790

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Happy Addons for Elementor

Researcher

wesley (wcraft)

More Details >

HT Mega – Absolute Addons For Elementor <= 2.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5215

Patch Status
Patched

Published
Jun 25, 2024

Affected Software
HT Mega – Absolute Addons For Elementor

Researcher

stealthcopter

More Details >

HT Mega – Absolute Addons For Elementor <= 2.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Player Widget Settings

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5173

Patch Status
Patched

Published
Jun 25, 2024

Affected Software
HT Mega – Absolute Addons For Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

Html5 Audio Player <= 2.2.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37445

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
HTML5 Audio Player- Audio Player Plugin

Researcher

LVT-tholv2k

More Details >

IdeaPush <= 8.60 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37265

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
IdeaPush

Researcher

piro

More Details >

Infinite <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via project_url Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5796

Patch Status
Unpatched

Published
Jun 27, 2024

Affected Software
Infinite

Researcher

Francesco Carlucci

More Details >

Portfolio Gallery – Image Gallery Plugin <= 1.6.4 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-6262

Patch Status
Patched

Published
Jun 26, 2024

Affected Software
Portfolio Gallery – Image Gallery Plugin

Researcher

Webbernaut

More Details >

Print My Blog <= 3.27.0 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37271

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Print My Blog – Print, PDF, & eBook Converter WordPress Plugin

Researcher

CatFather

More Details >

Progress Planner <= 0.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37422

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Progress Planner

Researcher

akas wisnu aji

More Details >

Scylla lite <= 1.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5922

Patch Status
Unpatched

Published
Jun 27, 2024

Affected Software
Scylla lite

Researcher

Francesco Carlucci

More Details >

Silesia <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5788

Patch Status
Unpatched

Published
Jun 27, 2024

Affected Software
Silesia

Researcher

Francesco Carlucci

More Details >

Stackable – Page Builder Gutenberg Blocks <= 3.13.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-6296

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Stackable – Page Builder Gutenberg Blocks

Researcher

Webbernaut

More Details >

Stock Ticker <= 3.24.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via stock_ticker Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-6363

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Stock Ticker

Researcher

Dale Mavers

More Details >

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.6.0- Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4983

Patch Status
Patched

Published
Jun 26, 2024

Affected Software
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Researcher

Ngô Thiên An (ancorn_)

More Details >

The7 — Website and eCommerce Builder for WordPress <= 11.13.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5451

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
The7 — Website and eCommerce Builder for WordPress

Researcher

wesley (wcraft)

More Details >

Theron Lite <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5925

Patch Status
Unpatched

Published
Jun 27, 2024

Affected Software
Theron Lite

Researcher

Francesco Carlucci

More Details >

Ultimate Post Kit Addons For Elementor – (Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker, Tag Cloud) <= 3.11.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Count (Static) Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5662

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Ultimate Post Kit Addons For Elementor – (Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker, Tag Cloud)

Researcher

wesley (wcraft)

More Details >

WidgetKit <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-37428

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
All-in-One Addons for Elementor – WidgetKit

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

WordPress Core < 6.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via HTML API

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-6307

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
WordPress

Researchers

Alex Concha

Dennis Snell

Grzegorz Ziółkowski

Aaron Jorbin

More Details >

WordPress Core < 6.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Template Part Block

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-31111

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
WordPress

Researcher

Rafie Muhammad

More Details >

All In One Redirection <= 2.2.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37245

Patch Status
Unpatched

Published
Jun 25, 2024

Affected Software
All In One Redirection

Researcher

Dimas Maulana

More Details >

Elementor Pro <= 3.21.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-35656

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Elementor Website Builder Pro

Researcher

Michael

More Details >

Events Manager <= 6.4.8 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-5889

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Events Manager – Calendar, Bookings, Tickets, and more!

Researcher

kauenavarro

More Details >

Floating Social Buttons <= 1.5 - Cross-Site Request Forgery

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-6405

Patch Status
Unpatched

Published
Jun 28, 2024

Affected Software
Floating Social Buttons

Researcher

Yoshihito Kamata

More Details >

Goya <= 1.0.8.7 - Unauthenticated Reflected Cross-Site Scripting via Multiple Parameters

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2023-4017

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Goya

Researcher

RE-ALTER

More Details >

Groundhogg <= 3.4.2.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37264

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Researcher

Ananda Dhakal

More Details >

Mailster <= 4.0.9 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37433

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Mailster - Email Newsletter Plugin for WordPress

Researcher

Martin Herancourt

More Details >

NextScripts <= 4.4.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37275

Patch Status
Unpatched

Published
Jun 27, 2024

Affected Software
NextScripts: Social Networks Auto-Poster

Researcher

Rafie Muhammad

More Details >

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37262

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Online Booking & Scheduling Calendar for WordPress by vcita

Researcher

Le Ngoc Anh

More Details >

Permalink Manager Lite <= 2.4.3.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37257

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Permalink Manager Lite

Researcher

Rafie Muhammad

More Details >

Social Rocket <= 1.3.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37258

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Social Rocket – Social Sharing Plugin

Researcher

Dimas Maulana

More Details >

Striking <= 2.3.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37267

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Striking

Researcher

Rafie Muhammad

More Details >

The Ultimate WordPress Toolkit – WP Extended <= 2.4.7 - Unauthenticated Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37259

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
The Ultimate WordPress Toolkit – WP Extended

Researcher

beluga

More Details >

Uncanny Toolkit Pro for LearnDash <= 4.1.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37436

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Uncanny Toolkit Pro for LearnDash

Researcher

Dave Jong

More Details >

WP eStore <= 8.5.4 - Reflected Cross-Site Scripting via Category Editing

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-6076

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
WP eStore

Researcher

Bob Matyas

More Details >

WP eStore <= 8.5.4 - Reflected Cross-Site Scripting via Customer Editing

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-6074

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
WP eStore

Researcher

Bob Matyas

More Details >

WP eStore <= 8.5.4 - Reflected Cross-Site Scripting via Discount Editing

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-6073

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
WP eStore

Researcher

Bob Matyas

More Details >

WP eStore <= 8.5.4 - Reflected Cross-Site Scripting via REQUEST_URI

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-6072

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
WP eStore

Researcher

Bob Matyas

More Details >

WP Photo Album Plus <= 8.8.00.002 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37416

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
WP Photo Album Plus

Researcher

stealthcopter

More Details >

WP-Lister Lite for Amazon <= 2.6.16 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-37261

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
WP-Lister Lite for Amazon

Researcher

Le Ngoc Anh

More Details >

DethemeKit For Elementor <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via URL Parameter of the De Gallery Widget

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-6283

Patch Status
Patched

Published
Jun 26, 2024

Affected Software
DethemeKit For Elementor

Researcher

Webbernaut

More Details >

Easy Image Collage <= 1.13.5 - Missing Authorization to Authenticated (Contributor+) Data Clearance

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-5863

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Easy Image Collage

Researcher

Lucio Sá

More Details >

Church Admin <= 4.4.4 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37440

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Church Admin

Researcher

Ngô Thiên An (ancorn_)

More Details >

Defender Security <= 4.7.2 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37444

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Defender Security – Malware Scanner, Login Security & Firewall

Researcher

Rafie Muhammad

More Details >

Elements kit Elementor addons <= 3.1.4 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37255

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
ElementsKit Elementor addons

Researcher

Rafie Muhammad

More Details >

Featured Image from URL <= 4.8.1 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37276

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Featured Image from URL (FIFU)

Researcher

Rafie Muhammad

More Details >

Masterstudy Elementor Widgets <= 1.2.2 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37269

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Masterstudy Elementor Widgets

Researcher

Rafie Muhammad

More Details >

Paid Memberships Pro <= 3.0.4 - Unauthenticated Insecure Direct Object Reference to Order Status Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37277

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Researcher

Rafie Muhammad

More Details >

Patreon WordPress <= 1.9.0 - Protection Mechanism Bypass

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37430

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Patreon WordPress

Researcher

MCboyIR

More Details >

Progress Planner <= 0.9.1 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37411

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Progress Planner

Researcher

Djennez

More Details >

SEO SIMPLE PACK <= 3.2.1 - Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-2795

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
SEO SIMPLE PACK

Researcher

Krzysztof Zając

More Details >

TrustedLogin Vendor < 1.1.1 - Unauthenticated Information Disclosure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37270

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
TrustedLogin Vendor

Researcher

Dhabaleshwar Das

More Details >

Uncanny Automator Pro < 5.3.0.1 - Missing Authorization to Unauthenticated License Setting Reset

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-37119

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Uncanny Automator Pro

Researcher

Dave Jong

More Details >

Various Plugins <= Various Version - Use of Polyfill.io

5.3

CVSS Rating
Medium (5.3)

CVE-ID
Unknown

Patch Status
Patched

Published
Jun 25, 2024

Affected Software
OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer)
Pixel Manager for WooCommerce – Track Google Analytics, Google Ads, TikTok and more
weForms – Easy Drag & Drop Contact Form Builder For WordPress
Qualified Electronic Signatures by eID Easy
Digital River Global Commerce
WP User Frontend – Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission Plugin

Researcher(s): Unknown

More Details >

Conversios.io - All-in-one Google Analytics, Pixels and Product Feed Manager for WooCommerce <= 7.1.0 - Reflected Cross-Site Scripting

4.7

CVSS Rating
Medium (4.7)

CVE-ID
CVE-2024-6288

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Conversios – Google Analytics 4 (GA4), Google Ads, Meta Pixel & more for WooCommerce

Researcher

Ulyses Saicha

More Details >

Atarim <= 3.31 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37434

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Visual Website Collaboration, Feedback & Project Management – Atarim

Researcher

piro

More Details >

Branda <= 3.4.17 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37239

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Branda – White Label WordPress, Custom Login Page Customizer

Researcher

Fulan Engineering

More Details >

Cards for Beaver Builder <= 1.1.4 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37278

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Cards for Beaver Builder

Researcher

João Pedro Soares de Alcântara

More Details >

Chained Quiz <= 1.3.2.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37446

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Chained Quiz

Researcher

Manab Jyoti Dowarah

More Details >

Depicter Slider <= 3.0.2 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37414

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

Researcher

Steven Julian

More Details >

Easy Age Verify <= 1.8.2 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-35757

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Easy Age Verify

Researcher

Huynh Tien Si

More Details >

Login with phone number <= 1.7.35 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37429

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Login with phone number

Researcher

LuxF0z

More Details >

Photo Gallery by Ays <= 5.7.0 - Authenticated (Administrator+) HTML Injection

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37442

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Photo Gallery by Ays – Responsive Image Gallery

Researcher

Ibnu Ubaeydillah

More Details >

PixelYourSite – Your smart PIXEL (TAG) Manager <= 9.6.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37447

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
PixelYourSite – Your smart PIXEL (TAG) & API Manager

Researcher

ngductung

More Details >

PowerPack Lite for Beaver Builder <= 1.3.0.4 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37409

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
PowerPack Lite for Beaver Builder

Researcher

João Pedro Soares de Alcântara

More Details >

Slider Revolution <= 6.7.13 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-37449

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Slider Revolution

Researcher

wesley (wcraft)

More Details >

Blossom Shop <= 1.1.7 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37412

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Blossom Shop

Researcher

Dhabaleshwar Das

More Details >

Coachify <= 1.0.7 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37417

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Coachify

Researcher

Dhabaleshwar Das

More Details >

E2Pdf – Export To Pdf Tool for WordPress <= 1.20.27 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37415

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
E2Pdf – Export To Pdf Tool for WordPress

Researcher

Steven Julian

More Details >

Easy Affiliate Links <= 3.7.3 - Missing Authorization to Authenticated (Subscriber+) Settings Reset

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5864

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Easy Affiliate Links

Researcher

Lucio Sá

More Details >

Elegant Pink <= 1.3.0 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37426

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Elegant Pink

Researcher

Dhabaleshwar Das

More Details >

File Manager <= 7.2.7 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37254

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
File Manager

Researcher

Rafie Muhammad

More Details >

JobScout <= 1.1.4 - Cross-Site Request Forgery to Notice Dimissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37421

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
JobScout

Researcher

Dhabaleshwar Das

More Details >

Mesmerize <= 1.6.120 - Cross-Site Request Forgery to Cache Clearing

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37431

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Mesmerize

Researcher

Dhabaleshwar Das

More Details >

NewsMash <= 1.0.34 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37441

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
NewsMash

Researcher

Dhabaleshwar Das

More Details >

Newspack Blocks <= 3.0.8 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37425

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Newspack Blocks

Researcher

Rafie Muhammad

More Details >

OnePress <= 2.3.6 - Cross-Site Request Forgery via save_settings()

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37448

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
OnePress

Researcher

Dhabaleshwar Das

More Details >

Page and Post Clone <= 6.0 - Insecure Direct Object Reference to Authenticated (Author+) Sensitive Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5942

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Page and Post Clone

Researcher

Bassem Essam

More Details >

Perfect Portfolio <= 1.2.0 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37435

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Perfect Portfolio

Researcher

Dhabaleshwar Das

More Details >

Preschool and Kindergarten <= 1.2.1 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37413

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Preschool and Kindergarten

Researcher

Dhabaleshwar Das

More Details >

Travel Monster <= 1.1.2 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37272

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Travel Monster

Researcher

Dhabaleshwar Das

More Details >

Uncanny Automator Pro < 5.3.0.1 - Cross-Site Request Forgery to License Setting Reset

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37118

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Uncanny Automator Pro

Researcher

Dave Jong

More Details >

Uncanny Toolkit Pro for LearnDash <= 4.1.4 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37438

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Uncanny Toolkit Pro for LearnDash

Researcher

Dave Jong

More Details >

Uncanny Toolkit Pro for LearnDash <= 4.1.4 - Missing Authorization to Arbitrary Page/Post Duplication

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37439

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
Uncanny Toolkit Pro for LearnDash

Researcher

Dave Jong

More Details >

WordPress Core < 6.5.5 - Authenticated (Contributor+) Directory Traversal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32111

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
WordPress

Researchers

apple502j

Rafie Muhammad

Edouard L

David Fifield

x89

mishre

More Details >

WP eStore <= 8.5.4 - Cross-Site Request Forgery to Coupon Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-6075

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
WP eStore

Researcher

Bob Matyas

More Details >

WP Job Manager - Resume Manager <= 2.1.0 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37443

Patch Status
Patched

Published
Jun 28, 2024

Affected Software
WP Job Manager - Resume Manager

Researcher

Rafie Muhammad

More Details >

WP Mobile Menu <= 2.8.4.3 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-37274

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
WP Mobile Menu – The Mobile-Friendly Responsive Menu

Researcher

Dhabaleshwar Das

More Details >

Zita Elementor Site Library <= 1.6.2 - Missing Authorization to Page Creation and Options Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3249

Patch Status
Patched

Published
Jun 24, 2024

Affected Software
Zita Elementor Site Library

Researcher

Lucio Sá

More Details >

Tutor LMS <= 2.7.1 - Authenticated (Admin+) Path Traversal

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2024-37266

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
Tutor LMS – eLearning and online course solution

Researcher

filime

More Details >

WooCommerce <= 8.9.2 - Authenticated (Shop Manager+) Content Injection

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2024-35777

Patch Status
Patched

Published
Jun 27, 2024

Affected Software
WooCommerce

Researcher

Phill Sav (Savphill)

More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.