WordPress Vulnerability & Patch Roundup August 2024
2024-8-31 00:32:30 Author: blog.sucuri.net(查看原文) 阅读量:8 收藏

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


WordPress 6.6.1 Maintenance Release

WordPress 6.6.1 has been released, featuring 7 Core bug fixes and 9 Block Editor bug fixes. Read the Release Candidate announcement for a detailed overview of the changes.

We strongly encourage WordPress users to always keep their CMS patched with the latest core updates to mitigate risk and protect the WordPress environment.


WooCommerce – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-39666
Number of Installations: 7,000,000+
Affected Software: WooCommerce <= 9.1.2
Patched Versions: WooCommerce 9.1.3

Mitigation steps: Update to WooCommerce plugin version 9.1.3 or greater.


LiteSpeed Cache – Privilege Escalation

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2024-28000
Number of Installations: 5,000,000+
Affected Software: LiteSpeed Cache <= 6.3.0.1
Patched Versions: LiteSpeed Cache 6.4

Mitigation steps: Update to LiteSpeed Cache plugin version 6.4 or greater.


Essential Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7092
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.27
Patched Versions: Essential Addons for Elementor 6.0.0

Mitigation steps: Update to Essential Addons for Elementor plugin version 6.0.0 or greater.


Spectra – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7590
Number of Installations: 900,000+
Affected Software: Spectra <= 2.14.1
Patched Versions: Spectra 2.15.1

Mitigation steps: Update to Spectra plugin version 2.15.1 or greater.


Popup Maker – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7054
Number of Installations: 700,000+
Affected Software: Popup Maker <= 1.19.0
Patched Versions: Popup Maker 1.19.1

Mitigation steps: Update to Popup Maker plugin version 1.19.1 or greater.


Premium Addons for Elementor – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-6824
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.38
Patched Versions: Premium Addons for Elementor 4.10.39

Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.39 or greater.


Meta Box – Broken Access Control

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43235
Number of Installations: 600,000+
Affected Software: Meta Box <= 5.9.10
Patched Versions: Meta Box 5.9.11

Mitigation steps: Update to Meta Box plugin version 5.9.11 or greater.


SiteOrigin Widgets Bundle – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-5901
Number of Installations: 600,000+
Affected Software: SiteOrigin Widgets Bundle <= 1.62.2
Patched Versions: SiteOrigin Widgets Bundle 1.62.3

Mitigation steps: Update to SiteOrigin Widgets Bundle plugin version 1.62.3 or greater.


Easy Table of Contents – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7082
Number of Installations: 500,000+
Affected Software: Easy Table of Contents <= 2.0.67.1
Patched Versions: Easy Table of Contents 2.0.68

Mitigation steps: Update to Easy Table of Contents plugin version 2.0.68 or greater.


Formidable Forms – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6725
Number of Installations: 400,000+
Affected Software: Formidable Forms <= 6.11.1
Patched Versions: Formidable Forms 6.11.2

Mitigation steps: Update to Formidable Forms plugin version 6.11.2 or greater.


Gutenberg Blocks with AI by Kadence WP – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6884
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.2.38
Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.2.39

Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.2.39 or greater.


Fonts Plugin – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43302
Number of Installations: 200,000+
Affected Software: Fonts Plugin <= 3.7.7
Patched Versions: Fonts Plugin 3.7.8

Mitigation steps: Update to Fonts Plugin plugin version 3.7.8 or greater.


White Label CMS – Reflected Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: XSS
CVE: CVE-2024-43303
Number of Installations: 200,000+
Affected Software: White Label CMS <= 2.7.4
Patched Versions: White Label CMS 2.7.5

Mitigation steps: Update to White Label CMS plugin version 2.7.5 or greater.


Download Manager – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6208
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.2.97
Patched Versions: Download Manager 3.2.98

Mitigation steps: Update to Download Manager plugin version 3.2.98 or greater.


Essential Blocks – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-5595
Number of Installations: 100,000+
Affected Software: Essential Blocks < 4.7.0
Patched Versions: Essential Blocks 4.7.0

Mitigation steps: Update to Essential Blocks plugin version 4.7.0 or greater.


Inline Related Posts – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6487
Number of Installations: 100,000+
Affected Software: Inline Related Posts < 3.8.0
Patched Versions: Inline Related Posts 3.8.0

Mitigation steps: Update to Inline Related Posts version 3.8.0 or greater.


My Sticky Bar – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-4090
Number of Installations: 100,000+
Affected Software: My Sticky Bar (formerly myStickymenu) <= 2.7.1
Patched Versions: My Sticky Bar (formerly myStickymenu) 2.7.2

Mitigation steps: Update to My Sticky Bar plugin version 2.7.2 or greater.


DearFlip – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-4367
Number of Installations: 100,000+
Affected Software: DearFlip <= 2.2.55
Patched Versions: DearFlip 2.2.56

Mitigation steps: Update to DearFlip plugin version 2.2.56 or greater.


AMP for WP – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43146
Number of Installations: 100,000+
Affected Software: AMP for WP <= 1.0.96.1
Patched Versions: AMP for WP 1.0.97

Mitigation steps: Update to AMP for WP plugin version 1.0.97 or greater.


Aruba HiSpeed Cache – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43119
Number of Installations: 100,000+
Affected Software: Aruba HiSpeed Cache <= 2.0.12
Patched Versions: Aruba HiSpeed Cache 2.0.13

Mitigation steps: Update to Aruba HiSpeed Cache plugin version 2.0.13 or greater.


Element Pack Elementor Addons – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7247
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.7.2
Patched Versions: Element Pack Elementor Addons 5.7.3

Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.7.3 or greater.


Slider & Popup Builder by Depicter – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-43161
Number of Installations: 100,000+
Affected Software: Slider & Popup Builder by Depicter <= 3.1.2
Patched Versions: Slider & Popup Builder by Depicter 3.2.0

Mitigation steps: Update to Slider & Popup Builder by Depicter plugin version 3.2.0 or greater.


FooBox – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-5668
Number of Installations: 100,000+
Affected Software: FooBox <= 2.7.28
Patched Versions: FooBox 2.7.32

Mitigation steps: Update to FooBox plugin version 2.7.32 or greater.


Hummingbird Performance – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43118
Number of Installations: 100,000+
Affected Software: Hummingbird Performance <= 3.9.1
Patched Versions: Hummingbird Performance 3.9.2

Mitigation steps: Update to Hummingbird Performance plugin version 3.9.2 or greater.


Robin image optimizer – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43122
Number of Installations: 100,000+
Affected Software: Robin image optimizer <= 1.6.9
Patched Versions: Robin image optimizer 1.7.0

Mitigation steps: Update to Robin image optimizer plugin version 1.7.0 or greater.


GiveWP – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-5940, CVE-2024-5939
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.13.9
Patched Versions: GiveWP 3.14.0

Mitigation steps: Update to GiveWP plugin version 3.14.0 or greater.


The Ultimate Video Player For WordPress – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43285
Number of Installations: 100,000+
Affected Software: The Ultimate Video Player For WordPress <= 3.0.2
Patched Versions: The Ultimate Video Player For WordPress 3.0.3

Mitigation steps: Update to The Ultimate Video Player For WordPress plugin version 3.0.3 or greater.


SEO Plugin by Squirrly SEO – SQL Injection

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-43286
Number of Installations: 100,000+
Affected Software: SEO Plugin by Squirrly SEO <= 12.3.19
Patched Versions: SEO Plugin by Squirrly SEO 12.3.20

Mitigation steps: Update to SEO Plugin by Squirrly SEO plugin version 12.3.20 or greater.


The Plus Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-5763
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.6.2
Patched Versions: The Plus Addons for Elementor 5.6.3

Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.6.3 or greater.


Asset CleanUp: Page Speed Booster – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43314
Number of Installations: 100,000+
Affected Software: Asset CleanUp: Page Speed Booster <= 1.3.9.3
Patched Versions: Asset CleanUp: Page Speed Booster 1.3.9.4

Mitigation steps: Update to Asset CleanUp: Page Speed Booster plugin version 1.3.9.4 or greater.


Email Encoder – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-4483
Number of Installations: 90,000+
Affected Software: Email Encoder <= 2.2.1
Patched Versions: Email Encoder 2.2.2

Mitigation steps: Update to Email Encoder plugin version 2.2.2 or greater.


Social Feed Gallery – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-39640
Number of Installations: 90,000+
Affected Software: Social Feed Gallery <= 4.3.9
Patched Versions: Social Feed Gallery 4.4.0

Mitigation steps: Update to Social Feed Gallery plugin version 4.4.0 or greater.


WP Mobile Menu – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-2508
Number of Installations: 90,000+
Affected Software: WP Mobile Menu <= 2.8.4.4
Patched Versions: WP Mobile Menu 2.8.5

Mitigation steps: Update to WP Mobile Menu plugin version 2.8.5 or greater.


LearnPress – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-7548
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.6.9.3
Patched Versions: LearnPress 4.2.6.9.4

Mitigation steps: Update to LearnPress plugin version 4.2.6.9.4 or greater.


Tutor LMS – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Instructor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-43231
Number of Installations: 90,000+
Affected Software: Tutor LMS <= 2.7.3
Patched Versions: Tutor LMS 2.7.4

Mitigation steps: Update to Tutor LMS plugin version 2.7.4 or greater.


Tutor LMS – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Tutor Instructor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43142
Number of Installations: 90,000+
Affected Software: Tutor LMS <= 2.7.3
Patched Versions: Tutor LMS 2.7.4

Mitigation steps: Update to Tutor LMS plugin version 2.7.4 or greater.


Ajax Search Lite – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7084
Number of Installations: 80,000+
Affected Software: Ajax Search Lite <= 4.12
Patched Versions: Ajax Search Lite 4.12.1

Mitigation steps: Update to Ajax Search Lite plugin version 4.12.1 or greater.


Folders – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7317
Number of Installations: 80,000+
Affected Software: Folders <= 3.0.3
Patched Versions: Folders 3.0.4

Mitigation steps: Update to Folders plugin version 3.0.4 or greater.


3D FlipBook – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-43152
Number of Installations: 70,000+
Affected Software: 3D FlipBook <= 1.15.6
Patched Versions: 3D FlipBook 1.15.7

Mitigation steps: Update to 3D FlipBook plugin version 1.15.7 or greater.


Clone – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43298
Number of Installations: 70,000+
Affected Software: Clone <= 2.4.5
Patched Versions: Clone 2.4.6

Mitigation steps: Update to Clone plugin version 2.4.6 or greater.


FOX – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43297
Number of Installations: 60,000+
Affected Software: FOX <= 1.4.2
Patched Versions: FOX 1.4.2.1

Mitigation steps: Update to FOX plugin version 1.4.2.1 or greater.


WP Table Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-43125
Number of Installations: 60,000+
Affected Software: WP Table Builder <= 1.4.15
Patched Versions: WP Table Builder 1.5.0

Mitigation steps: Update to WP Table Builder plugin version 1.5.0 or greater.


Blog2Social – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7302
Number of Installations: 60,000+
Affected Software: Blog2Social <= 7.5.4
Patched Versions: Blog2Social 7.5.5

Mitigation steps: Update to Blog2Social plugin version 7.5.5 or greater.


Bold Page Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7100
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.0.2
Patched Versions: Bold Page Builder 5.0.3

Mitigation steps: Update to Bold Page Builder plugin version 5.0.3 or greater.


Easy Digital Downloads – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQLi
CVE: CVE-2024-5057
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.2.12
Patched Versions: Easy Digital Downloads 3.3.1

Mitigation steps: Update to Easy Digital Downloads plugin version 3.3.1 or greater.


User Profile Builder – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-6366
Number of Installations: 50,000+
Affected Software: User Profile Builder <= 3.11.7
Patched Versions: User Profile Builder 3.11.8

Mitigation steps: Update to User Profile Builder plugin version 3.11.8 or greater.


Category Posts Widget – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6158
Number of Installations: 50,000+
Affected Software: Category Posts Widget <= 4.9.16
Patched Versions: Category Posts Widget 4.9.17

Mitigation steps: Update to Category Posts Widget plugin version 4.9.17 or greater.


Easy Digital Downloads – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6692
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.3.2
Patched Versions: Easy Digital Downloads 3.3.3

Mitigation steps: Update to Easy Digital Downloads plugin version 3.3.3 or greater.


Easy Digital Downloads – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43162
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.2.12
Patched Versions: Easy Digital Downloads 3.3.1

Mitigation steps: Update to Easy Digital Downloads plugin version 3.3.1 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.


文章来源: https://blog.sucuri.net/2024/08/wordpress-vulnerability-patch-roundup-august-2024.html
如有侵权请联系:admin#unsafe.sh