Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
A new minor release for WordPress is now available, featuring 7 bug fixes in WordPress core and 9 bug fixes for the Block editor.
We strongly encourage WordPress users to always keep their CMS patched with the latest core updates to mitigate risk and protect the WordPress environment.
Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-6694
Number of Installations: 3,000,000+
Affected Software: WP Mail SMTP by WPForms <= 4.0.9
Patched Versions: WP Mail SMTP by WPForms 4.1.0
Mitigation steps: Update to WP Mail SMTP by WPForms plugin version 4.1.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-33933
Number of Installations: 2,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.35
Patched Versions: Elementor Header & Footer Builder 1.6.36
Mitigation steps: Update to Elementor Header & Footer Builder plugin version 1.6.36 or greater.

Security Risk: Low
Exploitation Level: Requires Administrator authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4627
Number of Installations: 2,000,000+
Affected Software: Rank Math SEO <= 1.0.218
Patched Versions: Rank Math SEO 1.0.219
Mitigation steps: Update to Rank Math SEO plugin version 1.0.219 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Security Misconfiguration
CVE: CVE-2024-6210
Number of Installations: 1,000,000+
Affected Software: Duplicator <= 1.5.9
Patched Versions: Duplicator 1.5.10
Mitigation steps: Update to Duplicator plugin version 1.5.10 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-6455
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.2.0
Patched Versions: ElementsKit Elementor addons 3.2.1
Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.2.1 or greater.

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6828
Number of Installations: 1,000,000+
Affected Software: Redux Framework <= 4.4.17
Patched Versions: Redux Framework 4.4.18
Mitigation steps: Update to Redux Framework plugin version 4.4.18 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-38774
Number of Installations: 1,000,000+
Affected Software: Security Optimizer <= 1.5.0
Patched Versions: Security Optimizer 1.5.1
Mitigation steps: Update to Security Optimizer plugin version 1.5.1 or greater.

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2024-6289
Number of Installations: 1,000,000+
Affected Software: WPS Hide Login <= 1.9.16.3
Patched Versions: WPS Hide Login 1.9.16.4
Mitigation steps: Update to WPS Hide Login plugin version 1.9.16.4 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-37934
Number of Installations: 800,000+
Affected Software: Ninja Forms <= 3.8.4
Patched Versions: Ninja Forms 3.8.5
Mitigation steps: Update to Ninja Forms plugin version 3.8.5 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-37517
Number of Installations: 800,000+
Affected Software: Spectra <= 2.13.7
Patched Versions: Spectra 2.13.8
Mitigation steps: Update to Spectra plugin version 2.13.8 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6495
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.36
Patched Versions: Premium Addons for Elementor 4.10.37
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.37 or greater.

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37489
Number of Installations: 600,000+
Affected Software: Ocean Extra <= 2.2.9
Patched Versions: Ocean Extra 2.3.0
Mitigation steps: Update to Ocean Extra plugin version 2.3.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6334
Number of Installations: 500,000+
Affected Software: Easy Table of Contents <= 2.0.67
Patched Versions: Easy Table of Contents 2.0.67.1
Mitigation steps: Update to Easy Table of Contents plugin version 2.0.67.1 or greater.

Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-39627
Number of Installations: 500,000+
Affected Software: NextGEN Gallery <= 3.59.3
Patched Versions: NextGEN Gallery 3.59.4
Mitigation steps: Update to NextGEN Gallery plugin version 3.59.4 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37492
Number of Installations: 300,000+
Affected Software: Gutenberg <= 18.6.0
Patched Versions: Gutenberg 18.6.1
Mitigation steps: Update to Gutenberg plugin version 18.6.1 or greater.

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6169
Number of Installations: 200,000+
Affected Software: Unlimited Elements For Elementor <= 1.5.112
Patched Versions: Unlimited Elements For Elementor 1.5.113
Mitigation steps: Update to Unlimited Elements For Elementor plugin version 1.5.113 or greater.

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5902
Number of Installations: 200,000+
Affected Software: User Feedback <= 1.0.15
Patched Versions: User Feedback 1.0.16
Mitigation steps: Update to User Feedback plugin version 1.0.16 or greater.

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6256
Number of Installations: 100,000+
Affected Software: Feeds for YouTube <= 2.2.1
Patched Versions: Feeds for YouTube 2.2.2
Mitigation steps: Update to Feeds for YouTube plugin version 2.2.2 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2024-38706
Number of Installations: 100,000+
Affected Software: HT Mega <= 2.5.7
Patched Versions: HT Mega 2.5.8
Mitigation steps: Update to HT Mega plugin version 2.5.8 or greater.

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5626
Number of Installations: 100,000+
Affected Software: Inline Related Posts <= 3.6.9
Patched Versions: Inline Related Posts 3.7.0
Mitigation steps: Update to Inline Related Posts plugin version 3.7.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3026
Number of Installations: 100,000+
Affected Software: MaxButtons <= 9.7.7
Patched Versions: MaxButtons 9.7.8
Mitigation steps: Update to MaxButtons plugin version 9.7.8 or greater.

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-6457
Number of Installations: 100,000+
Affected Software: HUSKY <= 1.3.6
Patched Versions: HUSKY 1.3.6.1
Mitigation steps: Update to HUSKY plugin version 1.3.6.1 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5555
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.6.5
Patched Versions: Element Pack Elementor Addons 5.6.6
Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.6.6 or greater.

Security Risk: Low
Exploitation Level: Requires GiveWP Worker privileges.
Vulnerability: Broken Access Control
CVE: CVE-2024-5977
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.13.9
Patched Versions: GiveWP 3.14.0
Mitigation steps: Update to GiveWP plugin version 3.14.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5582
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP <= 1.34.0
Patched Versions: Schema & Structured Data for WP & AMP 1.34.1
Mitigation steps: Update to Schema & Structured Data for WP & AMP plugin version 1.34.1 or greater.

Security Risk: High
Exploitation Level: Requires Shop Manager level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2024-38775
Number of Installations: 100,000+
Affected Software: CTX Feed <= 6.5.6
Patched Versions: CTX Feed 6.5.7
Mitigation steps: Update to CTX Feed plugin version 6.5.7 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2024-3934
Number of Installations: 100,000+
Affected Software: Mercado Pago <= 7.6.1
Patched Versions: Mercado Pago 7.6.2
Mitigation steps: Update to Mercado Pago plugin version 7.6.2 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37500
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.8.2
Patched Versions: Beaver Builder 2.8.3
Mitigation steps: Update to Beaver Builder plugin version 2.8.3 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4482
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.6.1
Patched Versions: The Plus Addons for Elementor 5.6.2
Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.6.2 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-37516
Number of Installations: 90,000+
Affected Software: FIFU <= 4.8.2
Patched Versions: FIFU 4.8.3
Mitigation steps: Update to Featured Image from URL plugin version 4.8.3 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2024-6589
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.6.8.2
Patched Versions: LearnPress 4.2.6.9
Mitigation steps: Update to LearnPress plugin version 4.2.6.9 or greater.

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-37486
Number of Installations: 90,000+
Affected Software: Paid Memberships Pro <= 3.0.5
Patched Versions: Paid Memberships Pro 3.0.6
Mitigation steps: Update to Paid Memberships Pro plugin version 3.0.6 or greater.

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-37483
Number of Installations: 90,000+
Affected Software: The Post Grid <= 7.7.4
Patched Versions: The Post Grid 7.7.5
Mitigation steps: Update to The Post Grid plugin version 7.7.5 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-5703
Number of Installations: 90,000+
Affected Software: Email Subscribers by Icegram Express <= 5.7.26
Patched Versions: Email Subscribers by Icegram Express 5.7.27
Mitigation steps: Update to Email Subscribers by Icegram Express plugin version 5.7.27 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-38707
Number of Installations: 90,000+
Affected Software: EmbedPress <= 4.0.4
Patched Versions: EmbedPress 4.0.5
Mitigation steps: Update to EmbedPress plugin version 4.0.5 or greater.

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37947
Number of Installations: 90,000+
Affected Software: Tutor LMS <= 2.7.2
Patched Versions: Tutor LMS 2.7.3
Mitigation steps: Update to Tutor LMS plugin version 2.7.3 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-1937
Number of Installations: 80,000+
Affected Software: Brizy <= 2.4.44
Patched Versions: Brizy 2.4.45
Mitigation steps: Update to Brizy plugin version 2.4.45 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37943
Number of Installations: 80,000+
Affected Software: YITH WooCommerce Ajax Product Filter <= 5.1.9
Patched Versions: YITH WooCommerce Ajax Product Filter 5.2.0
Mitigation steps: Update to YITH WooCommerce Ajax Product Filter plugin version 5.2.0 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Backdoor
Number of Installations: 70,000+
Affected Software: Amelia <= 1.1.8
Patched Versions: Amelia 1.1.9
Mitigation steps: Update to Amelia plugin version 1.1.9 or greater.

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5544
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.17
Patched Versions: Media Library Assistant 3.18
Mitigation steps: Update to Media Library Assistant plugin version 3.18 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6130
Number of Installations: 50,000+
Affected Software: Form Maker by 10Web <= 1.15.25
Patched Versions: Form Maker by 10Web 1.15.26
Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.26 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5260
Number of Installations: 50,000+
Affected Software: Sina Extension for Elementor <= 3.5.5
Patched Versions: Sina Extension for Elementor 3.5.6
Mitigation steps: Update to Sina Extension for Elementor plugin version 3.5.6 or greater.

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4655
Number of Installations: 50,000+
Affected Software: Ultimate Blocks <= 3.1.9
Patched Versions: Ultimate Blocks 3.2.0
Mitigation steps: Update to Ultimate Blocks Gutenberg Blocks plugin version 3.2.0 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Backdoor
Number of Installations: 50,000+
Affected Software: Pixel Manager for WooCommerce <= 1.43.3
Patched Versions: Pixel Manager for WooCommerce 1.43.4
Mitigation steps: Update to Pixel Manager for WooCommerce plugin version 1.43.4 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3587
Number of Installations: 50,000+
Affected Software: Premium Portfolio Features for Phlox theme <= 2.3.2
Patched Versions: Premium Portfolio Features for Phlox theme 2.3.3
Mitigation steps: Update to Premium Portfolio Features for Phlox theme plugin version 2.3.3 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-6491
Number of Installations: 50,000+
Affected Software: Getwid <= 2.0.10
Patched Versions: Getwid 2.0.11
Mitigation steps: Update to Getwid plugin version 2.0.11 or greater.

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4780
Number of Installations: 50,000+
Affected Software: Image Hover Effects – Elementor Addon <= 1.4.3
Patched Versions: Image Hover Effects – Elementor Addon 1.4.4
Mitigation steps: Update to Image Hover Effects – Elementor Addon plugin version 1.4.4 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-6621
Number of Installations: 50,000+
Affected Software: RSS Aggregator <= 4.23.11
Patched Versions: RSS Aggregator 4.23.12
Mitigation steps: Update to RSS Aggregator plugin version 4.23.12 or greater.

Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.