Wordfence Intelligence Weekly WordPress Vulnerability Report (December 2, 2024 to December 8, 2024)

💥 Time to wrap up this year and kick off the new year with a bang! We’re wrapping up the year with our End of Year Holiday Extravaganza, High-Risk Bonus Blitz Challenge, and Superhero Challenge for the Wordfence Bug Bounty Program. Through January 6th, 2025:

  • All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
  • All plugins and themes with 50-999 active installs hosted in the WordPress.org repository and updated within the last 2 years are in-scope for all researchers!
  • All plugins and themes hosted in the WordPress.org repository with any install count are in scope for our preset list of high threat vulnerabilities.
  • $150 bonus awarded when a researcher submits at least 15 valid high threat vulnerabilities, and then a $50 bonus awarded for every 5 submitted thereafter.
  • Minimum bounty of $5 for all valid in-scope submissions.
  • All researchers earn automatic bonuses of between 5% to 180% for valid submissions
  • Pending report limits are increased for all
  • It’s possible to earn up to $31,200 for high impact vulnerabilities!

Last week, there were 187 vulnerabilities disclosed in 179 WordPress Plugins and 6 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 60 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 20,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-774 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-775 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-776 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-777 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-778 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-779 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-780 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-781 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-782 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 119
Unpatched 68

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 156
High Severity 26
Critical Severity 5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 99
Missing Authorization 28
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 14
Cross-Site Request Forgery (CSRF) 13
Authorization Bypass Through User-Controlled Key 8
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 5
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 5
Unrestricted Upload of File with Dangerous Type 4
Improper Control of Generation of Code (‘Code Injection’) 3
Deserialization of Untrusted Data 2
Authentication Bypass Using an Alternate Path or Channel 1
Exposure of Sensitive Information to an Unauthorized Actor 1
Improper Access Control 1
Improper Authentication 1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 1
URL Redirection to Untrusted Site (‘Open Redirect’) 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
vgo0 23
Peter Thaleikis 19
Francesco Carlucci 11
João Pedro Soares de Alcântara 9
SOPROBRO 7
Colin Xu 7
Mika 5
Gab 5
Tieu Pham Trong Nhan 5
Arkadiusz Hydzik 5
zer0gh0st 4
Dave Jong 4
stealthcopter 4
zaim 4
zakaria 4
Bob Matyas 4
Ananda Dhakal 3
ardias 3
Webbernaut 3
Lucio Sá 3
shaman0x01 3
wesley (wcraft) 3
Trương Hữu Phúc (truonghuuphuc) 3
João G. Barbosa (4rCanJ0x!) 3
Khalid Yusuf 2
Manab Jyoti Dowarah 2
BrokenAC ignore 2
István Márton 2
theviper17y 2
tmrswrr 2
tahu.datar 2
abrahack 1
a00n 1
Ngô Thiên An (ancorn_) 1
Abdi Pranata 1
thiennv 1
mikemyers 1
Nirmal Kavaiya 1
trongnb02 1
Régis SENET 1
Hakiduck 1
Frissi0n 1
Kevin Murphy (knmurphy) 1
Pritam Dash 1
TANG Cheuk Hei (siunam) 1
Foxyyy 1
Nishiv 1
Rafie Muhammad 1
Lam Que Chi 1
yudha 1
Certus Cybersecurity 1
1337_Wannabe 1
Krzysztof Zając 1
Michael 1
mike harris (mikeyh) 1
Noah Stead (TurtleBurg) 1
Eduardo Bido 1
Joshua Provoste 1
nvthien 1
Marco Wotschka 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
140+ Widgets | Xpro Addons For Elementor – FREE xpro-elementor-addons
ABCBiz Addons for Elementor abcbiz-addons
Accessibility by AllAccessible allaccessible
Accordion Slider accordion-slider
Accounting for WooCommerce accounting-for-woocommerce
Additional Custom Order Status for WooCommerce order-status-for-woocommerce
Advanced Element Bucket Addons for Elementor cs-element-bucket
Advanced File Manager file-manager-advanced
AI Quiz | Quiz Maker ai-quiz
All Bootstrap Blocks all-bootstrap-blocks
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) wp-analytify
AnyWhere Elementor anywhere-elementor
ARforms arforms
Arkhe Blocks arkhe-blocks
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup armember-membership
Authors List authors-list
AWeber Forms by Optin Cat aweber-wp
Awesome Shortcodes awesome-shortcodes
B Testimonial – Testimonial plugin for WP b-testimonial
Beautiful taxonomy filters beautiful-taxonomy-filters
Beaver Builder – WordPress Page Builder beaver-builder-lite-version
Block Controller block-controller
BMLT Tabbed Map bmlt-tabbed-map
Bold Page Builder bold-page-builder
Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg borderless
BP Profile Shortcodes Extra bp-profile-shortcodes-extra
Broadcast threewp-broadcast
Campaign Monitor Forms by Optin Cat campaign-monitor-wp
Captivate Sync captivatesync-trade
CardGate Payments for WooCommerce cardgate
Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid wp-carousel-free
Charity Addon for Elementor charity-addon-for-elementor
Church Admin church-admin
Classic Addons – WPBakery Page Builder classic-addons-wpbakery-page-builder-addons
Clickbank WordPress Plugin (Storefront) clickbank-storefront
Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress sprout-invoices
CLUEVO LMS, E-Learning Platform cluevo-lms
CMSMasters Elementor Addon cmsmasters-elementor-addon
Colibri Page Builder colibri-page-builder
Comfino Payment Gateway comfino-payment-gateway
Connexion Logs logs-de-connexion
Contact Form Builder by vcita contact-form-with-a-meeting-scheduler-by-vcita
Contact Form, Survey & Form Builder – MightyForms mightyforms
Contact Form, Survey, Quiz & Popup Form Builder – ARForms arforms-form-builder
Cookielay cookielay
Country Blocker country-blocker
Designer – Addons for Elementor designer
DN Shipping by Weight for WooCommerce dn-shipping-by-weight
Dollie Hub – Build Your Own WordPress Cloud Platform dollie
Drag & Drop Builder, Human Face Detector, Pre-built Templates, Spam Protection, User Email Notifications & more! pie-forms-for-wp
Easy Code Snippets easy-code-snippets
Easy Social Feed Premium easy-facebook-likebox-premium
Eleblog – Elementor Blog And Magazine Addons ele-blog
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) bdthemes-element-pack-lite
ElementsReady Addons for Elementor element-ready-lite
Email Address Obfuscation email-address-obfuscation
Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner
FancyBox for WordPress fancybox-for-wordpress
Feedpress Generator – External RSS Frontend Customizer feedpress-generator
FileBird – WordPress Media Library Folders & File Manager filebird
FileOrganizer – Manage WordPress and Website Files fileorganizer
Firelight Lightbox easy-fancybox
float block float-block
FloristPress – Customize your Woo store for your Florist bakkbone-florist-companion
Flower Delivery by Florist One flower-delivery-by-florist-one
Folder Gallery folder-gallery
Form Data Collector form-data-collector
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder form-maker
ForumWP – Forum & Discussion Board forumwp
Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials stars-testimonials-with-slider-and-masonry-grid
Friends friends
Futurio Extra futurio-extra
FV Flowplayer Video Player fv-wordpress-flowplayer
Gallery multi-gallery
Gallery Plugin for WordPress – Envira Photo Gallery envira-gallery-lite
Getwid – Gutenberg Blocks getwid
Gold Addons for Elementor gold-addons-for-elementor
Goodlayers Core goodlayers-core
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor gutentor
IdeaPush ideapush
If Menu – Visibility control for Menus if-menu
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free funnelforms-free
Intro Tour Tutorial DeepPresentation dp-intro-tours
jAlbum Bridge jalbum-bridge
KiviCare – Clinic & Patient Management System (EHR) kivicare-clinic-management-system
Knowledge Base documentation & wiki plugin – BasePress Docs basepress
LA-Studio Element Kit for Elementor lastudio-element-kit
Library Management System – Manage e-Digital Books Library library-management-system
Listdom – Business Directory and Classified Ads Listings WordPress Plugin listdom
Login Widget With Shortcode login-sidebar-widget
Login With OTP otp-login
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) magical-addons-for-elementor
Maspik – Advanced Spam Protection contact-forms-anti-spam
Message Filter for Contact Form 7 cf7-message-filter
Mini Program API wp-mini-program
Minimum and Maximum Quantity for WooCommerce min-and-max-quantity-for-woocommerce
Mollie for Contact Form 7 cf7-mollie
My auctions allegro my-auctions-allegro-free-edition
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program. mycred
Namaste! LMS namaste-lms
News Kit Elementor Addons news-kit-elementor-addons
NEX-Forms – Ultimate Form Builder – Contact forms and much more nex-forms-express-wp-form-builder
Next-Cart Store to WooCommerce Migration nextcart-woocommerce-migration
Ni WooCommerce Order Export ni-woocommerce-order-export
NPS computy nps-computy
Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita
ONLYOFFICE Docs onlyoffice
Paloma Widget postman-widget
PDF Builder for WooCommerce. Create invoices,packing slips and more woo-pdf-invoice-builder
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery nextgen-gallery
Pie Register – Social Sites Login (Add on) pie-register-social-site
Pie Register Premium pie-register-premium
Pinpoint Booking System – #1 WordPress Booking Plugin booking-system
Pojo Forms pojo-forms
Poll Maker – Versus Polls, Anonymous Polls, Image Polls poll-maker
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX ultimate-post
Posti Shipping posti-shipping
PowerPack Elementor Addons (Free Widgets, Extensions and Templates) powerpack-lite-for-elementor
Prodigy Commerce prodigy-commerce
Product Labels For Woocommerce (Sale Badges) aco-product-labels-for-woocommerce
Pulsating Chat Button amin-chat-button
Quick License Manager – WooCommerce Plugin quick-license-manager
Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins related-post
Responsive Lightbox & Gallery responsive-lightbox
Responsive Videos responsive-youtube-videos
Revy revy
RRAddons for Elementor rrdevs-for-elementor
Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more scratch-win-giveaways-for-website-facebook
SearchIQ – The Search Solution searchiq
SG Helper sg-helper
Shortcodes Blocks Creator Ultimate ultimate-shortcodes-creator
Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal simple-e-commerce-shopping-cart
Simple Redirection eelv-redirection
Simple User Registration wp-registration
Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel depicter
Smart PopUp Blaster smart-popup-blaster
Smoove connector for Elementor forms smoove-elementor
SMS for Lead Capture Forms clicksend-lead-capture-form
Spectra – WordPress Gutenberg Blocks ultimate-addons-for-gutenberg
Splash Sync splash-connector
SV100 Companion sv100-companion
Swift Performance Lite swift-performance-lite
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce the-plus-addons-for-elementor-page-builder
Themesflat Addons For Elementor themesflat-addons-for-elementor
TI WooCommerce Wishlist ti-woocommerce-wishlist
Tutor LMS Elementor Addons tutor-lms-elementor-addons
TWChat – Send or receive messages from users twchat
TwentyTwenty twentytwenty
Ultimate Coming Soon & Maintenance ultimate-coming-soon
Unlock Addons for Elementor unlock-addons-for-elementor
Verowa Connect verowa-connect
Video Gallery – YouTube Gallery and Vimeo Gallery gallery-videos
Visual Portfolio, Photo Gallery & Post Grid visual-portfolio
WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder wdesignkit
WIP WooCarousel Lite wip-woocarousel-lite
WordPress Auction Plugin wp-auctions
WordPress Page Builder – Zion Builder zionbuilder
WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout gs-pinterest-portfolio
Wot Elementor Widgets wot-elementor-widgets
WP eCards wp-ecards-invites
WP GeoNames wp-geonames
WP Hide & Security Enhancer wp-hide-security-enhancer
WP Job Manager – Company Profiles wp-job-manager-companies
WP Mailster wp-mailster
WP Media Optimizer (.webp) wp-media-optimizer-webp
WP Private Content Plus wp-private-content-plus
WP System wp-system
WP Travel – Ultimate Travel Booking System, Tour Management Engine wp-travel
WP Umbrella: Update Backup Restore & Monitoring wp-health
WP-SVG wp-svg
WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor
WPC Smart Quick View for WooCommerce woo-smart-quick-view
WPCasa wpcasa
XLTab – Accordions and Tabs for Elementor Page Builder xl-tab
Z-Downloads z-downloads
Zooom zooom
افزونه پیامک ووکامرس Persian WooCommerce SMS persian-woocommerce-sms
워드프레스 결제 심플페이 – 우커머스 결제 플러그인 pgall-for-woocommerce
코드엠샵 소셜톡 mshop-naver-talktalk

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Blocksy blocksy
Flixita flixita
NewsMash newsmash
NewsMunch newsmunch
Pubnews pubnews
Soledad soledad

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Revy <= 1.18 – Unauthenticated Arbitrary File Upload

CVSS Rating: Critical (10.0)
CVE-ID: CVE-2024-54214
Patch Status: Unpatched
Published: Dec 2, 2024
Affected Software: Revy
Researcher: Dave Jong

Pie Register Premium < 3.8.3.3 – Unauthenticated Arbitrary File Upload

CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-53822
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: Pie Register Premium
Researcher: Ananda Dhakal

SV100 Companion <= 2.0.02 – Missing Authorization to Unauthenticated Arbitrary Options Update

CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-12155
Patch Status: Unpatched
Published: Dec 5, 2024
Affected Software: SV100 Companion
Researcher: Lucio Sá

WP Umbrella: Update Backup Restore & Monitoring <= 2.17.0 – Unauthenticated Local File Inclusion

CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-12209
Patch Status: Patched
Published: Dec 7, 2024
Affected Software: WP Umbrella: Update Backup Restore & Monitoring
Researcher: Arkadiusz Hydzik

Simple User Registration <= 5.5 – Missing Authorization to User Deletion

CVSS Rating: Critical (9.1)
CVE-ID: CVE-2024-53810
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: Simple User Registration
Researcher: stealthcopter

Accessibility by AllAccessible <= 1.3.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update

CVSS Rating: High (8.8)
CVE-ID: CVE-2024-11643
Patch Status: Patched
Published: Dec 3, 2024
Affected Software: Accessibility by AllAccessible
Researcher: 1337_Wannabe

AI Quiz | Quiz Maker <= 1.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

CVSS Rating: High (8.8)
CVE-ID: CVE-2024-11323
Patch Status: Unpatched
Published: Dec 5, 2024
Affected Software: AI Quiz | Quiz Maker
Researcher: vgo0

All Bootstrap Blocks <= 1.3.19 – Authenticated (Contributor+) Local File Inclusion

CVSS Rating: High (8.8)
CVE-ID: CVE-2024-53824
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: All Bootstrap Blocks
Researcher: Ngô Thiên An (ancorn_)

Designer <= 1.3.3 – Authenticated (Contributor+) Local File Inclusion

CVSS Rating: High (8.8)
CVE-ID: CVE-2024-54225
Patch Status: Unpatched
Published: Dec 5, 2024
Affected Software: Designer – Addons for Elementor
Researcher: João Pedro Soares de Alcântara

Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials <= 3.3.3 – Authenticated (Contributor+) Local File Inclusion

CVSS Rating: High (8.8)
CVE-ID: CVE-2024-11429
Patch Status: Patched
Published: Dec 4, 2024
Affected Software: Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials
Researcher: Peter Thaleikis

Funnelforms Free <= 3.7.5 – Authenticated (Contributor+) PHP Object Injection

CVSS Rating: High (8.8)
CVE-ID: CVE-2024-10587
Patch Status: Unpatched
Published: Dec 3, 2024
Affected Software: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Researcher: Peter Thaleikis

Gallery <= 1.3 – Authenticated (Contributor+) PHP Object Injection

CVSS Rating: High (8.8)
CVE-ID: CVE-2024-11501
Patch Status: Unpatched
Published: Dec 6, 2024
Affected Software: Gallery
Researcher: Francesco Carlucci

Pubnews <= 1.0.7 – Unauthenticated Arbitrary Plugin Installation

CVSS Rating: High (8.8)
CVE-ID: CVE-2024-10578
Patch Status: Patched
Published: Dec 5, 2024
Affected Software: Pubnews
Researcher: Kevin Murphy (knmurphy)

WP Mailster <= 1.8.16.0 – Authenticated (Contributor+) SQL Injection via orderby

CVSS Rating: High (8.8)
CVE-ID: CVE-2024-53807
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: WP Mailster
Researcher: Lam Que Chi

Login With OTP <= 1.4.2 – Authentication Bypass via Weak OTP

CVSS Rating: High (8.1)
CVE-ID: CVE-2024-11178
Patch Status: Unpatched
Published: Dec 5, 2024
Affected Software: Login With OTP
Researcher: István Márton

Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction Social Sites Login <= 1.7.9 – Authentication Bypass

CVSS Rating: High (8.1)
CVE-ID: CVE-2024-11293
Patch Status: Patched
Published: Dec 3, 2024
Affected Software: Pie Register – Social Sites Login (Add on)
Researcher: wesley (wcraft)

Soledad <= 8.5.9 – Unauthenticated Limited Local File Inclusion

CVSS Rating: High (8.1)
CVE-ID: CVE-2024-11289
Patch Status: Patched
Published: Dec 5, 2024
Affected Software: Soledad
Researcher: Foxyyy

Swift Performance Lite <= 2.3.7.1 – Unauthenticated Local PHP File Inclusion via ‘ajaxify’

CVSS Rating: High (8.1)
CVE-ID: CVE-2024-10516
Patch Status: Patched
Published: Dec 5, 2024
Affected Software: Swift Performance Lite
Researcher: Arkadiusz Hydzik

ARForms <= 6.4.1 – Directory Traversal to Authenticated (Subscriber+) Arbitrary File Read

CVSS Rating: High (7.7)
CVE-ID: CVE-2024-54216
Patch Status: Unpatched
Published: Dec 2, 2024
Affected Software: ARforms
Researcher: Dave Jong

Advanced File Manager <= 5.2.10 – Authenticated (Subscriber+) Arbitrary File Upload

CVSS Rating: High (7.5)
CVE-ID: CVE-2024-11391
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: Advanced File Manager
Researcher: Joshua Provoste

Beautiful Taxonomy Filters <= 2.4.3 – Unauthenticated SQL Injection

CVSS Rating: High (7.5)
CVE-ID: CVE-2024-12270
Patch Status: Unpatched
Published: Dec 6, 2024
Affected Software: Beautiful taxonomy filters
Researcher: Frissi0n

Classic Addons – WPBakery Page Builder <= 3.0 – Authenticated (Contributor+) Limited Local PHP File Inclusion

CVSS Rating: High (7.5)
CVE-ID: CVE-2024-11952
Patch Status: Patched
Published: Dec 3, 2024
Affected Software: Classic Addons – WPBakery Page Builder
Researcher: Nishiv

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.4 – Unauthenticated SQL Injection

CVSS Rating: High (7.5)
CVE-ID: CVE-2024-11728
Patch Status: Patched
Published: Dec 5, 2024
Affected Software: KiviCare – Clinic & Patient Management System (EHR)
Researcher: shaman0x01

Revy <= 1.18 – Unauthenticated SQL Injection

CVSS Rating: High (7.5)
CVE-ID: CVE-2024-54215
Patch Status: Unpatched
Published: Dec 2, 2024
Affected Software: Revy
Researcher: Dave Jong

TI WooCommerce Wishlist <= 2.9.1 – Missing Authorization to Unauthenticated Plugin Setup Wizard Access

CVSS Rating: High (7.5)
CVE-ID: CVE-2024-10567
Patch Status: Patched
Published: Dec 3, 2024
Affected Software: TI WooCommerce Wishlist
Researcher: abrahack

Verowa Connect <= 3.0.1 – Unauthenticated SQL Injection

CVSS Rating: High (7.5)
CVE-ID: CVE-2024-11460
Patch Status: Patched
Published: Dec 5, 2024
Affected Software: Verowa Connect
Researcher: Colin Xu

WP Hide & Security Enhancer <= 2.5.1 – Missing Authorization to Unauthenticated Arbitrary File Contents Deletion

CVSS Rating: High (7.5)
CVE-ID: CVE-2024-11585
Patch Status: Patched
Published: Dec 5, 2024
Affected Software: WP Hide & Security Enhancer
Researcher: mikemyers

Authors List <= 2.0.4 – Unauthenticated Arbitrary Shortcode Execution via update_authors_list_ajax

CVSS Rating: High (7.3)
CVE-ID: CVE-2024-10952
Patch Status: Unpatched
Published: Dec 3, 2024
Affected Software: Authors List
Researcher: Arkadiusz Hydzik

FileOrganizer <= 1.1.4 – Authenticated (Administrator+) Local JavaScript File Inclusion

CVSS Rating: High (7.2)
CVE-ID: CVE-2024-11010
Patch Status: Patched
Published: Dec 6, 2024
Affected Software: FileOrganizer – Manage WordPress and Website Files
Researcher: TANG Cheuk Hei (siunam)

WDesignkit <= 1.0.40 – Authenticated (Administrator+) Arbitrary File Upload

CVSS Rating: High (7.2)
CVE-ID: CVE-2024-53811
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder
Researcher: tahu.datar

YouTube Gallery and Vimeo Gallery Plugin <= 2.4.2 – Authenticated (Administrator+) SQL Injection

CVSS Rating: High (7.2)
CVE-ID: CVE-2024-10247
Patch Status: Patched
Published: Dec 5, 2024
Affected Software: Video Gallery – YouTube Gallery and Vimeo Gallery
Researcher: tmrswrr

Library Management System <= 3.0.0 – Authenticated (Admin+) SQL Injection

CVSS Rating: Medium (6.8)
CVE-ID: CVE-2024-8679
Patch Status: Unpatched
Published: Dec 6, 2024
Affected Software: Library Management System – Manage e-Digital Books Library
Researcher: Eduardo Bido

ARForms Form Builder <= 1.7.1 – HTML Injection

CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-54223
Patch Status: Patched
Published: Dec 5, 2024
Affected Software: Contact Form, Survey, Quiz & Popup Form Builder – ARForms
Researcher: Pritam Dash

BP Profile Shortcodes Extra <= 2.6.0 – Authenticated (Contributor+) SQL Injection via tab Parameter

CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-11732
Patch Status: Unpatched
Published: Dec 2, 2024
Affected Software: BP Profile Shortcodes Extra
Researcher: Peter Thaleikis

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.4 – Authenticated (Doctor/Receptionist+) SQL Injection

CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-11730
Patch Status: Patched
Published: Dec 5, 2024
Affected Software: KiviCare – Clinic & Patient Management System (EHR)
Researcher: shaman0x01

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.4 – Authenticated (Subscriber+) SQL Injection

CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-11729
Patch Status: Patched
Published: Dec 5, 2024
Affected Software: KiviCare – Clinic & Patient Management System (EHR)
Researcher: shaman0x01

Pinpoint Booking System <= 2.9.9.5.1 – Authenticated (Subscriber+) SQL Injection

CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-53815
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: Pinpoint Booking System – #1 WordPress Booking Plugin
Researcher: Trương Hữu Phúc (truonghuuphuc)

WP Travel <= 9.6.0 – Missing Authorization

CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-53813
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: WP Travel – Ultimate Travel Booking System, Tour Management Engine
Researcher: Trương Hữu Phúc (truonghuuphuc)

140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-54253
Patch Status: Unpatched
Published: Dec 5, 2024
Affected Software: 140+ Widgets | Xpro Addons For Elementor – FREE
Researcher: João Pedro Soares de Alcântara

ABCBiz Addons for Elementor <= 2.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-54247
Patch Status: Unpatched
Published: Dec 5, 2024
Affected Software: ABCBiz Addons for Elementor
Researcher: Gab

Advanced Element Bucket Addons for Elementor <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-54210
Patch Status: Unpatched
Published: Dec 2, 2024
Affected Software: Advanced Element Bucket Addons for Elementor
Researcher: Gab

Arkhe Blocks <= 2.27.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via block attributes

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-53794
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: Arkhe Blocks
Researcher: João Pedro Soares de Alcântara

B Testimonial – testimonial plugin for WP <= 1.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-11880
Patch Status: Patched
Published: Dec 3, 2024
Affected Software: B Testimonial – Testimonial plugin for WP
Researcher: Peter Thaleikis

Beaver Builder <= 2.8.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-53797
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: Beaver Builder – WordPress Page Builder
Researcher: João Pedro Soares de Alcântara

Blocksy <= 2.0.77 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-11420
Patch Status: Patched
Published: Dec 4, 2024
Affected Software: Blocksy
Researcher: zer0gh0st

BMLT Tabbed Map <= 1.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-11866
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: BMLT Tabbed Map
Researcher: Peter Thaleikis

Bold Page Builder <= 5.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-53801
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: Bold Page Builder
Researcher: Nirmal Kavaiya

Captivate Sync <= 2.0.22 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-53820
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: Captivate Sync
Researcher: theviper17y

CMSMasters Elementor Addon <= 1.14.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-9694
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: CMSMasters Elementor Addon
Researcher: István Márton

Contact Form Builder <= 4.10.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via livesite-pay Shortcode

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-10056
Patch Status: Patched
Published: Dec 4, 2024
Affected Software: Contact Form Builder by vcita
Researcher: Peter Thaleikis

Contact Form, Survey & Form Builder – MightyForms <= 1.3.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-11897
Patch Status: Unpatched
Published: Dec 3, 2024
Affected Software: Contact Form, Survey & Form Builder – MightyForms
Researcher: zaim

Cookielay <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via cookielay Shortcode

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-10320
Patch Status: Unpatched
Published: Dec 5, 2024
Affected Software: Cookielay
Researcher: Peter Thaleikis

Element Pack Elementor Addons <= 5.10.5 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Lightbox Widget

CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-9058
Patch Status: Patched
Published: Dec 2, 2024
Affected Software: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Researcher: zer0gh0st

ElementsReady Addons for Elementor <= 6.4.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-54224
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
ElementsReady Addons for Elementor
Researcher

João Pedro Soares de Alcântara

Email Address Obfuscation <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11935
Patch Status
Patched
Published
Dec 3, 2024

Affected Software
Email Address Obfuscation
Researcher

theviper17y

Flower Delivery by Florist One <= 3.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11769
Patch Status
Patched
Published
Dec 3, 2024

Affected Software
Flower Delivery by Florist One
Researcher

zaim

Futurio Extra <= 2.0.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via header_size tag

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-53802
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Futurio Extra
Researcher

João Pedro Soares de Alcântara

Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.3.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-10178
Patch Status
Patched
Published
Dec 4, 2024

Affected Software
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor
Researcher

Webbernaut

jAlbum Bridge <= 2.0.15 – Authenticated (Contributor+) Stored Cross-Site Scripting via ar Parameter

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11853
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
jAlbum Bridge
Researcher

Peter Thaleikis

Listdom – Business Directory and Classified Ads Listings WordPress Plugin <= 3.7.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode Parameter

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11854
Patch Status
Patched
Published
Dec 3, 2024

Affected Software
Listdom – Business Directory and Classified Ads Listings WordPress Plugin
Researcher

Peter Thaleikis

Magical Addons For Elementor <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-54212
Patch Status
Unpatched
Published
Dec 2, 2024

Affected Software
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
Researcher

João G. Barbosa (4rCanJ0x!)

Mini Program API <= 1.4.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11380
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
Mini Program API
Researcher

SOPROBRO

Multiple Plugins <= (Various Versions) – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-5020
Patch Status
Patched
Published
Dec 3, 2024

Affected Software
Responsive Lightbox & Gallery
WPC Smart Quick View for WooCommerce
Accordion Slider
FV Flowplayer Video Player
Gallery Plugin for WordPress – Envira Photo Gallery
Colibri Page Builder
Visual Portfolio, Photo Gallery & Post Grid
Getwid – Gutenberg Blocks
Firelight Lightbox
FancyBox for WordPress
and 4 more…
Researcher

Webbernaut

myCred – Loyalty Points and Rewards plugin <= 2.7.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_send Shortcode

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11201
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Researcher

Peter Thaleikis

News Kit Elementor Addons <= 1.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-54260
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
News Kit Elementor Addons
Researcher

Gab

NewsMash <= 1.0.71 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-10849
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
NewsMash
Researcher

stealthcopter

NewsMunch <= 1.0.35 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-10848
Patch Status
Patched
Published
Dec 4, 2024

Affected Software
NewsMunch
Researcher

stealthcopter

ONLYOFFICE Docs <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11450
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
ONLYOFFICE Docs
Researcher

zakaria

PostX <= 4.1.15 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-53818
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX
Researcher

João Pedro Soares de Alcântara

Responsive Videos <= 2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11747
Patch Status
Unpatched
Published
Dec 3, 2024

Affected Software
Responsive Videos
Researcher

zakaria

RRAddons for Elementor <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-54232
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
RRAddons for Elementor
Researcher

Michael

Scratch & Win – Giveaways and Contests <= 2.6.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11898
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more
Researcher

Peter Thaleikis

SearchIQ – The Search Solution <= 4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-10885
Patch Status
Patched
Published
Dec 3, 2024

Affected Software
SearchIQ – The Search Solution
Researcher

Peter Thaleikis

Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel <= 3.2.1- Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-4633
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel
Researcher

wesley (wcraft)

Smart PopUp Blaster <= 1.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11339
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
Smart PopUp Blaster
Researcher

SOPROBRO

Spectra – WordPress Gutenberg Blocks <= 2.16.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Team Widget

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-10484
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Spectra – WordPress Gutenberg Blocks
Researcher

zer0gh0st

The Plus Addons for Elementor Page Builder Lite <= 5.6.14 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-53823
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Researcher

wesley (wcraft)

Themesflat Addons For Elementor <= 2.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-53796
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Themesflat Addons For Elementor
Researcher

João Pedro Soares de Alcântara

TwentyTwenty <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11352
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
TwentyTwenty
Researcher

yudha

Unlock Addons for Elementor <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-54230
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
Unlock Addons for Elementor
Researcher

Gab

WIP WooCarousel Lite <= 1.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11779
Patch Status
Patched
Published
Dec 4, 2024

Affected Software
WIP WooCarousel Lite
Researcher

zaim

WordPress Page Builder – Zion Builder <= 3.6.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-54213
Patch Status
Unpatched
Published
Dec 2, 2024

Affected Software
WordPress Page Builder – Zion Builder
Researcher

João G. Barbosa (4rCanJ0x!)

WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout <= 1.8.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11453
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
Researcher

Peter Thaleikis

Wot Elementor Widgets <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-54228
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
Wot Elementor Widgets
Researcher

Gab

WP eCards <= 1.3.904 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11903
Patch Status
Patched
Published
Dec 3, 2024

Affected Software
WP eCards
Researcher

zaim

WP Mailster <= 1.8.17.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11782
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
WP Mailster
Researcher

Peter Thaleikis

WP-SVG <= 0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11644
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
WP-SVG
Researcher

Bob Matyas

WPBITS Addons For Elementor Page Builder <= 1.5.2 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8962
Patch Status
Patched
Published
Dec 3, 2024

Affected Software
WPBITS Addons For Elementor Page Builder
Researcher

Francesco Carlucci

Zooom <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11451
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
Zooom
Researcher

zakaria

코드엠샵 소셜톡 <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11904
Patch Status
Patched
Published
Dec 6, 2024

Affected Software
코드엠샵 소셜톡
Researcher

Peter Thaleikis

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup <= 4.0.51 – Authenticated (Subscriber+) Arbitrary Shortcode Execution

6.3

CVSS Rating
Medium (6.3)
CVE-ID
CVE-2024-10681
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Researcher

Arkadiusz Hydzik

Pojo Forms <= 1.4.7 – Authenticated (Subscriber+) Arbitrary Shortcode Execution via form_preview_shortcode

6.3

CVSS Rating
Medium (6.3)
CVE-ID
CVE-2024-10909
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
Pojo Forms
Researcher

Arkadiusz Hydzik

Accounting for WooCommerce <= 1.6.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11324
Patch Status
Patched
Published
Dec 4, 2024

Affected Software
Accounting for WooCommerce
Researcher

vgo0

Additional Custom Order Status for WooCommerce <= 1.6.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11814
Patch Status
Patched
Published
Dec 3, 2024

Affected Software
Additional Custom Order Status for WooCommerce
Researcher

vgo0

Awesome Shortcodes <= 1.7.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-54209
Patch Status
Unpatched
Published
Dec 2, 2024

Affected Software
Awesome Shortcodes
Researcher

SOPROBRO

Block Controller <= 1.4.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-54208
Patch Status
Unpatched
Published
Dec 2, 2024

Affected Software
Block Controller
Researcher

João Pedro Soares de Alcântara

Broadcast <= 51.01 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11379
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
Broadcast
Researcher

vgo0

Campaign Monitor Forms by Optin Cat <= 2.5.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11326
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Campaign Monitor Forms by Optin Cat
Researcher

vgo0

CardGate Payments for WooCommerce <= 3.2.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12257
Patch Status
Patched
Published
Dec 6, 2024

Affected Software
CardGate Payments for WooCommerce
Researcher

Colin Xu

Clickbank WordPress Plugin (Storefront) <= 1.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11336
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
Clickbank WordPress Plugin (Storefront)
Researcher

SOPROBRO

Comfino Payment Gateway <= 4.1.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11329
Patch Status
Patched
Published
Dec 6, 2024

Affected Software
Comfino Payment Gateway
Researcher

vgo0

Country Blocker <= 3.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-54226
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
Country Blocker
Researcher

SOPROBRO

Drag & Drop Builder, Human Face Detector, Pre-built Templates, Spam Protection, User Email Notifications & more! <= 1.4.19 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11436
Patch Status
Patched
Published
Dec 6, 2024

Affected Software
Drag & Drop Builder, Human Face Detector, Pre-built Templates, Spam Protection, User Email Notifications & more!
Researcher

Colin Xu

Easy Code Snippets <= 1.0.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11464
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
Easy Code Snippets
Researcher

vgo0

Feedpress Generator – External RSS Frontend Customizer <= 1.2.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11457
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
Feedpress Generator – External RSS Frontend Customizer
Researcher

nvthien

Flixita <= 1.0.82 – Reflected Cross-Site Scripting via id Parameter

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-10836
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
Flixita
Researcher

vgo0

Folder Gallery <= 1.7.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11823
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
Folder Gallery
Researcher

zakaria

Form Data Collector <= 2.2.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11461
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Form Data Collector
Researcher

vgo0

ForumWP – Forum & Discussion Board <= 2.1.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-10879
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
ForumWP – Forum & Discussion Board
Researcher

Peter Thaleikis

ForumWP – Forum & Discussion Board <= 2.1.2 – Reflected Cross-Site Scripting via url Parameter

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11204
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
ForumWP – Forum & Discussion Board
Researcher

Peter Thaleikis

Goodlayers Core <= 2.0.7 – Reflected Cross-Site Scripting via ‘font-family’

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11200
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Goodlayers Core
Researcher

mike harris (mikeyh)

Intro Tour Tutorial DeepPresentation <= 6.5.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11466
Patch Status
Patched
Published
Dec 3, 2024

Affected Software
Intro Tour Tutorial DeepPresentation
Researcher

vgo0

Login Widget With Shortcode <= 6.1.2 – Open Redirect

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-54255
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
Login Widget With Shortcode
Researcher

ardias

Mollie for Contact Form 7 <= 5.0.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12165
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
Mollie for Contact Form 7
Researcher

Colin Xu

My auctions allegro <= 3.6.17 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11707
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
My auctions allegro
Researcher

vgo0

Next-Cart Store to WooCommerce Migration <= 3.9.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11687
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
Next-Cart Store to WooCommerce Migration
Researcher

vgo0

Ni WooCommerce Order Export <= 3.1.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-54231
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
Ni WooCommerce Order Export
Researcher

thiennv

NPS computy <= 2.8.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11807
Patch Status
Patched
Published
Dec 3, 2024

Affected Software
NPS computy
Researcher

vgo0

Paloma Widget <= 1.14 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-54205
Patch Status
Unpatched
Published
Dec 2, 2024

Affected Software
Paloma Widget
Researcher

ardias

PDF Builder for WooCommerce. Create invoices,packing slips and more <= 1.2.136 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11276
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
PDF Builder for WooCommerce. Create invoices,packing slips and more
Researcher

Colin Xu

Pie Register Premium < 3.8.3.3 – Unauthenticated Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-53821
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Pie Register Premium
Researcher

Ananda Dhakal

Posti Shipping <= 3.10.3 – Cross-Site Request Forgery to Reflected Cross-Site Scripting via generate_notices_html Function

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-10832
Patch Status
Unpatched
Published
Dec 3, 2024

Affected Software
Posti Shipping
Researcher

vgo0

Pulsating Chat Button <= 1.3.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11813
Patch Status
Unpatched
Published
Dec 3, 2024

Affected Software
Pulsating Chat Button
Researcher

SOPROBRO

Quick License Manager – WooCommerce Plugin <= 2.4.17 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11805
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Quick License Manager – WooCommerce Plugin
Researcher

vgo0

Shortcodes Blocks Creator Ultimate <= 2.2.0 – Reflected Cross-Site Scripting via _wpnonce

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12167
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
Shortcodes Blocks Creator Ultimate
Researcher

vgo0

Shortcodes Blocks Creator Ultimate <= 2.2.0 – Reflected Cross-Site Scripting via ‘page’

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12166
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
Shortcodes Blocks Creator Ultimate
Researcher

Colin Xu

Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal <= 3.1.2 – Reflected Cross-Site Scripting via monthly_sales_current_year Parameter

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12128
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal
Researcher

vgo0

Smoove connector for Elementor forms <= 4.1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11367
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
Smoove connector for Elementor forms
Researcher

vgo0

Splash Sync <= 2.0.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11368
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
Splash Sync
Researcher

vgo0

TWChat – Send or receive messages from users <= 4.0.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11374
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
TWChat – Send or receive messages from users
Researcher

vgo0

WP GeoNames <= 1.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-53812
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
WP GeoNames
Researcher

ardias

WP Job Manager – Company Profiles <= 1.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2023-6978
Patch Status
Patched
Published
Dec 3, 2024

Affected Software
WP Job Manager – Company Profiles
Researcher

Krzysztof Zając

WP Media Optimizer (.webp) <= 1.4.0 – Reflected Cross-Site Scripting via wpmowebp-css-resources and wpmowebp-js-resources Parameters

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12060
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
WP Media Optimizer (.webp)
Researcher

vgo0

WP System <= 1.1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12003
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
WP System
Researcher

vgo0

افزونه پیامک ووکامرس Persian WooCommerce SMS <= 7.0.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-10046
Patch Status
Patched
Published
Dec 6, 2024

Affected Software
افزونه پیامک ووکامرس Persian WooCommerce SMS
Researcher

Webbernaut

워드프레스 결제 심플페이 – 우커머스 결제 플러그인 <= 5.2.2 – Reflected Cross-Site Scripting via add_query_arg Parameter

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11943
Patch Status
Patched
Published
Dec 6, 2024

Affected Software
워드프레스 결제 심플페이 – 우커머스 결제 플러그인
Researcher

Peter Thaleikis

Borderless <= 1.5.8 – Authenticated (Editor+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-54211
Patch Status
Unpatched
Published
Dec 2, 2024

Affected Software
Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
Researcher

João G. Barbosa (4rCanJ0x!)

SG Helper <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload

5.5

CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-11093
Patch Status
Unpatched
Published
Dec 3, 2024

Affected Software
SG Helper
Researcher

Francesco Carlucci

WordPress Auction Plugin <= 3.7 – Authenticated (Editor+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-54207
Patch Status
Unpatched
Published
Dec 2, 2024

Affected Software
WordPress Auction Plugin
Researcher

Hakiduck

ARForms <= 6.4.1 – Missing Authorization to Plugin Settings Change

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-54217
Patch Status
Unpatched
Published
Dec 2, 2024

Affected Software
ARforms
Researcher

Dave Jong

Event Tickets with Ticket Scanner <= 2.4.4 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-9866
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
Event Tickets with Ticket Scanner
Researcher

zer0gh0st

FloristPress <= 7.3.0 – Missing Authorization to Arbitrary Content Deletion

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-53798
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
FloristPress – Customize your Woo store for your Florist
Researcher

Mika

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-9872
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
Online Booking & Scheduling Calendar for WordPress by vcita
Researcher

stealthcopter

Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal <= 3.1.2 – Missing Authorization to Authenticated (Subscriber+) Settings Update / Data Access

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-12253
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal
Researcher

Lucio Sá

Church Admin <= 5.0.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-53795
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Church Admin
Researcher

Mika

Client Invoicing by Sprout Invoices <= 20.8.0 – Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-53819
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress
Researcher

Manab Jyoti Dowarah

Connexion Logs <= 3.0.2 – Cross-Site Request Forgery to Log Deletion

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-11373
Patch Status
Unpatched
Published
Dec 2, 2024

Affected Software
Connexion Logs
Researcher

Bob Matyas

Friends <= 3.2.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-12028
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
Friends
Researcher

Colin Xu

If Menu <= 0.19.1 – Missing Authorization to License Key Update

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-7894
Patch Status
Patched
Published
Dec 6, 2024

Affected Software
If Menu – Visibility control for Menus
Researcher

Marco Wotschka

Minimum and Maximum Quantity for WooCommerce <= 2.0.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-54227
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
Minimum and Maximum Quantity for WooCommerce
Researcher

Abdi Pranata

Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins <= 2.0.58 – Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-10937
Patch Status
Patched
Published
Dec 4, 2024

Affected Software
Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins
Researcher

Francesco Carlucci

Ultimate Coming Soon & Maintenance <= 1.0.9 – Missing Authorization to Unauthenticated Template Activation

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-9706
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
Ultimate Coming Soon & Maintenance
Researcher

Tieu Pham Trong Nhan

WP Private Content Plus <= 3.6.1 – Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-11292
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
WP Private Content Plus
Researcher

Francesco Carlucci

WPCasa <= 1.2.13 – Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-53826
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
WPCasa
Researcher

Manab Jyoti Dowarah

AWeber Forms by Optin Cat <= 2.5.7 – Reflected Cross-Site Scripting

5.2

CVSS Rating
Medium (5.2)
CVE-ID
CVE-2024-11325
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
AWeber Forms by Optin Cat
Researcher

vgo0

Connexion Logs <= 3.0.2 – Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-11372
Patch Status
Unpatched
Published
Dec 2, 2024

Affected Software
Connexion Logs
Researcher

Régis SENET

NEX-Forms – Ultimate Form Builder <= 8.7.8 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-53808
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
NEX-Forms – Ultimate Form Builder – Contact forms and much more
Researcher

trongnb02

Product Labels For Woocommerce <= 1.5.8 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-53817
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Product Labels For Woocommerce (Sale Badges)
Researcher

tahu.datar

Float Block <= 1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-11645
Patch Status
Unpatched
Published
Dec 6, 2024

Affected Software
float block
Researcher

Bob Matyas

Video Gallery <= 2.4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-9769
Patch Status
Patched
Published
Dec 5, 2024

Affected Software
Video Gallery – YouTube Gallery and Vimeo Gallery
Researcher

tmrswrr

Z-Downloads <= 1.11.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-54206
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Z-Downloads
Researcher

Certus Cybersecurity

Analytify <= 5.4.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-53814
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
Researcher

Trương Hữu Phúc (truonghuuphuc)

AnyWhere Elementor <= 1.2.11 – Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-10777
Patch Status
Patched
Published
Dec 4, 2024

Affected Software
AnyWhere Elementor
Researcher

Francesco Carlucci

Charity Addon for Elementor <= 1.3.2 – Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-12062
Patch Status
Unpatched
Published
Dec 2, 2024

Affected Software
Charity Addon for Elementor
Researcher

Francesco Carlucci

CLUEVO LMS, E-Learning Platform <= 1.13.2 – Cross-Site Request Forgery to Module Deletion

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-11444
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
CLUEVO LMS, E-Learning Platform
Researcher

Peter Thaleikis

DN Shipping by Weight for WooCommerce <= 1.1.1 – Cross-Site Request Forgery to Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-11842
Patch Status
Patched
Published
Dec 6, 2024

Affected Software
DN Shipping by Weight for WooCommerce
Researcher

Bob Matyas

Dollie Hub – Build Your Own WordPress Cloud Platform <= 6.2.0 – Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-12099
Patch Status
Patched
Published
Dec 3, 2024

Affected Software
Dollie Hub – Build Your Own WordPress Cloud Platform
Researcher

Francesco Carlucci

Eleblog – Elementor Blog And Magazine Addons <= 1.8 – Missing Authorization to Authenticated (Subscriber+) Deactivation Submission

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-10663
Patch Status
Unpatched
Published
Dec 3, 2024

Affected Software
Eleblog – Elementor Blog And Magazine Addons
Researcher

Tieu Pham Trong Nhan

Filebird <= 6.3.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-53825
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
FileBird – WordPress Media Library Folders & File Manager
Researcher

Rafie Muhammad

FloristPress <= 7.3.0 – Missing Authorization to Sensitive Data Exposure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-53799
Patch Status
Patched
Published
Dec 2, 2024

Affected Software
FloristPress – Customize your Woo store for your Florist
Researcher

Mika

Gold Addons for Elementor <= 1.3.2 – Missing Authorization to Authenticated (Subscriber+) License Activation/Deactivation

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-12110
Patch Status
Unpatched
Published
Dec 5, 2024

Affected Software
Gold Addons for Elementor
Researcher

BrokenAC ignore

IdeaPush <= 8.71 – Missing Authorization to Board Term Deletion
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-11844 | Patch Status: Patched | Published: Dec 2, 2024
Affected Software: IdeaPush
Researcher: Lucio Sá

Knowledge Base documentation & wiki plugin – BasePress Docs <= 2.16.3.3 – Missing Authorization to Authenticated (Subscriber+) Database Update
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-10664 | Patch Status: Patched | Published: Dec 3, 2024
Affected Software: Knowledge Base documentation & wiki plugin – BasePress Docs
Researcher: BrokenAC ignore

LA-Studio Element Kit for Elementor <= 1.4.4 – Authenticated (Contributor+) Post Disclosure
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-10787 | Patch Status: Patched | Published: Dec 3, 2024
Affected Software: LA-Studio Element Kit for Elementor
Researcher: Francesco Carlucci

Maspik – Spam blacklist <= 2.2.7 – Cross-Site Request Forgery to Plugin Settings Change
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-53806 | Patch Status: Patched | Published: Dec 2, 2024
Affected Software: Maspik – Advanced Spam Protection
Researcher: Mika

Message Filter for Contact Form 7 <= 1.6.3 – Missing Authorization to Authenticated (Subscriber+) Filter Updates/Deletions
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-12027 | Patch Status: Patched | Published: Dec 5, 2024
Affected Software: Message Filter for Contact Form 7
Researcher: Tieu Pham Trong Nhan

Message Filter for Contact Form 7 <= 1.6.3 – Missing Authorization to Authenticated (Subscriber+) New Filter Creation
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-12026 | Patch Status: Patched | Published: Dec 6, 2024
Affected Software: Message Filter for Contact Form 7
Researcher: Tieu Pham Trong Nhan

Namaste! LMS <= 2.6.4.1 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-53809 | Patch Status: Patched | Published: Dec 2, 2024
Affected Software: Namaste! LMS
Researcher: a00n

Poll Maker <= 5.5.4 – Cross-Site Request Forgery to Poll Duplication
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-12115 | Patch Status: Patched | Published: Dec 6, 2024
Affected Software: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Researcher: Noah Stead (TurtleBurg)

PowerPack Elementor Addons (Free Widgets, Extensions and Templates) <= 2.8.1 – Authenticated (Contributor+) Post Disclosure
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-10692 | Patch Status: Patched | Published: Dec 5, 2024
Affected Software: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)
Researcher: Francesco Carlucci

Prodigy Commerce <= 3.0.8 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-54250 | Patch Status: Patched | Published: Dec 5, 2024
Affected Software: Prodigy Commerce
Researcher: Khalid Yusuf

Prodigy Commerce <= 3.0.9 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-54251 | Patch Status: Patched | Published: Dec 5, 2024
Affected Software: Prodigy Commerce
Researcher: Khalid Yusuf

Simple Redirection <= 1.5 – Cross-Site Request Forgery to Arbitrary Site Redirect
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-11341 | Patch Status: Patched | Published: Dec 4, 2024
Affected Software: Simple Redirection
Researcher: SOPROBRO

SMS for Lead Capture Forms <= 1.1.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-11353 | Patch Status: Unpatched | Published: Dec 6, 2024
Affected Software: SMS for Lead Capture Forms
Researcher: Mika

Tutor LMS Elementor Addons <= 2.1.5 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-53816 | Patch Status: Patched | Published: Dec 2, 2024
Affected Software: Tutor LMS Elementor Addons
Researcher: Ananda Dhakal

Ultimate Coming Soon & Maintenance <= 1.0.9 – Missing Authorization to Authenticated (Subscriber+) Template Name Update
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-9705 | Patch Status: Unpatched | Published: Dec 5, 2024
Affected Software: Ultimate Coming Soon & Maintenance
Researcher: Tieu Pham Trong Nhan

XLTab – Accordions and Tabs for Elementor Page Builder <= 1.4 – Authenticated (Contributor+) Post Disclosure
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-10689 | Patch Status: Patched | Published: Dec 5, 2024
Affected Software: XLTab – Accordions and Tabs for Elementor Page Builder
Researcher: Francesco Carlucci

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, along with important WordPress Security reports, in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (December 2, 2024 to December 8, 2024) appeared first on Wordfence.