Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024)

Chloe Chamberland
www.wordfence.com
May 02, 2024 - 2:49 p.m.

🎉 Did you know we're running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024, when you opt to have Wordfence handle responsible disclosure!


Last week, 304 vulnerabilities disclosed in 232 WordPress plugins and 23 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 65 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 15,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Patched | 235 |
| Unpatched | 69 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 4 |
| Medium Severity | 247 |
| High Severity | 31 |
| Critical Severity | 22 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 96 |
| Missing Authorization | 82 |
| Cross-Site Request Forgery (CSRF) | 31 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 13 |
| Information Exposure | 12 |
| Server-Side Request Forgery (SSRF) | 12 |
| Authorization Bypass Through User-Controlled Key | 6 |
| Deserialization of Untrusted Data | 6 |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 6 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 6 |
| Information Exposure Through Log Files | 6 |
| Unrestricted Upload of File with Dangerous Type | 5 |
| Improper Privilege Management | 4 |
| Use of Less Trusted Source | 4 |
| External Control of Assumed-Immutable Web Parameter | 3 |
| Improper Control of Generation of Code ('Code Injection') | 2 |
| Improper Input Validation | 2 |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Guessable CAPTCHA | 1 |
| Improper Access Control | 1 |
| Improper Authorization | 1 |
| Improper Neutralization of Alternate XSS Syntax | 1 |
| URL Redirection to Untrusted Site ('Open Redirect') | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Rafie Muhammad | 30 |
| Joshua Chan | 23 |
| stealthcopter | 17 |
| Dhabaleshwar Das | 17 |
| Dave Jong | 14 |
| Bob Matyas | 14 |
| Steven Julian | 13 |
| Ngô Thiên An (ancorn_) | 13 |
| Majed Refaea | 12 |
| Krzysztof Zając | 10 |
| Abdi Pranata | 10 |
| Lucio Sá | 7 |
| Mika | 7 |
| wesley (wcraft) | 7 |
| Khalid | 7 |
| Webbernaut | 7 |
| Tim Coen | 6 |
| beluga | 6 |
| LVT-tholv2k | 6 |
| Emili Castells | 5 |
| Kyle Sanchez | 4 |
| Brandon James Roldan (tomorrowisnew) | 4 |
| Peng Zhou | 4 |
| CatFather | 4 |
| Dmitrii Ignatyev | 4 |
| emad | 3 |
| thiennv | 3 |
| fewwords huang | 2 |
| Hoa Le Ngoc (lengochoa) | 2 |
| Ananda Dhakal | 2 |
| Ray Wilson | 2 |
| Trình Vũ | 2 |
| Richard Telleng (stueotue) | 2 |
| Le Ngoc Anh | 2 |
| Dimas Maulana | 2 |
| Mochamad Sofyan | 2 |
| Atsuya Yoda | 2 |
| Francisco Spínola | 1 |
| Francois Harvey | 1 |
| Francesco Carlucci | 1 |
| Yuchen Ji | 1 |
| Dau Hoang Tai | 1 |
| ST | 1 |
| João Pedro Soares de Alcântara | 1 |
| Phill Sav (Savphill) | 1 |
| andrea bocchetti | 1 |
| Thanh Nam Tran | 1 |
| Do Minh Long | 1 |
| Abu Hurayra | 1 |
| haidv35 | 1 |
| Cronus | 1 |
| 1337_Wannabe | 1 |
| Jean Tirstan T | 1 |
| Skalucy | 1 |
| Manab Jyoti Dowarah | 1 |
| dk0pf | 1 |
| Usama Arshad | 1 |
| Bassem Essam | 1 |
| Yash Chauhan | 1 |
| Elliot | 1 |
| Kursat Cetin | 1 |
| Christiaan Swiers (YouGina) | 1 |
| Benedictus Jovan (aillesiM) | 1 |
| M.Awad | 1 |
| Nikolas | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| Academy LMS – eLearning and online course solution for WordPress | academy |
| Accessibility Widget | accessibility-widget |
| ActiveDEMAND | activedemand |
| Admin and Customer Messages After Order for WooCommerce: OrderConvo | admin-and-client-message-after-order-for-woocommerce |
| Admin Bar Editor – Hide Toolbar by User Roles | admin-bar |
| Advanced Floating Content Lite | advanced-floating-content-lite |
| Advanced Local Pickup for WooCommerce | advanced-local-pickup-for-woocommerce |
| Advanced Most Recent Posts Mod | advanced-most-recent-posts-mod |
| Advanced Post List | advanced-post-list |
| Advanced Testimonial Carousel for Elementor | advanced-testimonial-carousel-for-elementor |
| AGCA – Custom Dashboard & Login Page | ag-custom-admin |
| All-in-one Like Widget | all-in-one-facebook-like-widget |
| Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) | wp-analytify |
| Annual Archive | anual-archive |
| Appointment Hour Booking – WordPress Booking Plugin | appointment-hour-booking |
| AppPresser – Mobile App Framework | apppresser |
| Arconix FAQ | arconix-faq |
| Arconix Shortcodes | arconix-shortcodes |
| ARforms | arforms |
| ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
| Assistant – Every Day Productivity Apps | assistant |
| Auto Featured Image (Auto Post Thumbnail) | auto-post-thumbnail |
| BackUpWordPress | backupwordpress |
| Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader. | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders |
| Base64 Encoder/Decoder | base64-encoderdecoder |
| Better Elementor Addons | better-elementor-addons |
| Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss | bp-better-messages |
| Blog2Social: Social Media Auto Post & Scheduler | blog2social |
| Booking Ultra Pro Appointments Booking Calendar Plugin | booking-ultra-pro |
| Brevo for WooCommerce | woocommerce-sendinblue-newsletter-subscription |
| Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free | RRatingg |
| Car Dealer (Dealership) and Vehicle sales | cardealer |
| CF7 File Download – File Download for CF7 | cf7-file-download |
| ChatBot Conversational Forms | conversational-forms |
| Classified Listing – Classified ads & Business Directory Plugin | classified-listing |
| ClickCease Click Fraud Protection | clickcease-click-fraud-protection |
| Client Dash | client-dash |
| CM Tooltip Glossary | enhanced-tooltipglossary |
| Colibri Page Builder | colibri-page-builder |
| Collapse-O-Matic | jquery-collapse-o-matic |
| Comments – wpDiscuz | wpdiscuz |
| Contact Form 7 Database Addon – CFDB7 | contact-form-cfdb7 |
| Contact Form 7 Extension For Mailchimp | contact-form-7-mailchimp-extension |
| Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder | arforms-form-builder |
| Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) | content-views-query-and-display-post-page |
| Cookie Information Free GDPR Consent Solution | |
| CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance) | cookiehub |
| Cornerstone | cornerstone |
| Coupon & Discount Code Reveal Button | coupon-reveal-button |
| Crelly Slider | crelly-slider |
| Culqi | culqi-checkout |
| Custom field finder | custom-field-finder |
| Customify Site Library | customify-sites |
| Data Tables Generator by Supsystic | data-tables-generator-by-supsystic |
| Database for Contact Form 7, WPforms, Elementor forms | contact-form-entries |
| Easy Accept Payments via PayPal | wordpress-easy-paypal-payment-or-donation-accept-plugin |
| Easy Property Listings | easy-property-listings |
| Easy Set Favicon | easy-set-favicon |
| Element Pack Pro - Addon for Elementor Page Builder WordPress Plugin | bdthemes-element-pack |
| ElementsKit Elementor addons and Templates Library | elementskit-lite |
| ElementsKit Pro | elementskit |
| Elespare – News, Magazine and Blog Elements & Blog Addons for Elementor with Header Footer Builder. One Click Import: No Coding Required! | elespare |
| Email Customizer for WooCommerce Drag and Drop Email Templates Builder | |
| Embed Google Photos album | embed-google-photos-album-easily |
| ENL Newsletter | enl-newsletter |
| EPROLO Dropshipping | eprolo-dropshipping |
| Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite |
| Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media | evergreen-content-poster |
| Exclusive Addons for Elementor | exclusive-addons-for-elementor |
| Export and Import Users and Customers | users-customers-import-export-for-wp-woocommerce |
| FameTheme Demo Importer | famethemes-demo-importer |
| Fan Page Widget by ThemeNcode | facebook-fan-page-widget |
| Fancy Product Designer | fancy-product-designer |
| FG Joomla to WordPress | fg-joomla-to-wordpress |
| FileOrganizer – Manage WordPress and Website Files | fileorganizer |
| Filterable Portfolio | jungbillig-portfolio-gallery |
| Five Star Restaurant Reservations – WordPress Booking Plugin | restaurant-reservations |
| Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker |
| FOX – Currency Switcher Professional for WooCommerce | woocommerce-currency-switcher |
| Frontend Dashboard | frontend-dashboard |
| FV Flowplayer Video Player | fv-wordpress-flowplayer |
| GeoDirectory – WP Business Directory Plugin and Classified Listings Directory | geodirectory |
| Getwid – Gutenberg Blocks | getwid |
| Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers | rafflepress |
| GiveWP – Donation Plugin and Fundraising Platform | give |
| Gutenberg Blocks, Page Builder – ComboBlocks | post-grid |
| Happy Addons for Elementor | happy-elementor-addons |
| Header Footer Code Manager Pro | 99robots-header-footer-code-manager-pro |
| Headline Analyzer | headline-analyzer |
| Hide Dashboard Notifications | wp-hide-backed-notices |
| HL Twitter | hl-twitter |
| HT Mega – Absolute Addons For Elementor | ht-mega-for-elementor |
| Hummingbird – Cache & Page Speed Optimization for Core Web Vitals Critical CSS | |
| Image Optimizer, Resizer and CDN – Sirv | sirv |
| Image Slider | image-slider-widget |
| Import and export users and customers | import-users-from-csv-with-meta |
| InstaWP Connect – 1-click WP Staging & Migration | instawp-connect |
| Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files into Your WordPress Site | integrate-google-drive |
| Interactive World Maps | interactive-world-maps |
| Jeg Elementor Kit | jeg-elementor-kit |
| KB Support – WordPress Help Desk and Knowledge Base | kb-support |
| Knowledge Base documentation & wiki plugin – BasePress Docs | basepress |
| Leaky Paywall | leaky-paywall |
| List Custom Taxonomy Widget | list-custom-taxonomy-widget |
| Login with phone number | login-with-phone-number |
| Maintenance Mode | hkdev-maintenance-mode |
| MainWP Child Reports | mainwp-child-reports |
| Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor | master-addons |
| Max Addons Pro for Bricks | max-addons-pro-bricks |
| MDTF – Meta Data and Taxonomies Filter | wp-meta-data-filter-and-taxonomy-filter |
| Meks Smart Social Widget | meks-smart-social-widget |
| Meks ThemeForest Smart Widget | meks-themeforest-smart-widget |
| MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | metform |
| MF Gig Calendar | mf-gig-calendar |
| month name translation benaceur | month-name-translation-benaceur |
| myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification | mycred |
| Newsletters | newsletters-lite |
| Opal Widgets For Elementor | opal-widgets-for-elementor |
| Page Builder: Live Composer | live-composer-page-builder |
| Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions |
| Payment Gateway Based Fees and Discounts for WooCommerce | checkout-fees-for-woocommerce |
| PDF Invoices & Packing Slips for WooCommerce | woocommerce-pdf-invoices-packing-slips |
| Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery |
| Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery | gt3-photo-video-gallery |
| Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery | nextgen-gallery |
| Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Competition Plugin for WordPress | contest-gallery |
| Piotnet Addons For Elementor | piotnet-addons-for-elementor |
| Piotnet Addons For Elementor Pro | piotnet-addons-for-elementor-pro |
| Podlove Podcast Publisher | podlove-podcasting-plugin-for-wordpress |
| Poll Vote | |
| Popup Box – Best WordPress Popup Plugin | ays-popup-box |
| Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation | optinmonster |
| Popup4Phone | popup4phone |
| PopupAlly | popupally |
| Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) | buddyforms |
| Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX | ultimate-post |
| Premium Addons for Elementor | premium-addons-for-elementor |
| Pretty Google Calendar | pretty-google-calendar |
| Pricing Table by Supsystic | pricing-table-by-supsystic |
| Print Invoice & Delivery Notes for WooCommerce | woocommerce-delivery-notes |
| Print or PDF WooCommerce Order Receipts, Invoices, Labels & More. | print-google-cloud-print-gcp-woocommerce |
| Product Addons & Fields for WooCommerce | woocommerce-product-addon |
| ProfileGrid – User Profiles, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
| PropertyHive | propertyhive |
| Qi Addons For Elementor | qi-addons-for-elementor |
| Quick Featured Images | quick-featured-images |
| Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress | radio-player |
| Radio Station by netmix® – Manage and play your Show Schedule in WordPress! | radio-station |
| Rank Math SEO with AI SEO Tools | seo-by-rank-math |
| Rate My Post – Star Rating Plugin by FeedbackWP | rate-my-post |
| Recencio Book Reviews | recencio-book-reviews |
| Reviews Plus | reviews-plus |
| RomethemeForm For Elementor | romethemeform |
| RomethemeKit For Elementor | rometheme-for-elementor |
| Royal Elementor Addons and Templates | royal-elementor-addons |
| rtMedia for WordPress, BuddyPress and bbPress | buddypress-media |
| Salon Booking System | salon-booking-system |
| Save as PDF Plugin by Pdfcrowd | save-as-pdf-by-pdfcrowd |
| SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share | wp-scheduled-posts |
| Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
| Secure Copy Content Protection and Content Locking | secure-copy-content-protection |
| Seers GDPR & CCPA Cookie Consent & Compliance | |
| Send PDF for Contact Form 7 | send-pdf-for-contact-form-7 |
| Serious Slider | cryout-serious-slider |
| SharkDropship and Affiliate for AliExpress, eBay, Amazon, Etsy | woo-aliexpress-dropshipping |
| ShortPixel Critical CSS | shortpixel-critical-css |
| Simple Membership | simple-membership |
| Simply Static | simply-static |
| Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) | sina-extension-for-elementor |
| Slash Admin | slash-admin |
| Smart Forms – when you need more than just a contact form | smart-forms |
| Smart Maintenance Mode | smart-maintenance-mode |
| Smart Recent Posts Widget | smart-recent-posts-widget |
| Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap | socialsnap |
| Social Sharing Plugin – Social Warfare | social-warfare |
| Solid Affiliate | solid-affiliate |
| SP Project & Document Manager | sp-client-document-manager |
| Spectra – WordPress Gutenberg Blocks | ultimate-addons-for-gutenberg |
| SSU – WordPress Amazon S3 & Wasabi Smart File Uploads Plugin | wp-s3-smart-upload |
| Sticky Anything | toast-stick-anything |
| StreamWeasels Twitch Integration | streamweasels-twitch-integration |
| Survey Maker – Customer Satisfaction Survey, Chat Survey, Calculaton Form, Payment Surveys | survey-maker |
| Table Rate Shipping Method for WooCommerce by Flexible Shipping | flexible-shipping |
| The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library) | the-pack-addon |
| The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce | the-plus-addons-for-elementor-page-builder |
| The Plus Blocks for Block Editor Gutenberg | |
| Timetable and Event Schedule by MotoPress | mp-timetable |
| Tutor LMS – eLearning and online course solution | tutor |
| Ultimate 410 Gone Status Code | ultimate-410 |
| Ultimate Blocks – WordPress Blocks Plugin | ultimate-blocks |
| User Meta – User Profile Builder and User management plugin | user-meta |
| USPS Shipping for WooCommerce – Live Rates | flexible-shipping-usps |
| Video Conferencing with Zoom | video-conferencing-with-zoom-api |
| VikRentCar Car Rental Management System | vikrentcar |
| Vision – Image Map Builder | vision |
| Vitepos – Point of sale (POS) plugin for WooCommerce | vitepos-lite |
| VK Block Patterns | vk-block-patterns |
| VOD Infomaniak | vod-infomaniak |
| Wallet for WooCommerce – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds | woo-wallet |
| Widget Post Slider | widget-post-slider |
| WooCommerce Amazon Affiliates - Wordpress Plugin | woozone |
| WooCommerce Shipping Label | shipping-labels-for-woo |
| WordPress Ad Widget | ad-widget |
| WordPress Backup & Migration | wp-migration-duplicator |
| WP ADA Compliance Check Basic – Most Comprehensive Web Accessibility Solution for WordPress | wp-ada-compliance-check-basic |
| WP Club Manager – WordPress Sports Club Plugin | wp-club-manager |
| WP Datepicker | wp-datepicker |
| WP Fusion Lite – Marketing Automation and CRM Integration for WordPress | wp-fusion-lite |
| WP GoToWebinar | wp-gotowebinar |
| WP LinkedIn Auto Publish | wp-linkedin-auto-publish |
| WP Masquerade | wp-masquerade |
| WP Media Category Management | wp-media-category-management |
| WP Migrate Pro | wp-migrate-db-pro |
| WP Page Post Widget Clone | wp-page-post-widget-clone |
| WP Prayer | wp-prayer |
| WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate |
| WP SMTP | wp-smtp |
| WP STAGING Pro WordPress Backup Plugin | wp-staging-pro |
| WP STAGING WordPress Backup Plugin – Migration Backup Restore | wp-staging |
| WP Time Slots Booking Form | wp-time-slots-booking-form |
| WP Travel Engine – Best Travel Booking WordPress Plugin, Tour Booking System | wp-travel-engine |
| WP ULike – Most Advanced WordPress Marketing Toolkit | wp-ulike |
| WP-Lister Lite for eBay | wp-lister-for-ebay |
| WP-Members Membership Plugin | wp-members |
| WP-Recall – Registration, Profile, Commerce & More | wp-recall |
| WPC Composite Products for WooCommerce | wpc-composite-products |
| WPCal.io – Easy Meeting Scheduler | wpcal |
| WPPizza – A Restaurant Plugin | wppizza |
| WPZOOM Addons for Elementor (Templates, Widgets) | wpzoom-elementor-addons |
| XforWooCommerce | xforwoocommerce |
| XStore Core | et-core-plugin |
| YITH WooCommerce Compare | yith-woocommerce-compare |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| Accountra | accountra |
| Althea WP | althea-wp |
| Blocksy | blocksy |
| Brite | brite |
| Calliope | calliope |
| Colibri WP | colibri-wp |
| ColorNews | colornews |
| Elevate WP | elevate-wp |
| Financio | financio |
| Hugo WP | hugo-wp |
| Intrace | intrace |
| Pathway | pathway |
| Photology | photology |
| Royal Elementor Kit | royal-elementor-kit |
| Startupzy | startupzy |
| Teluro | teluro |
| Travey | travey |
| uDesign - Responsive WordPress Theme | u-design |
| Vertice | vertice |
| Virtue | virtue |
| WP Portfolio | wp-portfolio |
| XStore | xstore |
| Zeever | zeever |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

ActiveDEMAND <= 0.2.41 - Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (10.0)
CVE-ID: CVE-2024-32809
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: ActiveDEMAND
Researcher: stealthcopter

Customify Site Library <= 0.0.9 - Unauthenticated Remote Code Execution
CVSS Rating: Critical (10.0)
CVE-ID: CVE-2024-33644
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: Customify Site Library
Researcher: Abdi Pranata

WooCommerce Amazon Affiliates - Wordpress Plugin <= 14.0.10 - Unauthenticated SQL Injection
CVSS Rating: Critical (10.0)
CVE-ID: CVE-2024-33544
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: WooCommerce Amazon Affiliates - Wordpress Plugin
Researcher: Rafie Muhammad

WP-Recall – Registration, Profile, Commerce & More <= 16.26.5 - Unauthenticated SQL Injection
CVSS Rating: Critical (10.0)
CVE-ID: CVE-2024-32709
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: WP-Recall – Registration, Profile, Commerce & More
Researcher: LVT-tholv2k

XStore <= 9.3.5 - Unauthenticated SQL Injection
CVSS Rating: Critical (10.0)
CVE-ID: CVE-2024-33559
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: XStore
Researcher: Rafie Muhammad

XStore Core <= 5.3.5 - Unauthenticated SQL Injection
CVSS Rating: Critical (10.0)
CVE-ID: CVE-2024-33551
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: XStore Core
Researcher: Rafie Muhammad

Element Pack Pro <= 7.7.4 - Authenticated (Contributor+) Arbitrary File Read and PHAR Deserialization
CVSS Rating: Critical (9.9)
CVE-ID: CVE-2024-33568
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: Element Pack Pro - Addon for Elementor Page Builder WordPress Plugin
Researcher: Rafie Muhammad

Timetable and Event Schedule by MotoPress <= 2.4.11 - Authenticated (Contributor+) SQL Injection
CVSS Rating: Critical (9.9)
CVE-ID: CVE-2024-3342
Patch Status: Patched
Published: Apr 26, 2024
Affected Software: Timetable and Event Schedule by MotoPress
Researcher: Krzysztof Zając

WooCommerce Amazon Affiliates - Wordpress Plugin <= 14.0.10 - Authenticated (Subscriber+) SQL Injection
CVSS Rating: Critical (9.9)
CVE-ID: CVE-2024-33546
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: WooCommerce Amazon Affiliates - Wordpress Plugin
Researcher: Rafie Muhammad

WP-Recall – Registration, Profile, Commerce & More <= 16.26.5 - Authenticated (Contributor+) SQL Injection
CVSS Rating: Critical (9.9)
CVE-ID: CVE-2024-32710
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: WP-Recall – Registration, Profile, Commerce & More
Researcher: LVT-tholv2k

XStore Core <= 5.3.5 - Authenticated (Subscriber+) Limited Arbitrary File Upload
CVSS Rating: Critical (9.9)
CVE-ID: CVE-2024-33556
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: XStore Core
Researcher: Rafie Muhammad

Barcode Scanner with Inventory & Order Manager <= 1.5.3 - Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-33567
Patch Status: Patched
Published: Apr 25, 2024
Affected Software: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.
Researcher: Rafie Muhammad

OrderConvo <= 12.4 - Missing Authorization to Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-33566
Patch Status: Patched
Published: Apr 25, 2024
Affected Software: Admin and Customer Messages After Order for WooCommerce: OrderConvo
Researcher: Rafie Muhammad

Product Addons & Fields for WooCommerce <= 32.0.18 - Unauthenticated Arbitrary File Upload via ppom_upload_file
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-3962
Patch Status: Patched
Published: Apr 25, 2024
Affected Software: Product Addons & Fields for WooCommerce
Researcher: andrea bocchetti

Sirv <= 7.2.2 - Missing Authorization to Arbitrary Options Update
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-32959
Patch Status: Patched
Published: Apr 23, 2024
Affected Software: Image Optimizer, Resizer and CDN – Sirv
Researcher: Emili Castells

WP Migrate Pro <= 2.6.10 - Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-30225
Patch Status: Patched
Published: Apr 26, 2024
Affected Software: WP Migrate Pro
Researcher: Dave Jong

XStore <= 9.3.5 - Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-33560
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: XStore
Researcher: Rafie Muhammad

XStore Core <= 5.3.5 - Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-33553
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: XStore Core
Researcher: Rafie Muhammad

XStore Core <= 5.3.5 - Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-33552
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: XStore Core
Researcher: Rafie Muhammad

BuddyForms <= 2.8.8 - Unauthenticated Arbitrary File Read and Server-Side Request Forgery
CVSS Rating: Critical (9.3)
CVE-ID: CVE-2024-32830
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Researcher: beluga

ENL Newsletter <= 1.0.1 - Authenticated (Admin+) SQL Injection
CVSS Rating: Critical (9.1)
CVE-ID: CVE-2024-3060
Patch Status: Unpatched
Published: Apr 26, 2024
Affected Software: ENL Newsletter
Researcher: Bob Matyas

Newsletters <= 4.9.5 - Authenticated (Admin+) Arbitrary File Upload
CVSS Rating: Critical (9.1)
CVE-ID: CVE-2024-32954
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: Newsletters
Researcher: Peng Zhou

ARforms <= 6.4 - Authenticated (Subscriber+) SQL Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-32706
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: ARforms
Researcher: Dave Jong

Better Elementor Addons <= 1.4.1 - Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-33541
Patch Status: Patched
Published: Apr 25, 2024
Affected Software: Better Elementor Addons
Researcher: Ray Wilson

Booking Ultra Pro <= 1.1.12 - Authenticated (Contributor+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-32960
Patch Status: Patched
Published: Apr 23, 2024
Affected Software: Booking Ultra Pro Appointments Booking Calendar Plugin
Researcher: Emili Castells

Custom field finder <= 0.3 - Authenticated (Author+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-33641
Patch Status: Patched
Published: Apr 25, 2024
Affected Software: Custom field finder
Researcher: CatFather

ElementsKit Elementor addons <= 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Onepage Scroll Module
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-3499
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: ElementsKit Elementor addons and Templates Library
Researcher: Webbernaut

ElementsKit Pro <= 3.6.0 - Authenticated (Contributor+) Local File Inclusion via Price Menu, Hotspot, and Advanced Toggle Widgets
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-3500
Patch Status: Patched
Published: Apr 25, 2024
Affected Software: ElementsKit Pro
Researcher: Webbernaut

GiveWP – Donation Plugin and Fundraising Platform <= 3.4.2 - Authenticated (GiveWP Manager+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-30229
Patch Status: Patched
Published: Apr 26, 2024
Affected Software: GiveWP – Donation Plugin and Fundraising Platform
Researcher: Rafie Muhammad

rtMedia for WordPress, BuddyPress and bbPress <= 4.6.18 - Authenticated (Contributor+) SQL Injection via rtmedia_gallery Shortcode
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-3293
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: rtMedia for WordPress, BuddyPress and bbPress
Researcher: Krzysztof Zając

WooCommerce Amazon Affiliates - Wordpress Plugin <= 14.0.10 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-33549
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: WooCommerce Amazon Affiliates - Wordpress Plugin
Researcher: Rafie Muhammad

WP Datepicker <= 2.1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-3895
Patch Status: Patched
Published: Apr 23, 2024
Affected Software: WP Datepicker
Researcher: Lucio Sá

WP Masquerade <= 1.1.0 - Authenticated (Subscriber+) Account Takeover
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-33550
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: WP Masquerade
Researcher: Rafie Muhammad

WP ULike – Most Advanced WordPress Marketing Toolkit <= 4.6.9 - Authenticated (Contributor+) SQL Injection via Shortcodes
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-1797
Patch Status: Patched
Published: Apr 26, 2024
Affected Software: WP ULike – Most Advanced WordPress Marketing Toolkit
Researcher: Bassem Essam

XforWooCommerce <= 2.0.2 - Authenticated (Subscriber+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-33628
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: XforWooCommerce
Researcher: Dave Jong

XStore <= 9.3.5 - Authenticated (Subscriber+) Arbitrary Options Update
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-33564
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: XStore
Researcher: Rafie Muhammad

XStore Core <= 5.3.5 - Authenticated (Subscriber+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-33557
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: XStore Core
Researcher: Rafie Muhammad

ARForms <= 6.4 - Missing Authorization to Arbitrary File Deletion
CVSS Rating: High (8.1)
CVE-ID: CVE-2024-32703
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: ARforms
Researcher: Dave Jong

Conversational Forms for ChatBot <= 1.1.8 - Unauthenticated Arbitrary File Download
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-32729
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: ChatBot Conversational Forms
Researcher: beluga

Database for Contact Form 7, WPforms, Elementor forms <= 1.3.8 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-3715
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: Database for Contact Form 7, WPforms, Elementor forms
Researcher: Tim Coen

Export and Import Users and Customers <= 2.5.3 - Authenticated (Admin+) PHP Object Injection
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-32835
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: Export and Import Users and Customers
Researcher: Trình Vũ

Import and export users and customers <= 1.26.2 - Authenticated (Admin+) PHP Object Injection
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-32817
Patch Status: Patched
Published: Apr 22, 2024
Affected Software: Import and export users and customers
Researcher: Trình Vũ

PDF Invoices & Packing Slips for WooCommerce <= 3.8.0 - Unauthenticated Server-Side Request Forgery
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-3047
Patch Status: Patched
Published: Apr 24, 2024
Affected Software: PDF Invoices & Packing Slips for WooCommerce
Researcher: Tim Coen

PDF Invoices & Packing Slips for WooCommerce <= 3.8.0 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-3045
Patch Status: Patched
Published: Apr 24, 2024
Affected Software: PDF Invoices & Packing Slips for WooCommerce
Researcher: Tim Coen

Piotnet Addons For Elementor Pro <= 7.1.17 - Unauthenticated Server-Side Request Forgery
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-33634
Patch Status: Unpatched
Published: Apr 25, 2024
Affected Software: Piotnet Addons For Elementor Pro
Researcher: Dave Jong

Popup4Phone <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-3231
Patch Status: Unpatched
Published: Apr 26, 2024
Affected Software: Popup4Phone
Researcher:

Bob Matyas

More Details >

Radio Player <= 2.0.73 - Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-33592

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Researcher

Steven Julian

More Details >

Sendinblue for WooCommerce <= 4.0.17 - Authenticated (Editor+) Arbitrary File Download and Deletion

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-32807

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Brevo for WooCommerce

Researcher

beluga

More Details >

Sticky Anything <= 2.1.5 - Missing Authorization

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-33646

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Sticky Anything

Researcher

Dimas Maulana

More Details >

Survey Maker – Best WordPress Survey Plugin <= 3.6.6 - Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2023-34423

Patch Status
Patched

Published
Apr 27, 2024

Affected Software
Survey Maker – Customer Satisfaction Survey, Chat Survey, Calculaton Form, Payment Surveys

Researcher

Atsuya Yoda

More Details >

WP SMTP 1.2 - 1.2.6 - Authenticated (Admin+) SQL Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-1789

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
WP SMTP

Researcher

Christiaan Swiers (YouGina)

More Details >

WP-Lister Lite for eBay <= 3.5.11 - Authenticated (Shop Manager+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-32836

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
WP-Lister Lite for eBay

Researcher

Joshua Chan

More Details >

ARForms Form Builder <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion

7.1

CVSS Rating
High (7.1)

CVE-ID
CVE-2024-1945

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder

Researcher

Lucio Sá

More Details >

5 Stars Rating Funnel <= 1.2.67 - Missing Authorization

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-32725

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free | RRatingg

Researcher

Dhabaleshwar Das

More Details >

Advanced Local Pickup for WooCommerce <= 1.6.1 - Missing Authorization to Notice Dismissal

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-32814

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Advanced Local Pickup for WooCommerce

Researcher

Dhabaleshwar Das

More Details >

FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.8 - Unauthenticated Arbitrary Shortcode Execution

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-3734

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
FOX – Currency Switcher Professional for WooCommerce

Researcher

stealthcopter

More Details >

Integrate Google Drive <= 1.3.9 - Missing Authorization

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-32813

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files into Your WordPress Site

Researcher

Steven Julian

More Details >

Royal Elementor Addons and Templates <= 1.3.971 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-2798

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Royal Elementor Addons and Templates

Researcher

wesley (wcraft)

More Details >

Tutor LMS <= 2.6.2 - Missing Authorization to Unauthenticated Limited Options Update

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-3553

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Tutor LMS – eLearning and online course solution

Researcher

M.Awad

More Details >

XStore Core <= 5.3.5 - Authenticated (Subscriber+) Limited Arbitrary File Download

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-33558

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
XStore Core

Researcher

Rafie Muhammad

More Details >

Accessibility Widget <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-32831

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Accessibility Widget

Researcher

Joshua Chan

More Details >

Advanced Most Recent Posts Mod <= 1.6.5.2 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-33643

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Advanced Most Recent Posts Mod

Researcher

Ngô Thiên An (ancorn_)

More Details >

Auto Featured Image (Auto Post Thumbnail) <= 4.0.0 - Authenticated (Author+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-33629

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Auto Featured Image (Auto Post Thumbnail)

Researcher

Yuchen Ji

More Details >

Blocksy <= 2.0.33 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-32961

Patch Status
Patched

Published
Apr 23, 2024

Affected Software
Blocksy

Researcher

Joshua Chan

More Details >

Blocksy <= 2.0.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via About Me block

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3747

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Blocksy

Researcher

Ngô Thiên An (ancorn_)

More Details >

Colibri Page Builder <= 1.0.272 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'colibri_breadcrumb_element' Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3337

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Colibri Page Builder

Researcher

stealthcopter

More Details >

Collapse-O-Matic <= 1.8.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2023-7030

Patch Status
Patched

Published
Apr 23, 2024

Affected Software
Collapse-O-Matic

Researcher

Richard Telleng (stueotue)

More Details >

ColorNews <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-33540

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
ColorNews

Researcher

stealthcopter

More Details >

Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Post Overlay

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3929

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode)

Researcher

wesley (wcraft)

More Details >

Culqi <= 3.0.14 - Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-32819

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Culqi

Researcher

Majed Refaea

More Details >

Embed Google Photos album <= 2.1.9 - Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-32775

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Embed Google Photos album

Researcher

LVT-tholv2k

More Details >

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4003

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Researcher

Ngô Thiên An (ancorn_)

More Details >

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery & Interactive Circle

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3728

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Researcher

stealthcopter

More Details >

Exclusive Addons for Elementor <= 2.6.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2750

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Exclusive Addons for Elementor

Researcher

wesley (wcraft)

More Details >

Exclusive Addons for Elementor <= 2.6.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3985

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Exclusive Addons for Elementor

Researcher

stealthcopter

More Details >

Exclusive Addons for Elementor <= 2.6.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Expired Title

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3489

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Exclusive Addons for Elementor

Researcher

Webbernaut

More Details >

FV Flowplayer Video Player <= 7.5.43.7212 - Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-32955

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
FV Flowplayer Video Player

Researcher

Steven Julian

More Details >

GeoDirectory – WordPress Business Directory Plugin, or Classified Directory <= 2.3.48 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'gd_single_tabs' Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3732

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Researcher

Krzysztof Zając

More Details >

Getwid – Gutenberg Blocks <= 2.0.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'Countdown'

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3588

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Getwid – Gutenberg Blocks

Researcher

Webbernaut

More Details >

Happy Addons for Elementor <= 3.10.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Calendly Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3890

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Happy Addons for Elementor

Researcher

Ngô Thiên An (ancorn_)

More Details >

Jeg Elementor Kit <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via JKit - Banner

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3819

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Jeg Elementor Kit

Researcher

wesley (wcraft)

More Details >

Knowledge Base documentation & wiki plugin – BasePress <= 2.16.1 - Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-33590

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Knowledge Base documentation & wiki plugin – BasePress Docs

Researcher

beluga

More Details >

Opal Widgets For Elementor <= 1.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-33649

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Opal Widgets For Elementor

Researcher

Khalid

More Details >

Photo Gallery - GT3 Image Gallery & Gutenberg Block Gallery <= 2.7.7.21 - Authenticated (Author+) Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4035

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery

Researcher

stealthcopter

More Details >

Piotnet Addons For Elementor <= 2.4.27 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-33630

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Piotnet Addons For Elementor

Researcher

Khalid

More Details >

Piotnet Addons For Elementor Pro <= 7.1.17 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-33631

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Piotnet Addons For Elementor Pro

Researcher

Dave Jong

More Details >

Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3239

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Researcher

Dmitrii Ignatyev

More Details >

Premium Addons for Elementor <= 4.10.25 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-32791

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Premium Addons for Elementor

Researcher

Ray Wilson

More Details >

Premium Addons for Elementor <= 4.10.28 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3885

Patch Status
Patched

Published
Apr 23, 2024

Affected Software
Premium Addons for Elementor

Researcher

Ngô Thiên An (ancorn_)

More Details >

Premium Addons for Elementor <= 4.10.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'arrow_style'

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3647

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Premium Addons for Elementor

Researcher

stealthcopter

More Details >

Pretty Google Calendar <= 1.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-33640

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Pretty Google Calendar

Researcher

LVT-tholv2k

More Details >

ProfileGrid <= 5.7.1 - Authenticated (Contributor+) SQL Injection

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-30241

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
ProfileGrid – User Profiles, Groups and Communities

Researcher

Ngô Thiên An (ancorn_)

More Details >

Qi Addons For Elementor <= 1.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3309

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Qi Addons For Elementor

Researcher

Webbernaut

More Details >

Radio Player <= 2.0.73 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-29811

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Researcher

Abu Hurayra

More Details >

Rank Math SEO with AI SEO Tools <= 1.0.216 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'titleWrapper'

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3665

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Rank Math SEO with AI SEO Tools

Researcher

wesley (wcraft)

More Details >

Recencio Book Reviews <= 1.66.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-33648

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Recencio Book Reviews

Researcher

Ngô Thiên An (ancorn_)

More Details >

RomethemeKit For Elementor <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-32956

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
RomethemeKit For Elementor

Researcher

Khalid

More Details >

Royal Elementor Addons and Templates <= 1.3.971 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Accordion Title Tags

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3889

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Royal Elementor Addons and Templates

Researcher

Ngô Thiên An (ancorn_)

More Details >

Royal Elementor Addons and Templates <= 1.3.971 - Authenticated (Contributor+) Stored Cross-Site Scripting via Flip Carousel, Flip Box, Post Grid, and Taxonomy List Widget Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3675

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Royal Elementor Addons and Templates

Researcher

stealthcopter

More Details >

Royal Elementor Addons and Templates <= 1.3.971 - Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Tags

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2799

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Royal Elementor Addons and Templates

Researchers

Ngô Thiên An (ancorn_)

ST

João Pedro Soares de Alcântara

More Details >

Save as PDF plugin by Pdfcrowd <= 3.2.0 - Missing Authorization

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-33684

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Save as PDF Plugin by Pdfcrowd

Researcher

Majed Refaea

More Details >

Schema & Structured Data for WP & AMP <= 1.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via How To and FAQ Blocks

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3491

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Schema & Structured Data for WP & AMP

Researcher

stealthcopter

More Details >

Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Sina Fancy Text Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3988

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Researcher

wesley (wcraft)

More Details >

Social Sharing Plugin – Social Warfare <= 4.4.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-1959

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Social Sharing Plugin – Social Warfare

Researcher

Krzysztof Zając

More Details >

The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library) <= 2.0.8.2 - Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-32718

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)

Researcher

Majed Refaea

More Details >

The Plus Addons for Elementor <= 5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3199

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Researcher

Webbernaut

More Details >

The Plus Addons for Elementor <= 5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3197

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Researcher

Tim Coen

More Details >

Ultimate 410 Gone Status Code <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3677

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Ultimate 410 Gone Status Code

Researcher

Krzysztof Zając

More Details >

Virtue <= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Author

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4034

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Virtue

Researcher

stealthcopter

More Details >

WP Portfolio <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-33537

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
WP Portfolio

Researcher

stealthcopter

More Details >

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_lightbox

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3548

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
WP Shortcodes Plugin — Shortcodes Ultimate

Researcher

Dmitrii Ignatyev

More Details >

WP ULike <= 4.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-1572

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
WP ULike – Most Advanced WordPress Marketing Toolkit

Researcher

Richard Telleng (stueotue)

More Details >

WP ULike <= 4.6.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-1759

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
WP ULike – Most Advanced WordPress Marketing Toolkit

Researcher

stealthcopter

More Details >

WPC Composite Products for WooCommerce <= 7.2.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2838

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
WPC Composite Products for WooCommerce

Researcher

Krzysztof Zając

More Details >

wpDiscuz <= 7.6.15 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Alternative Text

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2477

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Comments – wpDiscuz

Researcher

Ngô Thiên An (ancorn_)

More Details >

WPZOOM Addons for Elementor (Templates, Widgets) <= 1.1.35 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-33539

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
WPZOOM Addons for Elementor (Templates, Widgets)

Researcher

Khalid

More Details >

XStore Core <= 5.3.5 - Missing Authorization

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2024-33555

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
XStore Core

Researcher

Rafie Muhammad

More Details >

ARforms <= 6.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-32702

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
ARforms

Researcher

Dave Jong

More Details >

Base64 Encoder/Decoder <= 0.9.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-3823

Patch Status
Unpatched

Published
Apr 24, 2024

Affected Software
Base64 Encoder/Decoder

Researcher

Bob Matyas

More Details >

Base64 Encoder/Decoder <= 0.9.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-3822

Patch Status
Unpatched

Published
Apr 24, 2024

Affected Software
Base64 Encoder/Decoder

Researcher

Francisco Spínola

More Details >

Cornerstone <= 0.8.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-28002

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Cornerstone

Researcher

Rafie Muhammad

More Details >

Easy Set Favicon <= 1.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-33645

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Easy Set Favicon

Researcher

Dimas Maulana

More Details >

Fancy Product Designer <= 6.1.7 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-0905

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Fancy Product Designer

Researcher

Bob Matyas

More Details >

Header Footer Code Manager Pro <= 1.0.16 - Reflected Cross-Site Scripting via message

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-3473

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Header Footer Code Manager Pro

Researcher

1337_Wannabe

More Details >

Interactive World Maps <= 2.4.14 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-3681

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Interactive World Maps

Researcher

Usama Arshad

More Details >

Max Addons Pro for Bricks <= 1.6.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-32952

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Max Addons Pro for Bricks

Researcher

Dave Jong

More Details >

Piotnet Addons For Elementor Pro <= 7.1.17 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-33633

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Piotnet Addons For Elementor Pro

Researcher

Dave Jong

More Details >

Seers | GDPR & CCPA Cookie Consent & Compliance <= 8.1.0 - Cross-Site Request Forgery

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-32789

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Seers | GDPR & CCPA Cookie Consent & Compliance

Researcher

Le Ngoc Anh

More Details >

Slash Admin <= 3.8.1 - Cross-Site Request Forgery

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-32958

Patch Status
Patched

Published
Apr 23, 2024

Affected Software
Slash Admin

Researcher

Cronus

More Details >

The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library) <= 2.0.8.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-32785

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)

Researcher

Le Ngoc Anh

More Details >

UDesign <= 4.7.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-4077

Patch Status
Unpatched

Published
Apr 23, 2024

Affected Software
uDesign - Responsive WordPress Theme

Researcher

Rafie Muhammad

More Details >

Video Conferencing with Zoom <= 4.4.4 - Open Redirect

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-33584

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Video Conferencing with Zoom

Researcher

Joshua Chan

More Details >

VOD Infomaniak <= 1.5.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-33571

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
VOD Infomaniak

Researcher

Rafie Muhammad

More Details >

WooCommerce Amazon Affiliates - Wordpress Plugin <= 14.0.10 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-33548

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
WooCommerce Amazon Affiliates - Wordpress Plugin

Researcher

Rafie Muhammad

More Details >

WP Media Category Management <= 2.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-32950

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
WP Media Category Management

Researcher

Abdi Pranata

More Details >

XStore <= 9.3.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-33562

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
XStore

Researcher

Rafie Muhammad

More Details >

XStore Core <= 5.3.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-33554

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
XStore Core

Researcher

Rafie Muhammad

More Details >

Absolutely Glamorous Custom Admin <= 7.2.3 - Authenticated (Admin+) Server-Side Request Forgery

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2024-33627

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
AGCA – Custom Dashboard & Login Page

Researcher

emad

More Details >

Academy LMS <= 1.9.16 - Missing Authorization

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-32714

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Academy LMS – eLearning and online course solution for WordPress

Researcher

Mochamad Sofyan

More Details >

Colibri Page Builder <= 1.0.272 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'colibri-gallery-slideshow' Shortcode

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-3340

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Colibri Page Builder

Researcher

Ngô Thiên An (ancorn_)

More Details >

Crelly Slider <= 1.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-33542

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Crelly Slider

Researcher

Steven Julian

More Details >

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin <= 2.6.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-32711

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification

Researcher

stealthcopter

More Details >

Simple Membership <= 4.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-3730

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Simple Membership

Researcher

Thanh Nam Tran

More Details >

Tutor LMS – eLearning and online course solution <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tutor_instructor_list' Shortcode

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-3994

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Tutor LMS – eLearning and online course solution

Researcher

wesley (wcraft)

More Details >

Ultimate Blocks <= 3.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Heading

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-3241

Patch Status
Patched

Published
Apr 23, 2024

Affected Software
Ultimate Blocks – WordPress Blocks Plugin

Researchers

Dmitrii Ignatyev

Dau Hoang Tai

More Details >

Advanced Testimonial Carousel for Elementor <= 3.0.0 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32783

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Advanced Testimonial Carousel for Elementor

Researcher

Abdi Pranata

More Details >

Analytify <= 5.2.1 - Missing Authorization to Unauthenticated Google Analytics Tracking ID Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-1584

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Researcher

Francesco Carlucci

More Details >

Appointment Hour Booking <= 1.4.56 - Captcha Bypass

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32720

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Appointment Hour Booking – WordPress Booking Plugin

Researcher

Mochamad Sofyan

More Details >

AppPresser <= 4.3.0 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32776

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
AppPresser – Mobile App Framework

Researcher

Mika

More Details >

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup <= 4.0.28 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32948

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Researcher

Kursat Cetin

More Details >

Assistant – Every Day Productivity Apps <= 1.4.9.1 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33538

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Assistant – Every Day Productivity Apps

Researcher

Joshua Chan

More Details >

Barcode Scanner with Inventory & Order Manager <= 1.5.3 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33565

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Researcher

Rafie Muhammad

More Details >

BizPrint <= 4.3.39 - Missing Authorization via showTemplatePreview()

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32777

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Print or PDF WooCommerce Order Receipts, Invoices, Labels & More.

Researcher

Joshua Chan

More Details >

Blog2Social: Social Media Auto Post & Scheduler <= 7.4.2 - Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-3678

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Blog2Social: Social Media Auto Post & Scheduler

Researcher

Krzysztof Zając

More Details >

BP Better Messages <= 2.4.32 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32802

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Researcher

Ananda Dhakal

More Details >

Classified Listing – Classified ads & Business Directory Plugin <= 3.0.10.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-3893

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Classified Listing – Classified ads & Business Directory Plugin

Researcher

Lucio Sá

More Details >

Client Dash <= 2.2.1 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33652

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Client Dash

Researcher

Skalucy

More Details >

Contact Form 7 Database Addon – CFDB7 <= 1.2.6.8 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-3870

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Contact Form 7 Database Addon – CFDB7

Researcher

Tim Coen

More Details >

CookieHub <= 1.1.0 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32784

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance)

Researcher

Abdi Pranata

More Details >

Easy Accept Payments <= 4.9.10 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33591

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Easy Accept Payments via PayPal

Researcher

Joshua Chan

More Details >

Easy Property Listings <= 3.5.3 - Missing Authorization via epl_update_listing_coordinates()

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32799

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Easy Property Listings

Researcher

Mika

More Details >

Email Customizer for WooCommerce | Drag and Drop Email Templates Builder <= 2.6.0 - Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32781

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Email Customizer for WooCommerce | Drag and Drop Email Templates Builder

Researcher

Emili Castells

More Details >

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.15 - Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-3733

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Researcher

Webbernaut

More Details >

FG Joomla to WordPress <= 4.20.2 - Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32788

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
FG Joomla to WordPress

Researcher(s): Unknown

More Details >

Frontend Dashboard <= 2.2.2 -

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32726

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Frontend Dashboard

Researcher

Emili Castells

More Details >

Giveaways and Contests by RafflePress <= 1.12.7 - Unauthenticated IP Spoofing

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32827

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Researcher

Brandon James Roldan (tomorrowisnew)

More Details >

Hummingbird <= 3.7.3 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32792

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Hummingbird – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript

Researcher

Peng Zhou

More Details >

Integrate Google Drive <= 1.3.8 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32949

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files into Your WordPress Site

Researcher

Steven Julian

More Details >

Leaky Paywall <= 4.20.8 - Missing Authorization to Price Manipulation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33594

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Leaky Paywall

Researcher

Joshua Chan

More Details >

Login with phone number <= 1.6.93 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32832

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Login with phone number

Researcher

Majed Refaea

More Details >

Maintenance Mode by helderk <= 3.0.1 - Unauthenticated IP Spoofing

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32708

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Maintenance Mode

Researcher

Hoa Le Ngoc (lengochoa)

More Details >

Max Addons Pro for Bricks <= 1.6.1 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32951

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Max Addons Pro for Bricks

Researcher

Dave Jong

More Details >

Newsletters <= 4.9.5 - Information Exposure via Log files

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32953

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Newsletters

Researcher

Peng Zhou

More Details >

Photo Gallery by 10Web <= 1.8.20 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33586

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Researcher

Steven Julian

More Details >

Piotnet Addons For Elementor Pro <= 7.1.17 - Missing Authorization to Arbitrary Post/Page Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33635

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Piotnet Addons For Elementor Pro

Researcher

Dave Jong

More Details >

Popup Box – Best WordPress Popup Plugin <= 4.3.6 - Missing Authorization to Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-3897

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Popup Box – Best WordPress Popup Plugin

Researcher

Krzysztof Zając

More Details >

Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks <= 2.2.78 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32816

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Gutenberg Blocks, Page Builder – ComboBlocks

Researcher

Peng Zhou

More Details >

ProfileGrid <= 5.8.2 - Bypass Group Members Limit

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32774

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
ProfileGrid – User Profiles, Groups and Communities

Researcher

Kyle Sanchez

More Details >

Rate My Post – Star Rating Plugin by FeedbackWP <= 3.4.4 - Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32823

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Rate My Post – Star Rating Plugin by FeedbackWP

Researcher

Kyle Sanchez

More Details >

RomethemeForm For Elementor <= 1.1.2 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32727

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
RomethemeForm For Elementor

Researcher

thiennv

More Details >

Royal Elementor Addons <= 1.3.93 - Unauthenticated IP Spoofing

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32786

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Royal Elementor Addons and Templates

Researcher

Brandon James Roldan (tomorrowisnew)

More Details >

Secure Copy Content Protection and Content Locking <= 3.9.0 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33587

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Secure Copy Content Protection and Content Locking

Researcher

Mika

More Details >

Send PDF for Contact Form 7 <= 1.0.2.3 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-3585

Patch Status
Patched

Published
Apr 23, 2024

Affected Software
Send PDF for Contact Form 7

Researcher

Krzysztof Zając

More Details >

Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy <= 2.1.1 - Unauthenticated Arbitrary Content Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32724

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
SharkDropship and Affiliate for AliExpress, eBay, Amazon, Etsy

Researcher(s): Unknown

More Details >

Simply Static <= 3.1.3 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32825

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Simply Static

Researcher

CatFather

More Details >

Social Snap <= 1.3.5 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32805

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap

Researcher

Majed Refaea

More Details >

Solid Affiliate <= 1.9.1 - Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33637

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Solid Affiliate

Researcher

Francois Harvey

More Details >

SSU <= 1.5.0 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33597

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
SSU – WordPress Amazon S3 & Wasabi Smart File Uploads Plugin

Researcher

Mika

More Details >

StreamWeasels Twitch Integration <= 1.7.8 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32716

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
StreamWeasels Twitch Integration

Researcher

Majed Refaea

More Details >

Survey Maker <= 4.0.9 - IP Address Spoofing

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2023-35764

Patch Status
Patched

Published
Apr 27, 2024

Affected Software
Survey Maker – Customer Satisfaction Survey, Chat Survey, Calculaton Form, Payment Surveys

Researcher

Atsuya Yoda

More Details >

User Meta <= 3.0 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33575

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
User Meta – User Profile Builder and User management plugin

Researcher

stealthcopter

More Details >

USPS Shipping for WooCommerce – Live Rates <= 1.9.4 - Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32811

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
USPS Shipping for WooCommerce – Live Rates

Researcher

Joshua Chan

More Details >

VikRentCar Car Rental Management System <= 1.3.2 - Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32780

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
VikRentCar Car Rental Management System

Researcher

Steven Julian

More Details >

Vision Interactive <= 1.7.1 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32779

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Vision – Image Map Builder

Researcher

Steven Julian

More Details >

VK Block Patterns <= 1.31.0 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32826

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
VK Block Patterns

Researcher

Mika

More Details >

WooCommerce Amazon Affiliates - Wordpress Plugin <= 14.0.10 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33545

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
WooCommerce Amazon Affiliates - Wordpress Plugin

Researcher

Rafie Muhammad

More Details >

WP Club Manager <= 2.2.11 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32719

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
WP Club Manager – WordPress Sports Club Plugin

Researcher

Mika

More Details >

WP Fusion Lite – Marketing Automation and CRM Integration for WordPress <= 3.42.10 - Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32796

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
WP Fusion Lite – Marketing Automation and CRM Integration for WordPress

Researcher

Majed Refaea

More Details >

WP STAGING <= 3.4.3 and WP STAGING Pro <= 5.4.3 - Sensitive Information Exposure via Log File

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-3682

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
WP STAGING WordPress Backup Plugin – Migration Backup Restore
WP STAGING Pro WordPress Backup Plugin

Researcher

haidv35

More Details >

WP Time Slots Booking Form <= 1.2.06 - Unauthenticated Price Manipulation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33543

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
WP Time Slots Booking Form

Researcher

Joshua Chan

More Details >

WP Travel Engine <= 5.8.0 - Unauthenticated Price Manipulation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32798

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
WP Travel Engine – Best Travel Booking WordPress Plugin, Tour Booking System

Researcher

Ananda Dhakal

More Details >

WP-Members Membership Plugin <= 3.4.9.3 - Unprotected Storage of Potentially Sensitive Files

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-2920

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
WP-Members Membership Plugin

Researcher

Tim Coen

More Details >

XStore <= 9.3.5 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-33561

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
XStore

Researcher

Rafie Muhammad

More Details >

Advanced Floating Content Lite <= 1.2.5 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-32723

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Advanced Floating Content Lite

Researcher

Joshua Chan

More Details >

Advanced Post List <= 0.5.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-33642

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Advanced Post List

Researcher

emad

More Details >

All-in-one Like Widget <= 2.2.7 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-32815

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
All-in-one Like Widget

Researcher

Joshua Chan

More Details >

Annual Archive <= 1.6.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-33598

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Annual Archive

Researcher

Emili Castells

More Details >

CF7 File Download – File Download for CF7 <= 2.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-33697

Patch Status
Unpatched

Published
Apr 26, 2024

Affected Software
CF7 File Download – File Download for CF7

Researcher

Joshua Chan

More Details >

Colibri Page Builder <= 1.0.262 - Authenticated (Author+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-3338

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Colibri Page Builder

Researcher

stealthcopter

More Details >

Coupon & Discount Code Reveal Button <= 1.2.5 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-32722

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Coupon & Discount Code Reveal Button

Researcher

emad

More Details >

Fan Page Widget by ThemeNcode <= 2.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-33695

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Fan Page Widget by ThemeNcode

Researcher

Joshua Chan

More Details >

FileOrganizer and FileOrganizer Pro <= 1.0.6 - Authenticated Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-2324

Patch Status
Patched

Published
Apr 23, 2024

Affected Software
FileOrganizer – Manage WordPress and Website Files

Researcher

Nikolas

More Details >

Filterable Portfolio <= 1.6.4 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-4234

Patch Status
Unpatched

Published
Apr 26, 2024

Affected Software
Filterable Portfolio

Researcher

Steven Julian

More Details >

Form Maker by 10Web <= 1.15.24 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-2258

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Researcher

stealthcopter

More Details >

HL Twitter <= 2014.1.18 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-3630

Patch Status
Unpatched

Published
Apr 24, 2024

Affected Software
HL Twitter

Researcher

Bob Matyas

More Details >

Image Slider <= 1.1.125 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-32707

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Image Slider

Researcher

Jean Tirstan T

More Details >

List Custom Taxonomy Widget <= 4.1 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-32833

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
List Custom Taxonomy Widget

Researcher

Joshua Chan

More Details >

Meks Smart Social Widget <= 1.6.4 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-33693

Patch Status
Unpatched

Published
Apr 26, 2024

Affected Software
Meks Smart Social Widget

Researcher

Joshua Chan

More Details >

Meks ThemeForest Smart Widget <= 1.6 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-33694

Patch Status
Unpatched

Published
Apr 26, 2024

Affected Software
Meks ThemeForest Smart Widget

Researcher

Joshua Chan

More Details >

month name translation benaceur <= 2.3.7 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-3634

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
month name translation benaceur

Researcher

Bob Matyas

More Details >

Nextgen Gallery <= 3.59 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-2744

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Researcher

Dmitrii Ignatyev

More Details >

Popup4Phone <= 1.3.2 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-3580

Patch Status
Unpatched

Published
Apr 26, 2024

Affected Software
Popup4Phone

Researcher

Bob Matyas

More Details >

PopupAlly <= 2.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-33639

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
PopupAlly

Researcher

Manab Jyoti Dowarah

More Details >

Smart Recent Posts Widget <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-33692

Patch Status
Unpatched

Published
Apr 26, 2024

Affected Software
Smart Recent Posts Widget

Researcher

Joshua Chan

More Details >

TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds <= 1.5.0 - Authenticated (Shop Manager+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-32584

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
Wallet for WooCommerce – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds

Researcher

Joshua Chan

More Details >

Widget Post Slider <= 1.3.5 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-32801

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Widget Post Slider

Researcher

Joshua Chan

More Details >

WordPress Ad Widget <= 2.20.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-33696

Patch Status
Unpatched

Published
Apr 26, 2024

Affected Software
WordPress Ad Widget

Researcher

Joshua Chan

More Details >

Admin Bar Remover <= 1.0.2.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-1716

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Admin Bar Editor – Hide Toolbar by User Roles

Researcher

Lucio Sá

More Details >

ARForms <= 6.4 - Missing Authorization to Arbitrary Option Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32704

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
ARforms

Researcher

Dave Jong

More Details >

ARForms <= 6.4 - Missing Authorization to Arbitrary Plugin Activation/Deactivation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32705

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
ARforms

Researcher

Dave Jong

More Details >

Base64 Encoder/Decoder <= 0.9.2 - Cross-Site Request Forgery to Setting Reset

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3824

Patch Status
Unpatched

Published
Apr 24, 2024

Affected Software
Base64 Encoder/Decoder

Researcher

Bob Matyas

More Details >

ClickCease Click Fraud Protection <= 3.2.5 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33678

Patch Status
Unpatched

Published
Apr 26, 2024

Affected Software
ClickCease Click Fraud Protection

Researcher

Elliot

More Details >

CM Tooltip Glossary – Powerful Glossary Plugin <= 4.2.11 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4086

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
CM Tooltip Glossary

Researcher

Benedictus Jovan (aillesiM)

More Details >

ColibriWP Theme framework <= (Various Versions) - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33686

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Colibri WP
Elevate WP
Althea WP
Hugo WP
Pathway
Brite
Vertice
Teluro
Calliope

Researcher

Dhabaleshwar Das

More Details >

Contact Form 7 Extension For Mailchimp <= 0.5.70 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33677

Patch Status
Unpatched

Published
Apr 26, 2024

Affected Software
Contact Form 7 Extension For Mailchimp

Researcher

thiennv

More Details >

Contest Gallery <= 21.3.4 - Authenticated (Author+) Arbitrary File Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32778

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Competition Plugin for WordPress

Researcher

CatFather

More Details >

Data Tables Generator by Supsystic <= 1.10.31 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32829

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Data Tables Generator by Supsystic

Researcher

Steven Julian

More Details >

Elespare – Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! <= 2.1.2 - Missing Authorization to Subscriber+ Arbitrary Post Creation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-0900

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Elespare – News, Magazine and Blog Elements & Blog Addons for Elementor with Header Footer Builder. One Click Import: No Coding Required!

Researcher

Lucio Sá

More Details >

EPROLO Dropshipping <= 1.7.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33573

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
EPROLO Dropshipping

Researcher

Abdi Pranata

More Details >

Evergreen Content Poster <= 1.4.2 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32824

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media

Researcher

CatFather

More Details >

FameTheme Demo Importer <= 1.1.5 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33679

Patch Status
Unpatched

Published
Apr 26, 2024

Affected Software
FameTheme Demo Importer

Researcher

Brandon James Roldan (tomorrowisnew)

More Details >

Financio <= 1.1.3 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33690

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Financio

Researcher

Dhabaleshwar Das

More Details >

Five Star Restaurant Reservations <= 2.6.16 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33596

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Five Star Restaurant Reservations – WordPress Booking Plugin

Researcher

Steven Julian

More Details >

Flexible Shipping <= 4.24.15 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32828

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Table Rate Shipping Method for WooCommerce by Flexible Shipping

Researcher

Dhabaleshwar Das

More Details >

Headline Analyzer <= 1.3.3 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32806

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Headline Analyzer

Researcher

Majed Refaea

More Details >

Hide Dashboard Notifications <= 1.2.3 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33683

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Hide Dashboard Notifications

Researcher

Dhabaleshwar Das

More Details >

HL Twitter <= 2014.1.18 - Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3629

Patch Status
Unpatched

Published
Apr 24, 2024

Affected Software
HL Twitter

Researcher

Bob Matyas

More Details >

HL Twitter <= 2014.1.18 - Cross-Site Request Forgery to Twitter Account Unlink

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3631

Patch Status
Unpatched

Published
Apr 24, 2024

Affected Software
HL Twitter

Researcher

Bob Matyas

More Details >

HT Mega – Absolute Addons For Elementor <= 2.4.7 - Missing Authorization to Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32782

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
HT Mega – Absolute Addons For Elementor

Researcher

Khalid

More Details >

InstaWP Connect <= 0.1.0.24 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32701

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
InstaWP Connect – 1-click WP Staging & Migration

Researcher

Dhabaleshwar Das

More Details >

KB Support <= 1.6.0 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33589

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
KB Support – WordPress Help Desk and Knowledge Base

Researcher

beluga

More Details >

Knowledge Base documentation & wiki plugin – BasePress <= 2.16.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33588

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Knowledge Base documentation & wiki plugin – BasePress Docs

Researcher

beluga

More Details >

MainWP Child Reports <= 2.1.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33680

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
MainWP Child Reports

Researcher

Brandon James Roldan (tomorrowisnew)

More Details >

Master Addons for Elementor <= 2.0.5.4.1 - Missing Authorization on Duplicate Post

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33595

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor

Researcher

Khalid

More Details >

Metform Elementor Contact Form Builder <= 3.8.3 - Missing Authorization to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33570

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Researcher

Rafie Muhammad

More Details >

MF Gig Calendar <= 1.2.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33651

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
MF Gig Calendar

Researcher

Khalid

More Details >

Multiple Plugins by tychesoftwares <= (Various Versions) - Missing Authorization to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4233

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Arconix Shortcodes
Arconix FAQ
Print Invoice & Delivery Notes for WooCommerce

Researcher

Dhabaleshwar Das

More Details >

Multiple Themes by jegstudio <= (Various Versions) - Missing Authorization to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33685

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Intrace
Travey
Startupzy
Zeever
Photology
Accountra

Researcher

Dhabaleshwar Das

More Details >

Page Builder: Live Composer <= 1.5.38 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32957

Patch Status
Patched

Published
Apr 23, 2024

Affected Software
Page Builder: Live Composer

Researcher

Phill Sav (Savphill)

More Details >

Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.11.0 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32728

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Researcher

Dhabaleshwar Das

More Details >

Payment Gateway Based Fees and Discounts for WooCommerce <= 2.12.1 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33585

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Payment Gateway Based Fees and Discounts for WooCommerce

Researcher

Dhabaleshwar Das

More Details >

Piotnet Addons For Elementor Pro <= 7.1.17 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33632

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Piotnet Addons For Elementor Pro

Researcher

Dave Jong

More Details >

Podlove Podcast Publisher <= 4.0.11 - Authenticated (Contributor+) Server-Side Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32812

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Podlove Podcast Publisher

Researcher

Majed Refaea

More Details >

Podlove Podcast Publisher <= 4.0.14 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32712

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Podlove Podcast Publisher

Researcher

LVT-tholv2k

More Details >

Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation <= 2.15.3 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33691

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation

Researcher

Dhabaleshwar Das

More Details >

ProfileGrid – User Profiles, Memberships, Groups and Communities <= 5.7.9 - Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32772

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
ProfileGrid – User Profiles, Groups and Communities

Researcher

Kyle Sanchez

More Details >

ProfileGrid – User Profiles, Memberships, Groups and Communities <= 5.7.9 - Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32808

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
ProfileGrid – User Profiles, Groups and Communities

Researcher

Kyle Sanchez

More Details >

PropertyHive <= 2.0.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3607

Patch Status
Patched

Published
Apr 24, 2024

Affected Software
PropertyHive

Researcher

Lucio Sá

More Details >

Quick Featured Images <= 13.7.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Thumbnail Deletion/Setting

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3664

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Quick Featured Images

Researcher

Lucio Sá

More Details >

Radio Station by netmix® – Manage and play your Show Schedule in WordPress! <= 2.5.7 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33689

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Radio Station by netmix® – Manage and play your Show Schedule in WordPress!

Researcher

Dhabaleshwar Das

More Details >

Reviews Plus <= 1.3.4 - Missing Authorization to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32822

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Reviews Plus

Researcher

Dhabaleshwar Das

More Details >

Royal Elementor Kit <= 1.0.116 - Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32773

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Royal Elementor Kit

Researcher

Dhabaleshwar Das

More Details >

Salon booking system <= 9.6.5 - Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-2429

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Salon Booking System

Researcher

Bob Matyas

More Details >

SchedulePress <= 5.0.8 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32717

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share

Researcher

Majed Refaea

More Details >

Secure Copy Content Protection and Content Locking <= 3.7.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32787

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Secure Copy Content Protection and Content Locking

Researcher

Abdi Pranata

More Details >

Serious Slider <= 1.2.4 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33650

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Serious Slider

Researcher

Steven Julian

More Details >

ShortPixel Critical CSS <= 1.0.2 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32810

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
ShortPixel Critical CSS

Researcher

Dhabaleshwar Das

More Details >

Smart Forms <= 2.6.91 - Missing Authorization to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33593

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Smart Forms – when you need more than just a contact form

Researcher

Dhabaleshwar Das

More Details >

Smart Maintenance Mode <= 1.4.4 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33638

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
Smart Maintenance Mode

Researcher

Hoa Le Ngoc (lengochoa)

More Details >

SP Project & Document Manager <= 4.71 - Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3748

Patch Status
Unpatched

Published
Apr 24, 2024

Affected Software
SP Project & Document Manager

Researcher

fewwords huang

More Details >

SP Project & Document Manager <= 4.71 - Insecure Direct Object Reference to Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3749

Patch Status
Unpatched

Published
Apr 24, 2024

Affected Software
SP Project & Document Manager

Researcher

fewwords huang

More Details >

Spectra – WordPress Gutenberg Blocks <= 2.12.6 - Authenticated (Contributor+) Path Traversal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3107

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
Spectra – WordPress Gutenberg Blocks

Researcher

Ngô Thiên An (ancorn_)

More Details >

The Plus Blocks for Block Editor | Gutenberg <= 3.2.5 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33572

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
The Plus Blocks for Block Editor | Gutenberg

Researcher

LVT-tholv2k

More Details >

Total Poll Lite <= 4.9.9 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32821

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Poll | Vote | Contest – Best Poll Plugin for WordPress

Researcher

thiennv

More Details >

Vitepos <= 3.0.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33574

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Vitepos – Point of sale (POS) plugin for WooCommerce

Researcher

Abdi Pranata

More Details >

WordPress Backup & Migration <= 1.4.8 - Missing Authorization to Directory Traversal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3546

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
WordPress Backup & Migration

Researcher

Krzysztof Zając

More Details >

WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.3 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32818

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
MDTF – Meta Data and Taxonomies Filter

Researcher

Abdi Pranata

More Details >

WP ADA Compliance Check Basic – Most Comprehensive Web Accessibility Solution for WordPress <= 3.1.3 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32947

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
WP ADA Compliance Check Basic – Most Comprehensive Web Accessibility Solution for WordPress

Researcher

Joshua Chan

More Details >

WP GDPR Compliance <= 2.0.23 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33682

Patch Status
Unpatched

Published
Apr 26, 2024

Affected Software
Cookie Information | Free GDPR Consent Solution

Researcher

Mika

More Details >

WP GoToWebinar <= 14.46 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32804

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
WP GoToWebinar

Researcher

Abdi Pranata

More Details >

WP LinkedIn Auto Publish <= 8.11 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32797

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
WP LinkedIn Auto Publish

Researcher

Abdi Pranata

More Details >

WP Page Post Widget Clone <= 1.0.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33636

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
WP Page Post Widget Clone

Researcher

Do Minh Long

More Details >

WP Prayer <= 2.0.9 - Cross-Site Request Forgery to Arbitrary Prayer Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3407

Patch Status
Unpatched

Published
Apr 24, 2024

Affected Software
WP Prayer

Researcher

Bob Matyas

More Details >

WP Prayer <= 2.0.9 - Cross-Site Request Forgery to Email Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3406

Patch Status
Unpatched

Published
Apr 24, 2024

Affected Software
WP Prayer

Researcher

Bob Matyas

More Details >

WP Prayer <= 2.0.9 - Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-3405

Patch Status
Unpatched

Published
Apr 24, 2024

Affected Software
WP Prayer

Researcher

Bob Matyas

More Details >

WPCal.io – Easy Meeting Scheduler <= 0.9.5.8 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32795

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
WPCal.io – Easy Meeting Scheduler

Researcher

Majed Refaea

More Details >

WPPizza <= 3.18.10 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33576

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
WPPizza – A Restaurant Plugin

Researcher

Majed Refaea

More Details >

WZone <= 14.0.10 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33547

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
WooCommerce Amazon Affiliates - Wordpress Plugin

Researcher

Rafie Muhammad

More Details >

XStore <= 9.3.5 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-33563

Patch Status
Unpatched

Published
Apr 25, 2024

Affected Software
XStore

Researcher

Rafie Muhammad

More Details >

YITH WooCommerce Compare <= 2.37.0 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-32699

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
YITH WooCommerce Compare

Researcher

Ngô Thiên An (ancorn_)

More Details >

WooCommerce Shipping Label <= 2.3.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting

3.3

CVSS Rating
Low (3.3)

CVE-ID
CVE-2024-32834

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
WooCommerce Shipping Label

Researcher

Joshua Chan

More Details >

BackUpWordPress <= 3.13 - Authenticated (Admin+) Directory Traversal

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2024-3034

Patch Status
Patched

Published
Apr 26, 2024

Affected Software
BackUpWordPress

Researcher

dk0pf

More Details >

Car Dealer <= 4.15 - Authenticated (Admin+) Content Injection

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2024-4214

Patch Status
Patched

Published
Apr 25, 2024

Affected Software
Car Dealer (Dealership) and Vehicle sales

Researcher

Yash Chauhan

More Details >

Pricing Table by Supsystic <= 1.9.12 - Authenticated (Admin+) Content Injection

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2024-32790

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
Pricing Table by Supsystic

Researcher

Steven Julian

More Details >
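The two findings that recur most often in the list above, "Missing Authorization to Notice Dismissal" and "Cross-Site Request Forgery to Notice Dismissal", are the same few lines of plugin code failing two different checks. A `wp_ajax_*` handler runs for any logged-in user, Subscriber included, so an `update_option()` call without a capability check is a missing-authorization bug; a handler without a nonce check can be triggered by a page an administrator is lured to, which is the CSRF. The following is an added example written for this report, not code from any plugin named above: the plugin prefix `acme`, the action `acme_dismiss_notice` and the option `acme_notice_dismissed` are hypothetical, and the snippet assumes it is loaded inside a WordPress plugin.

```php
<?php
/**
 * Added example, not taken from any plugin in this report.
 * "acme", "acme_dismiss_notice" and "acme_notice_dismissed" are hypothetical
 * names. Assumes it runs inside a WordPress plugin (uses core WP functions).
 */

// BEFORE: the pattern behind both "Missing Authorization" and "CSRF to Notice
// Dismissal". The wp_ajax_ hook fires for every authenticated user, and nothing
// proves the request was intentionally made from the plugin's own admin page.
function acme_dismiss_notice_insecure() {
    update_option( 'acme_notice_dismissed', 1 ); // site-wide option, no checks
    wp_send_json_success();
}

// AFTER: both checks. check_ajax_referer() closes the CSRF: it calls
// wp_die( -1, 403 ) unless $_REQUEST['_ajax_nonce'] (or _wpnonce) carries a
// valid nonce for this action. current_user_can() closes the authorization
// gap: a nonce proves the request came from a page the site served to this
// user, not that this user is allowed to change a site-wide option.
function acme_dismiss_notice_secure() {
    check_ajax_referer( 'acme_dismiss_notice' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'acme_notice_dismissed', 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_acme_dismiss_notice', 'acme_dismiss_notice_secure' );

// The nonce has to be minted server-side and handed to the admin page script
// that issues the AJAX call; here it is exposed as acmeNotice.nonce. The
// script sends it back as the "_ajax_nonce" request parameter.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script(
        'acme-admin',
        plugins_url( 'admin.js', __FILE__ ), // hypothetical script path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'acme-admin', 'acmeNotice', array(
        'action'  => 'acme_dismiss_notice',
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'acme_dismiss_notice' ),
    ) );
} );
```

Neither check substitutes for the other: a handler with only the nonce is still exploitable by any Subscriber who reads the nonce out of the page source, and a handler with only the capability check is still exploitable via a forged request to a logged-in administrator. If the dismissal is meant to be per user, store it with `update_user_meta( get_current_user_id(), ... )` instead of `update_option()`; the capability requirement can then be dropped because the user only changes their own data, but the nonce check stays.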


As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, submissions from researchers through our Bug Bounty Program, and monitoring of public sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024) appeared first on Wordfence.
