WordPress Vulnerability & Patch Roundup September 2024
2024-10-1 03:17:16 Author: blog.sucuri.net(查看原文) 阅读量:6 收藏

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


WordPress 6.6.2 Maintenance Release

WordPress version 6.6.2 has been released! This update includes 15 bug fixes in the Core and 11 in the Block Editor, fixing issues like unexpected CSS specificity changes in various themes.

We strongly encourage WordPress users to always keep their CMS patched with the latest core updates to mitigate risk and protect the WordPress environment.


Plugin Vulnerabilities


Elementor Website Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5416
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.23.9
Patched Versions: Elementor Website Builder 3.24.0

Mitigation steps: Update to Elementor Website Builder plugin version 3.24.0 or greater.


LiteSpeed Cache – Broken Authentication

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2024-44000
Number of Installations: 6,000,000+
Affected Software: LiteSpeed Cache <= 6.5.0
Patched Versions: LiteSpeed Cache 6.5.0.1

Mitigation steps: Update to LiteSpeed Cache plugin version 6.5.0.1 or greater.


Essential Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8440
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 6.0.3
Patched Versions: Essential Addons for Elementor 6.0.4

Mitigation steps: Update to Essential Addons for Elementor plugin version 6.0.4 or greater.


MC4WP: Mailchimp for WordPress – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8850
Number of Installations: 2,000,000+
Affected Software: MC4WP: Mailchimp for WordPress 4.9.9 - 4.9.16
Patched Versions: MC4WP: Mailchimp for WordPress 4.9.17

Mitigation steps: Update to MC4WP: Mailchimp for WordPress plugin version 4.9.17 or greater.


MC4WP: Mailchimp for WordPress – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8680
Number of Installations: 2,000,000+
Affected Software: MC4WP: Mailchimp for WordPress <= 4.9.16
Patched Versions: MC4WP: Mailchimp for WordPress 4.9.17

Mitigation steps: Update to MC4WP: Mailchimp for WordPress plugin version 4.9.17 or greater.


W3 Total Cache – Sensitive Data Exposure

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-5359
Number of Installations: 1,000,000+
Affected Software: W3 Total Cache <= 2.7.5
Patched Versions: W3 Total Cache 2.7.6

Mitigation steps: Update to W3 Total Cache plugin version 2.7.6 or greater.


Ninja Forms – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: N/A
Number of Installations: 800,000+
Affected Software: Ninja Forms <= 3.8.10
Patched Versions: Ninja Forms 3.8.11

Mitigation steps: Update to Ninja Forms plugin version 3.8.11 or greater.


Ninja Forms – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43999
Number of Installations: 800,000+
Affected Software: Ninja Forms <= 3.8.11
Patched Versions: Ninja Forms 3.8.12

Mitigation steps: Update to Ninja Forms plugin version 3.8.12 or greater.


Popup Maker – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5561
Number of Installations: 700,000+
Affected Software: Popup Maker <= 1.19.0
Patched Versions: Popup Maker 1.19.1

Mitigation steps: Update to Popup Maker plugin version 1.19.1 or greater.


Migration, Backup, Staging – WPvivid – Sensitive Data Exposure

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-7315
Number of Installations: 500,000+
Affected Software: WPvivid <= 0.9.105
Patched Versions: WPvivid 0.9.106

Mitigation steps: Update to WPvivid plugin version 0.9.106 or greater.


Page Builder Gutenberg Blocks – CoBlocks – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-7132
Number of Installations: 400,000+
Affected Software: CoBlocks <= 3.1.12
Patched Versions: CoBlocks 3.1.13

Mitigation steps: Update to CoBlocks plugin version 3.1.13 or greater.


Contact Form Plugin by Fluent Forms – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-5053
Number of Installations: 400,000+
Affected Software: Fluent Forms <= 5.1.18
Patched Versions: Fluent Forms 5.1.19

Mitigation steps: Update to Fluent Forms plugin version 5.1.19 or greater.


PixelYourSite – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-7870
Number of Installations: 400,000+
Affected Software: PixelYourSite <= 9.7.1
Patched Versions: PixelYourSite 9.7.2

Mitigation steps: Update to PixelYourSite plugin version 9.7.2 or greater.


Royal Elementor Addons and Templates – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-44001
Number of Installations: 400,000+
Affected Software: Royal Elementor Addons <= 1.3.984
Patched Versions: Royal Elementor Addons 1.3.985

Mitigation steps: Update to Royal Elementor Addons plugin version 1.3.985 or greater.


HubSpot – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5879
Number of Installations: 300,000+
Affected Software: HubSpot <= 11.1.33
Patched Versions: HubSpot 11.1.34

Mitigation steps: Update to HubSpot plugin version 11.1.34 or greater.


Backuply – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-8669
Number of Installations: 200,000+
Affected Software: Backuply <= 1.3.4
Patched Versions: Backuply 1.3.5

Mitigation steps: Update to Backuply plugin version 1.3.5 or greater.


Jeg Elementor Kit – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6804
Number of Installations: 200,000+
Affected Software: Jeg Elementor Kit <= 2.6.7
Patched Versions: Jeg Elementor Kit 2.6.8

Mitigation steps: Update to Jeg Elementor Kit plugin version 2.6.8 or greater.


Responsive Lightbox & Gallery – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-43924
Number of Installations: 200,000+
Affected Software: Responsive Lightbox & Gallery <= 2.4.7
Patched Versions: Responsive Lightbox & Gallery 2.4.8

Mitigation steps: Update to Responsive Lightbox & Gallery plugin version 2.4.8 or greater.


Photo Gallery by 10Web – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-44043
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.27
Patched Versions: Photo Gallery by 10Web 1.8.28

Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.28 or greater.


Popup Builder – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-2541
Number of Installations: 200,000+
Affected Software: Popup Builder <= 4.3.3
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Beaver Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-7895
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.8.3.5
Patched Versions: Beaver Builder 2.8.3.6

Mitigation steps: Update to Beaver Builder plugin version 2.8.3.6 or greater.


Beaver Builder – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43926
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.8.3.3
Patched Versions: Beaver Builder 2.8.3.4

Mitigation steps: Update to Beaver Builder plugin version 2.8.3.4 or greater.


EmbedPress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43936
Number of Installations: 100,000+
Affected Software: EmbedPress <= 4.0.8
Patched Versions: EmbedPress 4.0.9

Mitigation steps: Update to EmbedPress plugin version 4.0.9 or greater.


My Sticky Bar – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-7133
Number of Installations: 100,000+
Affected Software: My Sticky Bar <= 2.7.2
Patched Versions: My Sticky Bar 2.7.3

Mitigation steps: Update to My Sticky Bar plugin version 2.7.3 or greater.


Envira Photo Gallery – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3899
Number of Installations: 100,000+
Affected Software: Envira Photo Gallery <= 1.8.14
Patched Versions: Envira Photo Gallery 1.8.15

Mitigation steps: Update to Envira Photo Gallery plugin version 1.8.15 or greater.


Envira Photo Gallery – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43925
Number of Installations: 100,000+
Affected Software: Envira Photo Gallery <= 1.8.14
Patched Versions: Envira Photo Gallery 1.8.15

Mitigation steps: Update to Envira Photo Gallery plugin version 1.8.15 or greater.


GiveWP – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-6551
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.15.9
Patched Versions: GiveWP 3.16.0

Mitigation steps: Update to GiveWP plugin version 3.16.0 or greater.


Ivory Search – WordPress Search Plugin – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-6835
Number of Installations: 100,000+
Affected Software: Ivory Search – WordPress Search Plugin <= 5.5.6
Patched Versions: Ivory Search – WordPress Search Plugin 5.5.7

Mitigation steps: Update to Ivory Search plugin version 5.5.7 or greater.


NitroPack – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-43922
Number of Installations: 100,000+
Affected Software: NitroPack <= 1.16.7
Patched Versions: NitroPack 1.16.8

Mitigation steps: Update to NitroPack plugin version 1.16.8 or greater.


Page Builder: Pagelayer – Drag and Drop website builder – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43972
Number of Installations: 100,000+
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.7
Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 1.8.8

Mitigation steps: Update to Page Builder: Pagelayer plugin version 1.8.8 or greater.


The Plus Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43977
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.6.2
Patched Versions: The Plus Addons for Elementor 5.6.3

Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.6.3 or greater.


The Plus Addons for Elementor – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43932
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.6.2
Patched Versions: The Plus Addons for Elementor – 5.6.3

Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.6.3 or greater.


The Post Grid – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-7418
Number of Installations: 100,000+
Affected Software: The Post Grid <= 7.7.11
Patched Versions: The Post Grid – 7.7.12

Mitigation steps: Update to The Post Grid plugin version 7.7.12 or greater.


WooCommerce Multilingual & Multicurrency with WPML – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-44006
Number of Installations: 100,000+
Affected Software: WooCommerce Multilingual & Multicurrency with WPML <= 5.3.6
Patched Versions: WooCommerce Multilingual & Multicurrency with WPML 5.3.7

Mitigation steps: Update to WooCommerce Multilingual & Multicurrency with WPML plugin version 5.3.7 or greater.


YARPP – Yet Another Related Posts Plugin – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-43919
Number of Installations: 100,000+
Affected Software: YARPP – Yet Another Related Posts Plugin <= 5.30.10
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


LearnPress – WordPress LMS Plugin – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-8522
Number of Installations: 90,000+
Affected Software: LearnPress – WordPress LMS Plugin <= 4.2.7
Patched Versions: LearnPress – WordPress LMS Plugin 4.2.7.1

Mitigation steps: Update to LearnPress plugin version 4.2.7.1 or greater.


LearnPress – WordPress LMS Plugin – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-8529
Number of Installations: 90,000+
Affected Software: LearnPress – WordPress LMS Plugin <= 4.2.7
Patched Versions: LearnPress – WordPress LMS Plugin 4.2.7.1

Mitigation steps: Update to LearnPress plugin version 4.2.7.1 or greater.


Ninja Tables – Easiest Data Table Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-7304
Number of Installations: 90,000+
Affected Software: Ninja Tables – Easiest Data Table Builder <= 5.0.12
Patched Versions: Ninja Tables – Easiest Data Table Builder 5.0.13

Mitigation steps: Update to Ninja Tables plugin version 5.0.13 or greater.


Permalink Manager Lite – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-8195
Number of Installations: 90,000+
Affected Software: Permalink Manager Lite <= 2.4.4
Patched Versions: Permalink Manager Lite 2.4.4.1

Mitigation steps: Update to Permalink Manager Lite plugin version 2.4.4.1 or greater.


AI Engine – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-6723
Number of Installations: 80,000+
Affected Software: AI Engine <= 2.4.7
Patched Versions: AI Engine 2.4.8

Mitigation steps: Update to AI Engine plugin version 2.4.8 or greater.


WP ULike – The Ultimate Engagement Toolkit for Websites – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6792
Number of Installations: 80,000+
Affected Software: WP ULike – The Ultimate Engagement Toolkit for Websites <= 4.7.2
Patched Versions: WP ULike – The Ultimate Engagement Toolkit for Websites 4.7.2.1

Mitigation steps: Update to WP ULike plugin version 4.7.2.1 or greater.


Reviews Feed – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-8199
Number of Installations: 70,000+
Affected Software: Reviews Feed <= 1.1.9
Patched Versions: Reviews Feed 1.2.0

Mitigation steps: Update to Reviews Feed plugin version 1.2.0 or greater.


FOX – Currency Switcher Professional for WooCommerce – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-8271
Number of Installations: 60,000+
Affected Software: FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.1
Patched Versions: FOX – Currency Switcher Professional for WooCommerce 1.4.2.2

Mitigation steps: Update to FOX plugin version 1.4.2.2 or greater.


WP Booking Calendar – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8274
Number of Installations: 50,000+
Affected Software: WP Booking Calendar <= 10.5.0
Patched Versions: WP Booking Calendar 10.5.1

Mitigation steps: Update to WP Booking Calendar plugin version 10.5.1 or greater.


Shield Security – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-7313
Number of Installations: 50,000+
Affected Software: Shield Security <= 20.0.5
Patched Versions: Shield Security 20.0.6

Mitigation steps: Update to Shield Security plugin version 20.0.6 or greater.


Pixel Cat – Conversion Pixel Manager – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8544
Number of Installations: 50,000+
Affected Software: Pixel Cat – Conversion Pixel Manager <= 3.0.5
Patched Versions: Pixel Cat – Conversion Pixel Manager 3.0.6

Mitigation steps: Update to Pixel Cat plugin version 3.0.6 or greater.


Visual CSS Style Editor – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43963
Number of Installations: 50,000+
Affected Software: Visual CSS Style Editor <= 7.6.3
Patched Versions: Visual CSS Style Editor 7.6.4

Mitigation steps: Update to Visual CSS Style Editor plugin version 7.6.4 or greater.


Premium Portfolio Features for Phlox theme – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-1384
Number of Installations: 50,000+
Affected Software: Premium Portfolio Features for Phlox theme <= 2.3.3
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Theme Vulnerabilities


Mantra – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-44056
Number of Downloads: 1,152,946
Affected Software: Mantra <= 3.3.2
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Nirvana – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-44057
Number of Downloads: 752,479
Affected Software: Nirvana <= 1.6.3
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Mystique – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43988
Number of Downloads: 705,708
Affected Software: Mystique <= 2.5.7
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited. However, this theme is abandoned and has not been updated in over a year. We recommend switching to a new theme.


Tempera – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43951
Number of Downloads: 703,523
Affected Software: Tempera <= 1.8.2
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Delicate – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5867
Number of Downloads: 686,668
Affected Software: Delicate <= 3.5.5
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited. However, this theme is abandoned and has not been updated in over a year. We recommend switching to a new theme.


Parabola – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-44058
Number of Downloads: 635,288
Affected Software: Parabola <= 2.4.1
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Sliding Door – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43987
Number of Downloads: 537,528
Affected Software: Sliding Door <= 3.6
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Fluida – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-44054
Number of Downloads: 486,615
Affected Software: Fluida <= 1.8.8
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Hotel Galaxy – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43991
Number of Downloads: 247,851
Affected Software: Hotel Galaxy <= 4.4.24
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Kahuna – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43994
Number of Downloads: 170,236
Affected Software: Kahuna <= 1.7.0
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


FotaWP – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-43980
Number of Downloads: 146,783
Affected Software: FotaWP <= 1.4.1
Patched Versions: FotaWP 1.4.2

Mitigation steps: Update to FotaWP theme version 1.4.2 or greater.


Septera – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-45452
Number of Downloads: 126,076
Affected Software: Septera <= 1.5.1
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Verbosa – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-44050
Number of Downloads: 108,792
Affected Software: Verbosa <= 1.2.3
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Roseta – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-45451
Number of Downloads: 97,031
Affected Software: Roseta <= 1.3.0
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Posterity – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43995
Number of Downloads: 96,548
Affected Software: Posterity <= 3.6
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Attire – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2024-7435
Number of Downloads: 72,378
Affected Software: Attire <= 2.0.6
Patched Versions: Attire 2.0.7

Mitigation steps: Update to Attire theme version 2.0.7 or greater.


Esotera – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-43952
Number of Downloads: 59,473
Affected Software: Esotera <= 1.2.5.1
Patched Versions: No Fix

Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.

Chat with Sucuri


文章来源: https://blog.sucuri.net/2024/09/wordpress-vulnerability-patch-roundup-september-2024.html
如有侵权请联系:admin#unsafe.sh