WordPress Vulnerability & Patch Roundup July 2024
2024-07-30 02:07:12 Author: blog.sucuri.net

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


WordPress 6.6.1 Maintenance Release

A new minor release for WordPress is now available which features 7 bug fixes in WordPress core and 9 bug fixes for the Block editor.

We strongly encourage WordPress users to always keep their CMS patched with the latest core updates to mitigate risk and protect the WordPress environment.


WP Mail SMTP by WPForms – Sensitive Data Exposure

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-6694
Number of Installations: 3,000,000+
Affected Software: WP Mail SMTP by WPForms <= 4.0.9
Patched Versions: WP Mail SMTP by WPForms 4.1.0

Mitigation steps: Update to WP Mail SMTP by WPForms plugin version 4.1.0 or greater.


Elementor Header & Footer Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-33933
Number of Installations: 2,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.35
Patched Versions: Elementor Header & Footer Builder 1.6.36

Mitigation steps: Update to Elementor Header & Footer Builder plugin version 1.6.36 or greater.


Rank Math SEO – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4627
Number of Installations: 2,000,000+
Affected Software: Rank Math SEO <= 1.0.218
Patched Versions: Rank Math SEO 1.0.219

Mitigation steps: Update to Rank Math SEO plugin version 1.0.219 or greater.


Duplicator Migration & Backup Plugin – Full Path Disclosure (FPD)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Full Path Disclosure (FPD)
CVE: CVE-2024-6210
Number of Installations: 1,000,000+
Affected Software: Duplicator <= 1.5.9
Patched Versions: Duplicator 1.5.10

Mitigation steps: Update to Duplicator plugin version 1.5.10 or greater.


ElementsKit Elementor addons – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-6455
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.2.0
Patched Versions: ElementsKit Elementor addons 3.2.1

Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.2.1 or greater.


Redux Framework – Cross Site Scripting (XSS)

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6828
Number of Installations: 1,000,000+
Affected Software: Redux Framework <= 4.4.17
Patched Versions: Redux Framework 4.4.18

Mitigation steps: Update to Redux Framework plugin version 4.4.18 or greater.


Security Optimizer – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-38774
Number of Installations: 1,000,000+
Affected Software: Security Optimizer <= 1.5.0
Patched Versions: Security Optimizer 1.5.1

Mitigation steps: Update to Security Optimizer plugin version 1.5.1 or greater.


WPS Hide Login – Bypass Vulnerability

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Protection Bypass (hidden login page disclosure)
CVE: CVE-2024-6289
Number of Installations: 1,000,000+
Affected Software: WPS Hide Login <= 1.9.16.3
Patched Versions: WPS Hide Login 1.9.16.4

Mitigation steps: Update to WPS Hide Login plugin version 1.9.16.4 or greater.


Ninja Forms – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-37934
Number of Installations: 800,000+
Affected Software: Ninja Forms <= 3.8.4
Patched Versions: Ninja Forms 3.8.5

Mitigation steps: Update to Ninja Forms plugin version 3.8.5 or greater.


Spectra – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-37517
Number of Installations: 800,000+
Affected Software: Spectra <= 2.13.7
Patched Versions: Spectra 2.13.8

Mitigation steps: Update to Spectra plugin version 2.13.8 or greater.


Premium Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6495
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.36
Patched Versions: Premium Addons for Elementor 4.10.37

Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.37 or greater.


Ocean Extra – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37489
Number of Installations: 600,000+
Affected Software: Ocean Extra <= 2.2.9
Patched Versions: Ocean Extra 2.3.0

Mitigation steps: Update to Ocean Extra plugin version 2.3.0 or greater.


Easy Table of Contents – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6334
Number of Installations: 500,000+
Affected Software: Easy Table of Contents <= 2.0.67
Patched Versions: Easy Table of Contents 2.0.67.1

Mitigation steps: Update to Easy Table of Contents plugin version 2.0.67.1 or greater.


NextGEN Gallery – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-39627
Number of Installations: 500,000+
Affected Software: NextGEN Gallery <= 3.59.3
Patched Versions: NextGEN Gallery 3.59.4

Mitigation steps: Update to NextGEN Gallery plugin version 3.59.4 or greater.


Gutenberg – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37492
Number of Installations: 300,000+
Affected Software: Gutenberg <= 18.6.0
Patched Versions: Gutenberg 18.6.1

Mitigation steps: Update to Gutenberg plugin version 18.6.1 or greater.


Unlimited Elements For Elementor – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6169
Number of Installations: 200,000+
Affected Software: Unlimited Elements For Elementor <= 1.5.112
Patched Versions: Unlimited Elements For Elementor 1.5.113

Mitigation steps: Update to Unlimited Elements For Elementor plugin version 1.5.113 or greater.


User Feedback – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5902
Number of Installations: 200,000+
Affected Software: User Feedback <= 1.0.15
Patched Versions: User Feedback 1.0.16

Mitigation steps: Update to User Feedback plugin version 1.0.16 or greater.


Feeds for YouTube – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6256
Number of Installations: 100,000+
Affected Software: Feeds for YouTube <= 2.2.1
Patched Versions: Feeds for YouTube 2.2.2

Mitigation steps: Update to Feeds for YouTube plugin version 2.2.2 or greater.


HT Mega – Absolute Addons For Elementor – Path Traversal

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2024-38706
Number of Installations: 100,000+
Affected Software: HT Mega <= 2.5.7
Patched Versions: HT Mega 2.5.8

Mitigation steps: Update to HT Mega plugin version 2.5.8 or greater.


Inline Related Posts – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5626
Number of Installations: 100,000+
Affected Software: Inline Related Posts <= 3.6.9
Patched Versions: Inline Related Posts 3.7.0

Mitigation steps: Update to Inline Related Posts plugin version 3.7.0 or greater.


WordPress MaxButtons – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3026
Number of Installations: 100,000+
Affected Software: MaxButtons <= 9.7.7
Patched Versions: MaxButtons 9.7.8

Mitigation steps: Update to MaxButtons plugin version 9.7.8 or greater.


HUSKY – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-6457
Number of Installations: 100,000+
Affected Software: HUSKY <= 1.3.6
Patched Versions: HUSKY 1.3.6.1

Mitigation steps: Update to HUSKY plugin version 1.3.6.1 or greater.


Element Pack Elementor Addons – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5555
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.6.5
Patched Versions: Element Pack Elementor Addons 5.6.6

Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.6.6 or greater.


GiveWP – Insecure Direct Object References (IDOR)

Security Risk: Low
Exploitation Level: Requires GiveWP Worker privileges.
Vulnerability: Broken Access Control
CVE: CVE-2024-5977
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.13.9
Patched Versions: GiveWP 3.14.0

Mitigation steps: Update to GiveWP plugin version 3.14.0 or greater.


Schema & Structured Data for WP & AMP – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5582
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP <= 1.34.0
Patched Versions: Schema & Structured Data for WP & AMP 1.34.1

Mitigation steps: Update to Schema & Structured Data for WP & AMP plugin version 1.34.1 or greater.


CTX Feed – Privilege Escalation

Security Risk: High
Exploitation Level: Requires Shop Manager level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2024-38775
Number of Installations: 100,000+
Affected Software: CTX Feed <= 6.5.6
Patched Versions: CTX Feed 6.5.7

Mitigation steps: Update to CTX Feed plugin version 6.5.7 or greater.


Mercado Pago payments for WooCommerce – Arbitrary File Download

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2024-3934
Number of Installations: 100,000+
Affected Software: Mercado Pago <= 7.6.1
Patched Versions: Mercado Pago 7.6.2

Mitigation steps: Update to Mercado Pago plugin version 7.6.2 or greater.


Beaver Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37500
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.8.2
Patched Versions: Beaver Builder 2.8.3

Mitigation steps: Update to Beaver Builder plugin version 2.8.3 or greater.


The Plus Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4482
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.6.1
Patched Versions: The Plus Addons for Elementor 5.6.2

Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.6.2 or greater.


Featured Image from URL (FIFU) – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-37516
Number of Installations: 90,000+
Affected Software: FIFU <= 4.8.2
Patched Versions: FIFU 4.8.3

Mitigation steps: Update to Featured Image from URL plugin version 4.8.3 or greater.


LearnPress – Local File Inclusion

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2024-6589
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.6.8.2
Patched Versions: LearnPress 4.2.6.9

Mitigation steps: Update to LearnPress plugin version 4.2.6.9 or greater.


Paid Memberships Pro – SQL Injection

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-37486
Number of Installations: 90,000+
Affected Software: Paid Memberships Pro <= 3.0.5
Patched Versions: Paid Memberships Pro 3.0.6

Mitigation steps: Update to Paid Memberships Pro plugin version 3.0.6 or greater.


The Post Grid – Broken Access Control

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-37483
Number of Installations: 90,000+
Affected Software: The Post Grid <= 7.7.4
Patched Versions: The Post Grid 7.7.5

Mitigation steps: Update to The Post Grid plugin version 7.7.5 or greater.


Email Subscribers by Icegram Express – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-5703
Number of Installations: 90,000+
Affected Software: Email Subscribers by Icegram Express <= 5.7.26
Patched Versions: Email Subscribers by Icegram Express 5.7.27

Mitigation steps: Update to Email Subscribers by Icegram Express plugin version 5.7.27 or greater.


EmbedPress – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-38707
Number of Installations: 90,000+
Affected Software: EmbedPress <= 4.0.4
Patched Versions: EmbedPress 4.0.5

Mitigation steps: Update to EmbedPress plugin version 4.0.5 or greater.


Tutor LMS – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37947
Number of Installations: 90,000+
Affected Software: Tutor LMS <= 2.7.2
Patched Versions: Tutor LMS 2.7.3

Mitigation steps: Update to Tutor LMS plugin version 2.7.3 or greater.


Brizy Page Builder – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-1937
Number of Installations: 80,000+
Affected Software: Brizy <= 2.4.44
Patched Versions: Brizy 2.4.45

Mitigation steps: Update to Brizy plugin version 2.4.45 or greater.


YITH WooCommerce Ajax Product Filter – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37943
Number of Installations: 80,000+
Affected Software: YITH WooCommerce Ajax Product Filter <= 5.1.9
Patched Versions: YITH WooCommerce Ajax Product Filter 5.2.0

Mitigation steps: Update to YITH WooCommerce Ajax Product Filter plugin version 5.2.0 or greater.


Booking for Appointments and Events Calendar Amelia – Backdoor

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Backdoor
Number of Installations: 70,000+
Affected Software: Amelia <= 1.1.8
Patched Versions: Amelia 1.1.9

Mitigation steps: Update to Amelia plugin version 1.1.9 or greater.


Media Library Assistant – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5544
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.17
Patched Versions: Media Library Assistant 3.18

Mitigation steps: Update to Media Library Assistant plugin version 3.18 or greater.


Form Maker by 10Web – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6130
Number of Installations: 50,000+
Affected Software: Form Maker by 10Web <= 1.15.25
Patched Versions: Form Maker by 10Web 1.15.26

Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.26 or greater.


Sina Extension for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5260
Number of Installations: 50,000+
Affected Software: Sina Extension for Elementor <= 3.5.5
Patched Versions: Sina Extension for Elementor 3.5.6

Mitigation steps: Update to Sina Extension for Elementor plugin version 3.5.6 or greater.


Ultimate Blocks Gutenberg Blocks – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4655
Number of Installations: 50,000+
Affected Software: Ultimate Blocks <= 3.1.9
Patched Versions: Ultimate Blocks 3.2.0

Mitigation steps: Update to Ultimate Blocks Gutenberg Blocks plugin version 3.2.0 or greater.


Pixel Manager for WooCommerce – Backdoor

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Backdoor
Number of Installations: 50,000+
Affected Software: Pixel Manager for WooCommerce <= 1.43.3
Patched Versions: Pixel Manager for WooCommerce 1.43.4

Mitigation steps: Update to Pixel Manager for WooCommerce plugin version 1.43.4 or greater.


Premium Portfolio Features for Phlox theme – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3587
Number of Installations: 50,000+
Affected Software: Premium Portfolio Features for Phlox theme <= 2.3.2
Patched Versions: Premium Portfolio Features for Phlox theme 2.3.3

Mitigation steps: Update to Premium Portfolio Features for Phlox theme plugin version 2.3.3 or greater.


Getwid Gutenberg Blocks – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-6491
Number of Installations: 50,000+
Affected Software: Getwid <= 2.0.10
Patched Versions: Getwid 2.0.11

Mitigation steps: Update to Getwid plugin version 2.0.11 or greater.


Image Hover Effects – Elementor Addon – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4780
Number of Installations: 50,000+
Affected Software: Image Hover Effects – Elementor Addon <= 1.4.3
Patched Versions: Image Hover Effects – Elementor Addon 1.4.4

Mitigation steps: Update to Image Hover Effects – Elementor Addon plugin version 1.4.4 or greater.


RSS Aggregator – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-6621
Number of Installations: 50,000+
Affected Software: RSS Aggregator <= 4.23.11
Patched Versions: RSS Aggregator 4.23.12

Mitigation steps: Update to RSS Aggregator plugin version 4.23.12 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.
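The point made in the introduction and repeated here is that the risk is an installed version sitting below the patched release, and that automated attackers check exactly that. The script below is an added example, not code from Sucuri or from any of the plugin projects listed: it compares a plugin inventory against the affected/patched versions transcribed from entries on this page (a subset; add the rest as needed). The inventory is a constructed sample in the shape that `wp plugin list --fields=title,version --format=json` prints; its "title" values are assumed to match the names used on this page, which a real site's plugin titles may not, so mapping titles or slugs to the page's names is left to the reader. Version strings are compared segment by segment rather than as text, because plain string comparison ranks "3.9" above "3.18" and "1.3.6" equal to or above "1.3.6.1", which is how a naive check misses an unpatched plugin.

```python
"""Audit a WordPress plugin inventory against the affected/patched versions
listed in this roundup.

Added example, not code from Sucuri or from any plugin project named above.
ADVISORIES is transcribed from entries on this page (a subset; extend it with
the remaining entries). SAMPLE_INVENTORY is a constructed stand-in for the
JSON that `wp plugin list --fields=title,version --format=json` prints on a
real site; its "title" values are ASSUMED to match the names used on this
page, which a real site may not (map slugs or titles yourself).
"""
import json
import re

# (plugin name as written on this page, last affected version, first patched version)
ADVISORIES = [
    ("WP Mail SMTP by WPForms", "4.0.9", "4.1.0"),
    ("Elementor Header & Footer Builder", "1.6.35", "1.6.36"),
    ("Duplicator", "1.5.9", "1.5.10"),
    ("Redux Framework", "4.4.17", "4.4.18"),
    ("Ninja Forms", "3.8.4", "3.8.5"),
    ("HUSKY", "1.3.6", "1.3.6.1"),
    ("Easy Table of Contents", "2.0.67", "2.0.67.1"),
    ("LearnPress", "4.2.6.8.2", "4.2.6.9"),
    ("Media Library Assistant", "3.17", "3.18"),
]

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")


def _parse(version: str):
    """Split "4.2.6.8.2" into ([4, 2, 6, 8, 2], "") and "4.1.0-beta1" into ([4, 1, 0], "beta1")."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    suffix = m.group(2).lstrip("-.").lower()
    return numbers, suffix


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is below, equal to or above b.

    Segments compare numerically ("3.18" > "3.9"); a missing trailing segment
    counts as 0 ("1.3.6" < "1.3.6.1", "2.2" == "2.2.0"); a pre-release suffix
    sorts below the bare release ("4.1.0-beta1" < "4.1.0").
    """
    na, sa = _parse(a)
    nb, sb = _parse(b)
    width = max(len(na), len(nb))
    na += [0] * (width - len(na))
    nb += [0] * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if sa == sb:
        return 0
    if not sa:  # bare release beats any pre-release of the same number
        return 1
    if not sb:
        return -1
    return -1 if sa < sb else 1


def is_unpatched(installed: str, first_patched: str) -> bool:
    """Anything below the first patched release is treated as unpatched.

    The advisories phrase the range as "<= last affected"; checking against
    the fix version instead also catches any odd build sitting between the
    two, which is the conservative reading.
    """
    return compare_versions(installed, first_patched) < 0


def audit(inventory_json: str):
    """Return (title, installed, first_patched) for each plugin in the
    inventory that this roundup covers and that is still below its fix."""
    table = {name: (affected, patched) for name, affected, patched in ADVISORIES}
    findings = []
    for plugin in json.loads(inventory_json):
        entry = table.get(plugin["title"])
        if entry is None:
            continue  # not covered by this roundup
        if is_unpatched(plugin["version"], entry[1]):
            findings.append((plugin["title"], plugin["version"], entry[1]))
    return findings


# Constructed sample, not data from any real site.
SAMPLE_INVENTORY = json.dumps([
    {"title": "Duplicator", "version": "1.5.9"},            # last affected version
    {"title": "Redux Framework", "version": "4.4.18"},      # already patched
    {"title": "HUSKY", "version": "1.3.6"},                 # 1.3.6 < 1.3.6.1
    {"title": "LearnPress", "version": "4.2.6.9"},          # already patched
    {"title": "Media Library Assistant", "version": "3.9"}, # 3.9 < 3.18 numerically
    {"title": "Hello Dolly", "version": "1.7.2"},           # not in the roundup
])

if __name__ == "__main__":
    for title, installed, patched in audit(SAMPLE_INVENTORY):
        print(f"{title}: installed {installed}, update to {patched} or later")
```

On a real site, replace SAMPLE_INVENTORY with the WP-CLI output and run the audit from a cron job or a deploy pipeline; a non-empty result is the signal to update, or to confirm the firewall rule covering that entry is in place until you can.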


Source: https://blog.sucuri.net/2024/07/wordpress-vulnerability-patch-roundup-july-2024.html