Lucene search

K
wordfenceChloe ChamberlandWORDFENCE:AE2AB9A3EAD5823C79E503EA0D700870
HistoryMay 16, 2024 - 1:04 p.m.

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 6, 2024 to May 12, 2024)

2024-05-1613:04:14
Chloe Chamberland
www.wordfence.com
30
wordfence
vulnerability
wordpress
security
database
patched
unpatched
cve
cross-site scripting
csrf
php remote file inclusion
sql injection
xss
mailing list
threat intelligence
bug bounty

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.009

Percentile

82.7%


🎉 Did you know we're running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!


Last week, there were 184 vulnerabilities disclosed in 146 WordPress Plugins and 6 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 67 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 16,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 145
Unpatched 39

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 146
High Severity 19
Critical Severity 18

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 88
Cross-Site Request Forgery (CSRF) 23
Missing Authorization 18
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') 8
Unrestricted Upload of File with Dangerous Type 8
Information Exposure 7
Deserialization of Untrusted Data 6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 5
Improper Control of Generation of Code ('Code Injection') 4
Server-Side Request Forgery (SSRF) 3
Authentication Bypass Using an Alternate Path or Channel 2
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 2
Information Exposure Through Log Files 2
Authentication Bypass by Spoofing 1
Authorization Bypass Through User-Controlled Key 1
Improper Access Control 1
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 1
Improper Privilege Management 1
Incorrect Authorization 1
Insecure Storage of Sensitive Information 1
Unprotected Alternate Channel 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities

Dhabaleshwar Das

| 19

stealthcopter

| 16

wesley (wcraft)

| 9

Sharanabasappa

| 8

István Márton

| 8

João G. Barbosa (4rCanJ0x!)

| 7

Bob Matyas

| 7

Benedictus Jovan (aillesiM)

| 7

Ngô Thiên An (ancorn_)

| 6

Peng Zhou

| 6

Webbernaut

| 5

Manab Jyoti Dowarah

| 5

Francesco Carlucci

| 4

Khalid

| 4

Rafie Muhammad

| 4

Joshua Chan

| 4

Krzysztof Zając

| 3

1337_Wannabe

| 3

Lucio Sá

| 3

Rayhan Ramdhany Hanaputra

| 3

Trinh Vu (Sonicrrrr)

| 2

Sebastião Gavião (Sebastgav)

| 2

Ray Wilson

| 2

Cronus

| 2

Kyle Sanchez

| 2

Huynh Tien Si

| 2

LVT-tholv2k

| 2

Le Ngoc Anh

| 2

CatFather

| 2

Majed Refaea

| 2

Ananda Dhakal

| 1

Eduardo Berlanga (seqode)

| 1

Daiki Sato

| 1

fewwords huang

| 1

Do Truong Giang

| 1

Myungju Kim

| 1

younsoung kim

| 1

SeoHyeon Lee

| 1

SeoHee Kang

| 1

beluga

| 1

alfido osdie

| 1

Krugov Artyom

| 1

Bassem Essam

| 1

t0y4

| 1

umi

| 1

Erdemstar

| 1

shaman0x01

| 1

Maksymilian Kubiak

| 1

Slawomir Zakrzewski

| 1

Peter Thaleikis

| 1

Phill Sav (Savphill)

| 1

domiee13

| 1

Hiro

| 1

Foxyyy

| 1

Dmitrii Ignatyev

| 1

rptl

| 1

Felipe Restrepo Rodriguez (pfelilpe)

| 1

Mateo Gomez

| 1

Thanh Nam Tran

| 1

Phuoc Pham (p3tl0v3r)

| 1

Elmini

| 1

JoanClarke2

| 1

Jakick

| 1

Roby Firnando Yusuf

| 1

ngductung

| 1

ST

| 1

Trình Vũ

| 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
140+ Widgets Xpro Addons For Elementor – FREE
3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin real3d-flipbook-lite
Academy LMS – eLearning and online course solution for WordPress academy
ADFO – Custom data in admin dashboard admin-form
Advanced Ads – Ad Manager & AdSense advanced-ads
AI Engine ai-engine
Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit aiomatic-automatic-ai-content-writer
All Bootstrap Blocks all-bootstrap-blocks
All-in-One Addons for Elementor – WidgetKit widgetkit-for-elementor
Arigato Autoresponder and Newsletter bft-autoresponder
Auto Affiliate Links wp-auto-affiliate-links
AWSOM News Announcement awsom-news-announcement
Back In Stock Notifier for WooCommerce WooCommerce Waitlist Pro
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader. barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Beaver Builder – WordPress Page Builder beaver-builder-lite-version
Better Elementor Addons better-elementor-addons
Blocksy Companion blocksy-companion
BlogLentor – Blog Designer Pack for Elementor bloglentor-for-elementor
Breakdance breakdance
Brizy – Page Builder brizy
Brozzme Scroll Top brozzme-scroll-top
Business Card business-card-by-esterox-100
canvasio3D Light canvasio3d-light
Church Admin church-admin
ClickCease Click Fraud Protection clickcease-click-fraud-protection
Comments Evolved for WordPress gplus-comments
Configure Login Timeout configure-login-timeout
Contact List – Premium Staff Listing, Business Directory & Address Book contact-list
Content Blocks (Custom Post Widget) custom-post-widget
Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) content-views-query-and-display-post-page
Counter Up – Animated Number Counter & Milestone Showcase wp-counter-up
Custom Field Suite custom-field-suite
Debug Info debug-info
Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler cf7-styler
Ditty – Responsive News Tickers, Sliders, and Lists ditty-news-ticker
Divi Builder divi-builder
DS Site Message ds-site-message
Dynamics 365 Integration integration-dynamics
Easy Affiliate Links easy-affiliate-links
Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) easy-digital-downloads
Edwiser Bridge – WordPress Moodle LMS Integration edwiser-bridge
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor embedpress
Enhance Your Posts with the WP Post Author Box, Co-Authors, Guest Authors, and Post Rating System, including Registration Form Builder wp-post-author
Enter Addons – Ultimate Template Builder for Elementor enteraddons
Envo's Elementor Templates & Widgets for WooCommerce envo-elementor-for-woocommerce
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders essential-addons-for-elementor-lite
Falang multilanguage for WordPress falang
Featured Content Gallery featured-content-gallery
Flo Forms – Easy Drag & Drop Form Builder flo-forms
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder form-maker
Forty Four – 404 Plugin for WordPress forty-four
GDPR Compliance gdpr-compliance
gee Search Plus, improved WordPress search gsearch-plus
Ghost ghost
Gianism gianism
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers rafflepress
Gold Addons for Elementor gold-addons-for-elementor
Graphina – Elementor Charts and Graphs graphina-elementor-charts-and-graphs
Gutenberg Blocks with AI by Kadence WP – Page Builder Features kadence-blocks
Gutenify – Visual Site Builder Blocks & Site Templates. gutenify
Heateor Social Login WordPress heateor-social-login
Hostel hostel
Hotel Booking Lite motopress-hotel-booking-lite
HT Mega – Absolute Addons For Elementor ht-mega-for-elementor
HTML5 Audio Player- Audio Player Plugin html5-audio-player
If-So Dynamic Content Personalization if-so
Image Hover Effects – Elementor Addon image-hover-effects-addon-for-elementor
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms integration-for-contact-form-7-and-pipedrive
Joli FAQ SEO – WordPress FAQ Plugin joli-faq-seo
KKProgressbar2 Free – advanced progress bars kkprogressbar
Kognetiks Chatbot for WordPress chatbot-chatgpt
LearnPress – WordPress LMS Plugin learnpress
Link Library link-library
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) magical-addons-for-elementor
Meow Gallery meow-gallery
Mesmerize Companion mesmerize-companion
Mihdan: Yandex Turbo Feed mihdan-yandex-turbo-feed
Move Addons for Elementor move-addons
Netgsm netgsm
One Click Demo Import one-click-demo-import
Orders Tracking for WooCommerce woo-orders-tracking
Pk Favicon Manager phpsword-favicon-manager
Playlist for Youtube playlist-for-youtube
Pods – Custom Content Types and Fields pods
Pootle Pagebuilder – WordPress Page builder pootle-page-builder
Porto Theme - Functionality porto-functionality
Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder ajax-filter-posts
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) bdthemes-prime-slider-lite
Propovoice: All-in-One Client Management System propovoice
Pure Chat – Live Chat & More! pure-chat
QuickieBar quickiebar
Shared Counts – Social Media Share Buttons shared-counts
Shared Files – Download Manager & Media Gallery with Frontend Uploads shared-files
Shipment Tracking, Tracking, and Order Tracking for WooCommerce – ParcelPanel (Free to install) parcelpanel
ShopBuilder – Elementor WooCommerce Builder Addons shopbuilder
Shopping Cart & eCommerce Store wp-easycart
ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization shortpixel-adaptive-images
Simple Website Banner corona-virus-covid-19-banner
Site Reviews site-reviews
SKT Addons for Elementor skt-addons-for-elementor
Soccer Engine – Soccer Plugin for WordPress soccer-engine-lite
Social Connect social-connect
Social Sharing Plugin – Social Warfare social-warfare
SP Project & Document Manager sp-client-document-manager
Spectra Pro spectra-pro
SportsPress – Sports Club & League Manager sportspress
Squelch Tabs and Accordions Shortcodes squelch-tabs-and-accordions-shortcodes
Starter Templates — Elementor, WordPress & Beaver Builder Templates astra-sites
Startklar Elementor Addons startklar-elmentor-forms-extwidgets
Sticky banner sticky-banner
Sticky Social Link sticky-social-link
Stockholm Core stockholm-core
Swift Performance Lite swift-performance-lite
Table Maker table-maker
The Best WordPress Knowledgebase and Documentation Plugin – weDocs wedocs
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce the-plus-addons-for-elementor-page-builder
Themify Shortcodes themify-shortcodes
Thim Elementor Kit thim-elementor-kit
Timber timber-library
Translate Multilingual sites – TranslatePress translatepress-multilingual
TT Custom Post Type Creator tt-custom-post-type-creator
Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider ultimate-store-kit
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor
Unyson unyson
Viet Affiliate Link viet-affiliate-link
Viet Nam Affiliate viet-nam-affiliate
Visual Footer Credit Remover visual-footer-credit-remover
WC Serial Numbers – Ultimate License Manager for Selling, Licensing & Securely Delivering Digital Content with WooCommerce wc-serial-numbers
White Label CMS white-label-cms
WOLF – WordPress Posts Bulk Editor and Manager Professional bulk-editor
WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) smart-wishlist-for-more-convert
WordPress Affiliates Plugin — SliceWP Affiliates slicewp
WordPress Webinar Plugin – WebinarPress wp-webinarsystem
WP Discourse wp-discourse
WP etracker wp-etracker
WP Fastest Cache wp-fastest-cache
WP Favorite Posts wp-favorite-posts
WP Job Manager wp-job-manager
WP Latest Posts wp-latest-posts
WP Photo Album Plus wp-photo-album-plus
WP STAGING WordPress Backup Plugin – Migration Backup Restore wp-staging
WPCS ( WordPress Custom Search ) wpcs-wp-custom-search
XML Sitemap & Google News xml-sitemap-feed
Yoast SEO wordpress-seo
Z-Downloads z-downloads
Zotpress zotpress

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Divi Divi
Divi Extra extra
Himalayas himalayas
Porto porto
raindrops raindrops
Stockholm stockholm

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

WP Photo Album Plus <= 8.7.01.001 - Unauthenticated Arbitrary File Upload

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-31377

Patch Status
Patched

Published
May 7, 2024

Affected Software
WP Photo Album Plus

Researcher

stealthcopter

More Details >

canvasio3D Light <= 2.5.0 - Authenticated (Subscriber+) Arbitrary File Upload

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-34411

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
canvasio3D Light

Researcher

stealthcopter

More Details >

Shipment Tracking, Tracking, and Order Tracking for WooCommerce – ParcelPanel (Free to install) <= 3.8.2 - Authenticated (Subscriber+) SQL Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-34412

Patch Status
Patched

Published
May 6, 2024

Affected Software
Shipment Tracking, Tracking, and Order Tracking for WooCommerce – ParcelPanel (Free to install)

Researcher

Le Ngoc Anh

More Details >

Edwiser Bridge <= 3.0.5 - Authentication Bypass due to Missing Empty Value Check

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4186

Patch Status
Patched

Published
May 6, 2024

Affected Software
Edwiser Bridge – WordPress Moodle LMS Integration

Researcher

István Márton

More Details >

Hotel Booking Lite <= 4.11.1 - Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4413

Patch Status
Patched

Published
May 10, 2024

Affected Software
Hotel Booking Lite

Researcher

Trinh Vu (Sonicrrrr)

More Details >

Kognetiks Chatbot for WordPress <= 1.9.9 - Unauthenticated Arbitrary File Upload via chatbot_chatgpt_upload_file_to_assistant Function

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4560

Patch Status
Patched

Published
May 10, 2024

Affected Software
Kognetiks Chatbot for WordPress

Researcher

Francesco Carlucci

More Details >

LearnPress – WordPress LMS Plugin <= 4.2.6.5 - Unauthenticated Time-Based SQL Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4434

Patch Status
Patched

Published
May 9, 2024

Affected Software
LearnPress – WordPress LMS Plugin

Researcher

1337_Wannabe

More Details >

Porto <= 7.1.0 - Unauthenticated Local File Inclusion via porto_ajax_posts

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-3806

Patch Status
Patched

Published
May 8, 2024

Affected Software
Porto

Researcher

István Márton

More Details >

Social Connect <= 1.2 - Authentication Bypass

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4393

Patch Status
Unpatched

Published
May 7, 2024

Affected Software
Social Connect

Researcher

István Márton

More Details >

Startklar Elementor Addons <= 1.7.13 - Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4345

Patch Status
Patched

Published
May 6, 2024

Affected Software
Startklar Elementor Addons

Researcher

István Márton

More Details >

Stockholm <= 9.6 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-34551

Patch Status
Patched

Published
May 7, 2024

Affected Software
Stockholm

Researcher

Rafie Muhammad

More Details >

Ultimate Store Kit Elementor Addons <= 1.6.3 - Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4606

Patch Status
Unpatched

Published
May 7, 2024

Affected Software
Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider

Researcher

Ray Wilson

More Details >

AI Engine: ChatGPT Chatbot <= 2.2.63 - Authenticated (Editor+) Arbitrary File Upload

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2024-34440

Patch Status
Patched

Published
May 7, 2024

Affected Software
AI Engine

Researcher

stealthcopter

More Details >

Auto Affiliate Links <= 6.4.3.1 - Authenticated (Editor+) SQL Injection

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2024-34386

Patch Status
Patched

Published
May 6, 2024

Affected Software
Auto Affiliate Links

Researcher

Do Truong Giang

More Details >

KKProgressbar2 Free <= 1.1.4.2 - Authenticated (Admin+) SQL Injection

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2024-4533

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
KKProgressbar2 Free – advanced progress bars

Researcher

Bob Matyas

More Details >

Pk Favicon Manager <=2.1 - Authenticated (Admin+) Arbitrary File Upload

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2024-34416

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Pk Favicon Manager

Researcher

Roby Firnando Yusuf

More Details >

Startklar Elementor Addons <= 1.7.13 - Unauthenticated Arbitrary File Deletion

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2024-4346

Patch Status
Patched

Published
May 6, 2024

Affected Software
Startklar Elementor Addons

Researcher

István Márton

More Details >

Z-Downloads <= 1.11.3 - Authenticated (Admin+) Arbitrary File Upload

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2024-34555

Patch Status
Patched

Published
May 10, 2024

Affected Software
Z-Downloads

Researchers

Myungju Kim

younsoung kim

SeoHyeon Lee

SeoHee Kang

More Details >

Breakdance <= 1.7.1 - Authenticated (Contributor+) Remote Code Execution

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-4605

Patch Status
Patched

Published
May 8, 2024

Affected Software
Breakdance

Researcher

Francesco Carlucci

More Details >

Ditty – Responsive News Tickers, Sliders, and Lists <= 3.1.38 - Authenticated (Contributor+) PHP Object Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-3954

Patch Status
Patched

Published
May 7, 2024

Affected Software
Ditty – Responsive News Tickers, Sliders, and Lists

Researcher

Trinh Vu (Sonicrrrr)

More Details >

LearnPress – WordPress LMS Plugin <= 4.2.6.5 - Authenticated (Instructor+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-4397

Patch Status
Patched

Published
May 9, 2024

Affected Software
LearnPress – WordPress LMS Plugin

Researcher

JoanClarke2

More Details >

Porto <= 7.1.0 - Authenticated (Contributor+) Local File Inclusion via Post Meta

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-3807

Patch Status
Patched

Published
May 8, 2024

Affected Software
Porto

Researcher

István Márton

More Details >

Porto Theme - Functionality <= 3.0.9 - Authenticated (Contributor+) Local File Inclusion via Post Meta

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-3809

Patch Status
Patched

Published
May 8, 2024

Affected Software
Porto Theme - Functionality

Researcher

István Márton

More Details >

Porto Theme - Functionality <= 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-3808

Patch Status
Patched

Published
May 8, 2024

Affected Software
Porto Theme - Functionality

Researcher

István Márton

More Details >

Spectra Pro <= 1.1.5 - Authenticated (Author+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-3828

Patch Status
Patched

Published
May 9, 2024

Affected Software
Spectra Pro

Researcher

Ngô Thiên An (ancorn_)

More Details >

Stockholm <= 9.6 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-34552

Patch Status
Patched

Published
May 7, 2024

Affected Software
Stockholm

Researcher

Rafie Muhammad

More Details >

Stockholm Core <= 2.4.1 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-34554

Patch Status
Patched

Published
May 7, 2024

Affected Software
Stockholm Core

Researcher

Rafie Muhammad

More Details >

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.102 - Authenticated (Contributor+) SQL Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-3055

Patch Status
Patched

Published
May 10, 2024

Affected Software
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Researcher

wesley (wcraft)

More Details >

XML Sitemap & Google News <= 5.4.8 - Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-4441

Patch Status
Patched

Published
May 7, 2024

Affected Software
XML Sitemap & Google News

Researcher

Foxyyy

More Details >

Advanced Ads – Ad Manager & AdSense <= 1.52.1 - Authenticated (Admin+) PHP Object Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-2290

Patch Status
Patched

Published
May 7, 2024

Affected Software
Advanced Ads – Ad Manager & AdSense

Researcher

ST

More Details >

KKProgressbar2 Free <= 1.1.4.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-4534

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
KKProgressbar2 Free – advanced progress bars

Researcher

Bob Matyas

More Details >

One Click Demo Import <= 3.2.0 - Authenticated (Admin+) PHP Object Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-34433

Patch Status
Patched

Published
May 7, 2024

Affected Software
One Click Demo Import

Researcher

ngductung

More Details >

Propovoice CRM <= 1.7.6.2 - Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-4747

Patch Status
Patched

Published
May 10, 2024

Affected Software
Propovoice: All-in-One Client Management System

Researcher

Manab Jyoti Dowarah

More Details >

Timber <= 1.23.0 - Authenticated (Admin+) PHP Object Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-29800

Patch Status
Patched

Published
May 7, 2024

Affected Software
Timber

Researcher

Trình Vũ

More Details >

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.102 - Authenticated (Admin+) Command Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-2662

Patch Status
Patched

Published
May 9, 2024

Affected Software
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Researcher

wesley (wcraft)

More Details >

WP Fastest Cache <= 1.2.6 - Authenticated (Administrator+) Arbitrary File Deletion

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-4347

Patch Status
Patched

Published
May 10, 2024

Affected Software
WP Fastest Cache

Researcher

shaman0x01

More Details >

Brizy – Page Builder <= 2.4.41 - Authenticated(Contributor+) Stored Cross-Site Scripting

7.1

CVSS Rating
High (7.1)

CVE-ID
CVE-2024-1940

Patch Status
Patched

Published
May 6, 2024

Affected Software
Brizy – Page Builder

Researcher

stealthcopter

More Details >

Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro <= 5.3.1 - Unauthenticated Arbitrary Shortcode Execution

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-4038

Patch Status
Patched

Published
May 7, 2024

Affected Software
Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro

Researcher

stealthcopter

More Details >

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Dual Color Header', 'Event Calendar', & 'Advanced Data Table'

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-4448

Patch Status
Patched

Published
May 9, 2024

Affected Software
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Researcher

stealthcopter

More Details >

Orders Tracking for WooCommerce <= 1.2.10 - Unauthenticated Arbitrary Shortcode Execution

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-4039

Patch Status
Patched

Published
May 9, 2024

Affected Software
Orders Tracking for WooCommerce

Researcher

stealthcopter

More Details >

3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin <= 3.71 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34561

Patch Status
Patched

Published
May 7, 2024

Affected Software
3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin

Researcher

Manab Jyoti Dowarah

More Details >

Advanced Ads – Ad Manager & AdSense <= 1.52.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Ad Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3952

Patch Status
Patched

Published
May 7, 2024

Affected Software
Advanced Ads – Ad Manager & AdSense

Researcher

wesley (wcraft)

More Details >

All Bootstrap Blocks <= 1.3.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35169

Patch Status
Patched

Published
May 10, 2024

Affected Software
All Bootstrap Blocks

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

All-in-One Addons for Elementor – WidgetKit <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34548

Patch Status
Patched

Published
May 7, 2024

Affected Software
All-in-One Addons for Elementor – WidgetKit

Researcher

Ray Wilson

More Details >

Beaver Builder – WordPress Page Builder <= 2.8.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3923

Patch Status
Patched

Published
May 7, 2024

Affected Software
Beaver Builder – WordPress Page Builder

Researcher

wesley (wcraft)

More Details >

Beaver Builder <= 2.8.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via photo widget crop attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4430

Patch Status
Patched

Published
May 10, 2024

Affected Software
Beaver Builder – WordPress Page Builder

Researcher

Thanh Nam Tran

More Details >

Better Elementor Addons <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34432

Patch Status
Patched

Published
May 7, 2024

Affected Software
Better Elementor Addons

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

Blocksy Companion <= 2.0.45 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Uploads

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4487

Patch Status
Patched

Published
May 10, 2024

Affected Software
Blocksy Companion

Researcher

wesley (wcraft)

More Details >

BlogLentor <= <=1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34421

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
BlogLentor – Blog Designer Pack for Elementor

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

Content Blocks (Custom Post Widget) <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34566

Patch Status
Patched

Published
May 7, 2024

Affected Software
Content Blocks (Custom Post Widget)

Researcher

Ngô Thiên An (ancorn_)

More Details >

Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) <= 3.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via pagingType Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4446

Patch Status
Patched

Published
May 6, 2024

Affected Software
Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode)

Researcher

wesley (wcraft)

More Details >

Counter Up – Animated Number Counter & Milestone Showcase <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34564

Patch Status
Patched

Published
May 7, 2024

Affected Software
Counter Up – Animated Number Counter & Milestone Showcase

Researcher

LVT-tholv2k

More Details >

Ditty <= 3.1.35 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3939

Patch Status
Patched

Published
May 6, 2024

Affected Software
Ditty – Responsive News Tickers, Sliders, and Lists

Researcher

Krugov Artyom

More Details >

Easy Affiliate Links <= 3.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34441

Patch Status
Patched

Published
May 7, 2024

Affected Software
Easy Affiliate Links

Researcher

Manab Jyoti Dowarah

More Details >

Elegant Themes Divi Theme, Extra Theme, Divi Page Builder <= 4.25.0 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4490

Patch Status
Patched

Published
May 9, 2024

Affected Software
Divi Builder
Divi
Divi Extra

Researcher

Webbernaut

More Details >

EmbedPress Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4316

Patch Status
Patched

Published
May 9, 2024

Affected Software
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor

Researcher

stealthcopter

More Details >

Enter Addons – Ultimate Template Builder for Elementor <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Animation Title widget img tag

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3680

Patch Status
Patched

Published
May 8, 2024

Affected Software
Enter Addons – Ultimate Template Builder for Elementor

Researcher

Sebastião Gavião (Sebastgav)

More Details >

Enter Addons – Ultimate Template Builder for Elementor <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Heading widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3831

Patch Status
Patched

Published
May 8, 2024

Affected Software
Enter Addons – Ultimate Template Builder for Elementor

Researcher

Sebastião Gavião (Sebastgav)

More Details >

Envo's Elementor Templates & Widgets for WooCommerce <= 1.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-35167

Patch Status
Patched

Published
May 10, 2024

Affected Software
Envo's Elementor Templates & Widgets for WooCommerce

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

Essential Addons for Elementor <= 5.9.19 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Several Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4449

Patch Status
Patched

Published
May 9, 2024

Affected Software
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Researcher

Webbernaut

More Details >

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Interactive Circles'

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4275

Patch Status
Patched

Published
May 9, 2024

Affected Software
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Researcher

Ngô Thiên An (ancorn_)

More Details >

Gallery Block (Meow Gallery) <= 5.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4386

Patch Status
Patched

Published
May 8, 2024

Affected Software
Meow Gallery

Researcher

Krzysztof Zając

More Details >

Gold Addons for Elementor <= 1.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34563

Patch Status
Patched

Published
May 7, 2024

Affected Software
Gold Addons for Elementor

Researcher

Khalid

More Details >

Graphina – Elementor Charts and Graphs <= 1.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4574

Patch Status
Patched

Published
May 10, 2024

Affected Software
Graphina – Elementor Charts and Graphs

Researcher

stealthcopter

More Details >

Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4209

Patch Status
Patched

Published
May 10, 2024

Affected Software
Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Researcher

Webbernaut

More Details >

Gutenberg Blocks with AI by Kadence WP <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Link

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4481

Patch Status
Patched

Published
May 9, 2024

Affected Software
Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Researcher

Ngô Thiên An (ancorn_)

More Details >

Heateor Social Login WordPress <= 1.1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-32674

Patch Status
Patched

Published
May 8, 2024

Affected Software
Heateor Social Login WordPress

Researcher

Daiki Sato

More Details >

Himalayas <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34571

Patch Status
Patched

Published
May 7, 2024

Affected Software
Himalayas

Researcher

stealthcopter

More Details >

HT Mega – Absolute Addons For Elementor <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Justify

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3989

Patch Status
Patched

Published
May 7, 2024

Affected Software
HT Mega – Absolute Addons For Elementor

Researcher

Ngô Thiên An (ancorn_)

More Details >

HT Mega – Absolute Addons For Elementor <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Tooltip & Popover Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3990

Patch Status
Patched

Published
May 7, 2024

Affected Software
HT Mega – Absolute Addons For Elementor

Researcher

wesley (wcraft)

More Details >

HTML5 Audio Player- Best WordPress Audio Player Plugin <= 2.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4398

Patch Status
Patched

Published
May 9, 2024

Affected Software
HTML5 Audio Player- Audio Player Plugin

Researcher

stealthcopter

More Details >

Image Hover Effects - Elementor Addon <= 1.4.1 - Authenticated(Contributor+) DOM-based Stored Cross-Site Scripting via Image Hover Effects Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-1166

Patch Status
Patched

Published
May 6, 2024

Affected Software
Image Hover Effects – Elementor Addon

Researcher

Webbernaut

More Details >

LearnPress – WordPress LMS Plugin <= 4.2.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via layout_html Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4277

Patch Status
Patched

Published
May 9, 2024

Affected Software
LearnPress – WordPress LMS Plugin

Researcher

stealthcopter

More Details >

Link Library <= 7.6.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via link-library Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4281

Patch Status
Patched

Published
May 7, 2024

Affected Software
Link Library

Researcher

Krzysztof Zając

More Details >

Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) <= 1.1.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via Text Effect Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2923

Patch Status
Patched

Published
May 6, 2024

Affected Software
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

Mesmerize Companion <= 1.6.148 - Authenticated (Contributor+) Stored Cross-Site Scripting via mesmerize_contact_form Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3494

Patch Status
Patched

Published
May 7, 2024

Affected Software
Mesmerize Companion

Researcher

stealthcopter

More Details >

Mihdan: Yandex Turbo Feed <= 1.6.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4411

Patch Status
Patched

Published
May 6, 2024

Affected Software
Mihdan: Yandex Turbo Feed

Researcher

Peter Thaleikis

More Details >

Move Addons for Elementor <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34562

Patch Status
Patched

Published
May 7, 2024

Affected Software
Move Addons for Elementor

Researcher

Khalid

More Details >

Pootle Pagebuilder – WordPress Page builder <= 5.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34573

Patch Status
Unpatched

Published
May 7, 2024

Affected Software
Pootle Pagebuilder – WordPress Page builder

Researcher

Phill Sav (Savphill)

More Details >

Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) <= 3.14.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4339

Patch Status
Patched

Published
May 7, 2024

Affected Software
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)

Researcher

Ngô Thiên An (ancorn_)

More Details >

Pure Chat – Live Chat Plugin & More! <= 2.22 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-3595

Patch Status
Patched

Published
May 8, 2024

Affected Software
Pure Chat – Live Chat & More!

Researcher

Lucio Sá

More Details >

raindrops <= 1.600 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34414

Patch Status
Patched

Published
May 6, 2024

Affected Software
raindrops

Researcher

stealthcopter

More Details >

SKT Addons for Elementor <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Block

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34436

Patch Status
Patched

Published
May 7, 2024

Affected Software
SKT Addons for Elementor

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

SKT Addons for Elementor <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Page Title

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34445

Patch Status
Patched

Published
May 7, 2024

Affected Software
SKT Addons for Elementor

Researcher

Khalid

More Details >

Starter Templates — Elementor, WordPress & Beaver Builder Templates <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4630

Patch Status
Patched

Published
May 10, 2024

Affected Software
Starter Templates — Elementor, WordPress & Beaver Builder Templates

Researcher

wesley (wcraft)

More Details >

The Plus Addons for Elementor <= 5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-0445

Patch Status
Patched

Published
May 6, 2024

Affected Software
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Researcher

Webbernaut

More Details >

The Plus Addons for Elementor <= 5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Age Gate

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-2785

Patch Status
Patched

Published
May 6, 2024

Affected Software
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Researcher

Phuoc Pham (p3tl0v3r)

More Details >

Themify Shortcodes <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via themify_button Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4567

Patch Status
Patched

Published
May 8, 2024

Affected Software
Themify Shortcodes

Researcher

Francesco Carlucci

More Details >

Thim Elementor Kit <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34415

Patch Status
Patched

Published
May 6, 2024

Affected Software
Thim Elementor Kit

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

Thim Elementor Kit <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4329

Patch Status
Patched

Published
May 10, 2024

Affected Software
Thim Elementor Kit

Researcher

stealthcopter

More Details >

Zotpress <= 7.3.9 - Authenticated (Contributor+) Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-34569

Patch Status
Patched

Published
May 7, 2024

Affected Software
Zotpress

Researcher

LVT-tholv2k

More Details >

ADFO – Custom data in admin dashboard <= 1.9.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-4104

Patch Status
Patched

Published
May 7, 2024

Affected Software
ADFO – Custom data in admin dashboard

Researcher

Benedictus Jovan (aillesiM)

More Details >

Stockholm Core <= 2.4.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-34553

Patch Status
Patched

Published
May 7, 2024

Affected Software
Stockholm Core

Researcher

Rafie Muhammad

More Details >

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.102 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-3547

Patch Status
Patched

Published
May 9, 2024

Affected Software
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Researcher

Le Ngoc Anh

More Details >

WP etracker <= 1.0.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-34431

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
WP etracker

Researcher

Hiro

More Details >

Yoast SEO <= 22.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-4041

Patch Status
Patched

Published
May 6, 2024

Affected Software
Yoast SEO

Researcher

Bassem Essam

More Details >

gee Search Plus, improved WordPress search <= 1.4.4 - Authenticated (Admin+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2024-34560

Patch Status
Unpatched

Published
May 7, 2024

Affected Software
gee Search Plus, improved WordPress search

Researcher

Sharanabasappa

More Details >

Playlist for Youtube <= 1.32 - Authenticated (Editor+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2024-3937

Patch Status
Patched

Published
May 8, 2024

Affected Software
Playlist for Youtube

Researcher

Erdemstar

More Details >

ShortPixel Adaptive Images <= 3.8.3 - Authenticated (Admin+) Server-Side Request Forgery

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2024-35172

Patch Status
Patched

Published
May 10, 2024

Affected Software
ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Researcher

Dhabaleshwar Das

More Details >

Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler <= 1.6.4 - Missing Authorization via Several AJAX Action

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-34826

Patch Status
Patched

Published
May 9, 2024

Affected Software
Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler

Researcher

Dhabaleshwar Das

More Details >

Pods – Custom Content Types and Fields <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pod Form Redirect URL

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-3956

Patch Status
Patched

Published
May 9, 2024

Affected Software
Pods – Custom Content Types and Fields

Researcher

wesley (wcraft)

More Details >

Post Grid Master <= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-34390

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder

Researcher

beluga

More Details >

Swift Performance Lite <= 2.3.6.18 - Incorrect Authorization to Authenticated (Subscriber+) Settings Modification

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-3722

Patch Status
Patched

Published
May 8, 2024

Affected Software
Swift Performance Lite

Researcher

Lucio Sá

More Details >

Table Maker <= 1.9.1 - Authenticated (Author+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-34574

Patch Status
Unpatched

Published
May 7, 2024

Affected Software
Table Maker

Researcher

CatFather

More Details >

WP Latest Posts <= 5.0.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-4135

Patch Status
Patched

Published
May 7, 2024

Affected Software
WP Latest Posts

Researcher

stealthcopter

More Details >

Academy LMS <= 1.9.25 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35171

Patch Status
Patched

Published
May 10, 2024

Affected Software
Academy LMS – eLearning and online course solution for WordPress

Researcher

Peng Zhou

More Details >

Barcode Scanner with Inventory & Order Manager <= 1.5.4 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-34556

Patch Status
Patched

Published
May 7, 2024

Affected Software
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Researcher

Dhabaleshwar Das

More Details >

Contact List – Easy Business Directory, Staff Directory and Address Book Plugin <= 2.9.87 - Missing Authorization to Notice Dismissal

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-34821

Patch Status
Patched

Published
May 9, 2024

Affected Software
Contact List – Premium Staff Listing, Business Directory & Address Book

Researcher

Dhabaleshwar Das

More Details >

Dynamics 365 Integration <= 1.3.17 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-34550

Patch Status
Patched

Published
May 7, 2024

Affected Software
Dynamics 365 Integration

Researcher

Joshua Chan

More Details >

Easy Digital Downloads <= 3.2.11 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-32100

Patch Status
Patched

Published
May 9, 2024

Affected Software
Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy)

Researcher

Dhabaleshwar Das

More Details >

Flo Forms <= 1.0.42 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35174

Patch Status
Unpatched

Published
May 10, 2024

Affected Software
Flo Forms – Easy Drag & Drop Form Builder

Researcher

Dhabaleshwar Das

More Details >

Ghost <= 1.4.0 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-34559

Patch Status
Patched

Published
May 7, 2024

Affected Software
Ghost

Researcher

Joshua Chan

More Details >

Gutenify <= 1.4.0 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35165

Patch Status
Patched

Published
May 10, 2024

Affected Software
Gutenify – Visual Site Builder Blocks & Site Templates.

Researcher

Peng Zhou

More Details >

If-So Dynamic Content Personalization <= 1.7.1 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-34820

Patch Status
Patched

Published
May 9, 2024

Affected Software
If-So Dynamic Content Personalization

Researcher

Dhabaleshwar Das

More Details >

KKProgressbar2 Free <= 1.1.4.2 - Cross-Site Request Forgery to Progress Bar Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-4535

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
KKProgressbar2 Free – advanced progress bars

Researcher

Bob Matyas

More Details >

LearnPress – WordPress LMS Plugin <= 4.2.6.5 - Unauthenticated Bypass to User Registration

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-4444

Patch Status
Patched

Published
May 9, 2024

Affected Software
LearnPress – WordPress LMS Plugin

Researcher

1337_Wannabe

More Details >

MC Woocommerce Wishlist <= 1.7.2 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-34819

Patch Status
Patched

Published
May 9, 2024

Affected Software
WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features)

Researcher

Dhabaleshwar Das

More Details >

MC Woocommerce Wishlist <= 1.7.8 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-34813

Patch Status
Patched

Published
May 9, 2024

Affected Software
WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features)

Researcher

Peng Zhou

More Details >

Serial Numbers for WooCommerce – License Manager <= 1.7.4 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-35173

Patch Status
Unpatched

Published
May 10, 2024

Affected Software
WC Serial Numbers – Ultimate License Manager for Selling, Licensing & Securely Delivering Digital Content with WooCommerce

Researcher

Dhabaleshwar Das

More Details >

Shared Counts – Social Media Share Buttons <= 1.4.1 - Missing Authorization to Arbitrary Email Sending

5.3

CVSS Rating
Medium (5.3)

CVE-ID
Unknown

Patch Status
Patched

Published
May 7, 2024

Affected Software
Shared Counts – Social Media Share Buttons

Researcher(s): Unknown

More Details >

Shared Files <= 1.7.19 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-34438

Patch Status
Patched

Published
May 7, 2024

Affected Software
Shared Files – Download Manager & Media Gallery with Frontend Uploads

Researcher

domiee13

More Details >

ShopBuilder – Elementor WooCommerce Builder Addons <= 2.1.8 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-34812

Patch Status
Patched

Published
May 9, 2024

Affected Software
ShopBuilder – Elementor WooCommerce Builder Addons

Researcher

Peng Zhou

More Details >

Shopping Cart & eCommerce Store <= 5.6.4 - Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-4213

Patch Status
Patched

Published
May 10, 2024

Affected Software
Shopping Cart & eCommerce Store

Researcher

rptl

More Details >

Site Reviews <= 6.11.8 - IP Address Spoofing to Blocking Bypass

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-3050

Patch Status
Patched

Published
May 8, 2024

Affected Software
Site Reviews

Researchers

Maksymilian Kubiak

Slawomir Zakrzewski

More Details >

weDocs <= 2.1.4 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-34442

Patch Status
Patched

Published
May 7, 2024

Affected Software
The Best WordPress Knowledgebase and Documentation Plugin – weDocs

Researcher

Peng Zhou

More Details >

White Label CMS <= 2.7.3 - Missing Authorization to Plugin Settings Reset

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-4280

Patch Status
Patched

Published
May 9, 2024

Affected Software
White Label CMS

Researcher

Krzysztof Zając

More Details >

WP Job Manager <= 2.2.2 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-34549

Patch Status
Patched

Published
May 7, 2024

Affected Software
WP Job Manager

Researcher

Peng Zhou

More Details >

Migration Backup Restore <= 3.4.3 - Authenticated (Administrator+) Server-Side Request Forgery

4.7

CVSS Rating
Medium (4.7)

CVE-ID
CVE-2024-4469

Patch Status
Patched

Published
May 10, 2024

Affected Software
WP STAGING WordPress Backup Plugin – Migration Backup Restore

Researcher

Dmitrii Ignatyev

More Details >

140+ Widgets | Best Addons For Elementor – FREE <= 1.4.3 - Authenticated (Admin+) Cross Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34570

Patch Status
Patched

Published
May 7, 2024

Affected Software
140+ Widgets | Xpro Addons For Elementor – FREE

Researcher

Manab Jyoti Dowarah

More Details >

AWSOM News Announcement <= 1.6.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34428

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
AWSOM News Announcement

Researcher

Rayhan Ramdhany Hanaputra

More Details >

Brozzme Scroll Top <= 1.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34426

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Brozzme Scroll Top

Researcher

Cronus

More Details >

Comments Evolved for WordPress <= 1.6.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34420

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Comments Evolved for WordPress

Researcher

Sharanabasappa

More Details >

Configure Login Timeout <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34419

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Configure Login Timeout

Researcher

Sharanabasappa

More Details >

Corona Virus (COVID-19) Banner & Live Data <= 1.8.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34429

Patch Status
Patched

Published
May 6, 2024

Affected Software
Simple Website Banner

Researcher

Rayhan Ramdhany Hanaputra

More Details >

Custom Field Suite <= 2.6.5 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-3068

Patch Status
Patched

Published
May 7, 2024

Affected Software
Custom Field Suite

Researcher

Eduardo Berlanga (seqode)

More Details >

Debug Info <= 1.3.10 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34565

Patch Status
Unpatched

Published
May 7, 2024

Affected Software
Debug Info

Researcher

Jakick

More Details >

Falang multilanguage for WordPress <= 1.3.49 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-4417

Patch Status
Patched

Published
May 10, 2024

Affected Software
Falang multilanguage for WordPress

Researcher

Benedictus Jovan (aillesiM)

More Details >

Featured Content Gallery <= 3.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34424

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Featured Content Gallery

Researcher

Sharanabasappa

More Details >

Form Maker by 10Web <= 1.15.24 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34437

Patch Status
Patched

Published
May 7, 2024

Affected Software
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Researcher

Huynh Tien Si

More Details >

Forty Four – 404 Plugin for WordPress <= 1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34423

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Forty Four – 404 Plugin for WordPress

Researcher

Cronus

More Details >

Gianism <= 5.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-3921

Patch Status
Unpatched

Published
May 8, 2024

Affected Software
Gianism

Researchers

Felipe Restrepo Rodriguez (pfelilpe)

Mateo Gomez

More Details >

QuickieBar <= 1.8.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34425

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
QuickieBar

Researcher

Sharanabasappa

More Details >

Sticky banner <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-35170

Patch Status
Patched

Published
May 10, 2024

Affected Software
Sticky banner

Researcher

Rayhan Ramdhany Hanaputra

More Details >

Sticky Social Link <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34546

Patch Status
Unpatched

Published
May 7, 2024

Affected Software
Sticky Social Link

Researcher

t0y4

More Details >

TT Custom Post Type Creator <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34430

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
TT Custom Post Type Creator

Researcher

alfido osdie

More Details >

Viet Affiliate Link <=1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34422

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Viet Affiliate Link

Researcher

Sharanabasappa

More Details >

Viet Nam Affiliate <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34417

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Viet Nam Affiliate

Researcher

Sharanabasappa

More Details >

Visual Footer Credit Remover <= 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-2846

Patch Status
Patched

Published
May 7, 2024

Affected Software
Visual Footer Credit Remover

Researcher

1337_Wannabe

More Details >

WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.2 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34558

Patch Status
Patched

Published
May 7, 2024

Affected Software
WOLF – WordPress Posts Bulk Editor and Manager Professional

Researcher

Elmini

More Details >

WordPress Affiliates Plugin — SliceWP Affiliates <= 1.1.10 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34413

Patch Status
Patched

Published
May 6, 2024

Affected Software
WordPress Affiliates Plugin — SliceWP Affiliates

Researcher

Manab Jyoti Dowarah

More Details >

WPCS ( WordPress Custom Search ) <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-34418

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
WPCS ( WordPress Custom Search )

Researcher

Sharanabasappa

More Details >

ADFO – Custom data in admin dashboard <= 1.9.0 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4103

Patch Status
Patched

Published
May 7, 2024

Affected Software
ADFO – Custom data in admin dashboard

Researcher

Benedictus Jovan (aillesiM)

More Details >

Aiomatic <= 1.9.3 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34435

Patch Status
Patched

Published
May 7, 2024

Affected Software
Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit

Researcher

Ananda Dhakal

More Details >

Arigato Autoresponder and Newsletter <= 2.7.2.3 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34823

Patch Status
Patched

Published
May 9, 2024

Affected Software
Arigato Autoresponder and Newsletter

Researcher

Dhabaleshwar Das

More Details >

Barcode Scanner with Inventory & Order Manager <= 1.5.4 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34557

Patch Status
Patched

Published
May 7, 2024

Affected Software
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Researcher

Dhabaleshwar Das

More Details >

Business Card <= 1.0.0 - Cross-Site Request Forgery to Arbitrary Card Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4532

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Business Card

Researcher

Bob Matyas

More Details >

Business Card <= 1.0.0 - Cross-Site Request Forgery to Card Edit

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4531

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Business Card

Researcher

Bob Matyas

More Details >

Business Card <= 1.0.0 - Cross-Site Request Forgery to Category Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4529

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Business Card

Researcher

Bob Matyas

More Details >

Business Card <= 1.0.0 - Cross-Site Request Forgery to Category Edit

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4530

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
Business Card

Researcher

Bob Matyas

More Details >

Church Admin <= 4.1.32 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34828

Patch Status
Patched

Published
May 9, 2024

Affected Software
Church Admin

Researcher

Dhabaleshwar Das

More Details >

ClickCease Click Fraud Protection <= 3.2.4 - Improper Authorization to sensitive information exposure via get_settings

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2023-6810

Patch Status
Patched

Published
May 6, 2024

Affected Software
ClickCease Click Fraud Protection

Researcher

Francesco Carlucci

More Details >

DS Site Message <= 1.14.4 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34439

Patch Status
Unpatched

Published
May 7, 2024

Affected Software
DS Site Message

Researcher

umi

More Details >

Easy Digital Downloads <= 3.2.11 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-31113

Patch Status
Patched

Published
May 9, 2024

Affected Software
Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy)

Researcher

Dhabaleshwar Das

More Details >

GDPR Compliance <= 1.2.5 - Authenticated (Subscriber+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34388

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
GDPR Compliance

Researcher

CatFather

More Details >

Giveaways and Contests by RafflePress <= 1.12.4 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4745

Patch Status
Patched

Published
May 10, 2024

Affected Software
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Researcher

Dhabaleshwar Das

More Details >

hostel <= 1.1.5.3 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4314

Patch Status
Patched

Published
May 6, 2024

Affected Software
Hostel

Researcher

Benedictus Jovan (aillesiM)

More Details >

Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.0 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34817

Patch Status
Patched

Published
May 9, 2024

Affected Software
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms

Researcher

Joshua Chan

More Details >

Joli FAQ SEO – WordPress FAQ Plugin <= 1.3.2 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4082

Patch Status
Patched

Published
May 7, 2024

Affected Software
Joli FAQ SEO – WordPress FAQ Plugin

Researcher

Benedictus Jovan (aillesiM)

More Details >

Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) <= 1.1.34 - Authenticated (Contributor+) Stored Cross-Site Scripting

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34547

Patch Status
Patched

Published
May 7, 2024

Affected Software
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Researcher

Khalid

More Details >

Netgsm <= 2.9.16 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35672

Patch Status
Unpatched

Published
May 10, 2024

Affected Software
Netgsm

Researcher

Dhabaleshwar Das

More Details >

ShortPixel Adaptive Images <= 3.8.3 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4689

Patch Status
Patched

Published
May 9, 2024

Affected Software
ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Researcher

Dhabaleshwar Das

More Details >

Soccer Engine – Soccer Plugin for WordPress <= 1.12 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4312

Patch Status
Patched

Published
May 7, 2024

Affected Software
Soccer Engine – Soccer Plugin for WordPress

Researcher

Benedictus Jovan (aillesiM)

More Details >

Social Sharing Plugin – Social Warfare <= 4.4.5.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34825

Patch Status
Patched

Published
May 9, 2024

Affected Software
Social Sharing Plugin – Social Warfare

Researcher

Majed Refaea

More Details >

SP Project & Document Manager <= 4.70 - Authenticated (Subscriber+) Arbitrary Folder Name Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-1693

Patch Status
Unpatched

Published
May 7, 2024

Affected Software
SP Project & Document Manager

Researcher

fewwords huang

More Details >

Squelch Tabs and Accordions Shortcodes <= 0.4.7 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-4463

Patch Status
Patched

Published
May 7, 2024

Affected Software
Squelch Tabs and Accordions Shortcodes

Researcher

Benedictus Jovan (aillesiM)

More Details >

Starter Templates — Elementor, WordPress & Beaver Builder Templates <= 4.1.6 - Authenticated (Contributor+) Server-Side Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-1467

Patch Status
Patched

Published
May 8, 2024

Affected Software
Starter Templates — Elementor, WordPress & Beaver Builder Templates

Researcher

Lucio Sá

More Details >

Translate Multilingual sites – TranslatePress <= 2.7.5 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34827

Patch Status
Patched

Published
May 9, 2024

Affected Software
Translate Multilingual sites – TranslatePress

Researcher

Dhabaleshwar Das

More Details >

Unyson <= 2.7.29 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34814

Patch Status
Patched

Published
May 9, 2024

Affected Software
Unyson

Researcher

Dhabaleshwar Das

More Details >

WordPress Webinar Plugin – WebinarPress <= 1.33.19 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34818

Patch Status
Unpatched

Published
May 9, 2024

Affected Software
WordPress Webinar Plugin – WebinarPress

Researcher

Majed Refaea

More Details >

WP Discourse <= 2.5.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-35168

Patch Status
Patched

Published
May 10, 2024

Affected Software
WP Discourse

Researcher

Joshua Chan

More Details >

WP Favorite Posts <= 1.6.8 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34427

Patch Status
Unpatched

Published
May 6, 2024

Affected Software
WP Favorite Posts

Researcher

Huynh Tien Si

More Details >

WP Post Author – Enhance Your Posts with the Author Bio, Co-Authors, Guest Authors, and Post Rating System, including User Registration Form Builder <= 3.6.4 - Missing Authorization to Rating Manipulation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34387

Patch Status
Patched

Published
May 6, 2024

Affected Software
Enhance Your Posts with the WP Post Author Box, Co-Authors, Guest Authors, and Post Rating System, including Registration Form Builder

Researcher

Kyle Sanchez

More Details >

WP Post Author – Enhance Your Posts with the Author Bio, Co-Authors, Guest Authors, and Post Rating System, including User Registration Form Builder <= 3.6.6 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-34389

Patch Status
Patched

Published
May 6, 2024

Affected Software
Enhance Your Posts with the WP Post Author Box, Co-Authors, Guest Authors, and Post Rating System, including Registration Form Builder

Researcher

Kyle Sanchez

More Details >

SportsPress – Sports Club & League Manager <= 2.7.20 - Missing Authorization to Notice Dismissal

3.5

CVSS Rating
Low (3.5)

CVE-ID
CVE-2024-34824

Patch Status
Patched

Published
May 9, 2024

Affected Software
SportsPress – Sports Club & League Manager

Researcher

Dhabaleshwar Das

More Details >


As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 6, 2024 to May 12, 2024) appeared first on Wordfence.

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.009

Percentile

82.7%

Related for WORDFENCE:AE2AB9A3EAD5823C79E503EA0D700870