WordPress Vulnerability & Patch Roundup October 2024
2024-11-2 03:12:30 Author: blog.sucuri.net

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


WordPress Core Updates

Testing is now open for WordPress 6.7 Beta 3! This is a development build, so avoid installing it on production or mission-critical websites; test it in a separate test environment instead.


Rank Math SEO – AI SEO Tools to Dominate SEO Rankings – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-9161
Number of Installations: 3,000,000+
Affected Software: Rank Math SEO <= 1.0.228
Patched Versions: Rank Math SEO 1.0.229

Mitigation steps: Update to Rank Math SEO plugin version 1.0.229 or greater.


Rank Math SEO – AI SEO Tools to Dominate SEO Rankings – PHP Object Injection

Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2024-9314
Number of Installations: 3,000,000+
Affected Software: Rank Math SEO <= 1.0.228
Patched Versions: Rank Math SEO 1.0.229

Mitigation steps: Update to Rank Math SEO plugin version 1.0.229 or greater.


Advanced Custom Fields (ACF) – Arbitrary Code Execution

Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-9529
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF) <= 6.3.6
Patched Versions: Advanced Custom Fields (ACF) 6.3.6.1

Mitigation steps: Update to Advanced Custom Fields (ACF) plugin version 6.3.6.1 or greater.


Advanced Custom Fields (ACF) – Broken Access Control

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2021-20866, CVE-2021-20865, CVE-2021-20867
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF) <= 5.10
Patched Versions: Advanced Custom Fields (ACF) 5.11

Mitigation steps: Update to Advanced Custom Fields (ACF) plugin version 5.11 or greater.


Broken Link Checker – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8981
Number of Installations: 600,000+
Affected Software: Broken Link Checker <= 2.4.0
Patched Versions: Broken Link Checker 2.4.1

Mitigation steps: Update to Broken Link Checker plugin version 2.4.1 or greater.


Contact Form Plugin by Fluent Forms – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9528
Number of Installations: 500,000+
Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19
Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20

Mitigation steps: Update to Contact Form Plugin by Fluent Forms version 5.1.20 or greater.


Royal Elementor Addons and Templates – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8482
Number of Installations: 400,000+
Affected Software: Royal Elementor Addons and Templates <= 1.3.986
Patched Versions: Royal Elementor Addons and Templates 1.3.987

Mitigation steps: Update to Royal Elementor Addons and Templates version 1.3.987 or greater.


Checkout Field Editor for WooCommerce – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8499
Number of Installations: 400,000+
Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3
Patched Versions: Checkout Field Editor for WooCommerce 2.0.4

Mitigation steps: Update to Checkout Field Editor for WooCommerce version 2.0.4 or greater.


SEOPress – On-site SEO – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9225
Number of Installations: 300,000+
Affected Software: SEOPress – On-site SEO <= 8.1
Patched Versions: SEOPress – On-site SEO 8.2

Mitigation steps: Update to SEOPress – On-site SEO version 8.2 or greater.


Ultimate Member – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8519
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.8.6
Patched Versions: Ultimate Member 2.8.7

Mitigation steps: Update to Ultimate Member version 2.8.7 or greater.


Smart Custom 404 Error Page – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9204
Number of Installations: 100,000+
Affected Software: Smart Custom 404 Error Page <= 11.4.7
Patched Versions: Smart Custom 404 Error Page 11.4.8

Mitigation steps: Update to Smart Custom 404 Error Page version 11.4.8 or greater.


Shortcodes and extra features for Phlox theme – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8486
Number of Installations: 100,000+
Affected Software: Shortcodes and extra features for Phlox theme <= 2.16.3
Patched Versions: Shortcodes and extra features for Phlox theme 2.16.4

Mitigation steps: Update to Shortcodes and extra features for Phlox theme version 2.16.4 or greater.


WooCommerce Multilingual & Multicurrency with WPML – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8629
Number of Installations: 100,000+
Affected Software: WooCommerce Multilingual & Multicurrency with WPML <= 5.3.7
Patched Versions: WooCommerce Multilingual & Multicurrency with WPML 5.3.8

Mitigation steps: Update to WooCommerce Multilingual & Multicurrency with WPML version 5.3.8 or greater.


Email Subscribers by Icegram Express – Broken Access Control

Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-8254
Number of Installations: 80,000+
Affected Software: Email Subscribers by Icegram Express <= 5.7.34
Patched Versions: Email Subscribers by Icegram Express 5.7.35

Mitigation steps: Update to Email Subscribers by Icegram Express version 5.7.35 or greater.


WordPress Infinite Scroll – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8505
Number of Installations: 50,000+
Affected Software: WordPress Infinite Scroll <= 7.1.2
Patched Versions: WordPress Infinite Scroll 7.1.3

Mitigation steps: Update to WordPress Infinite Scroll version 7.1.3 or greater.


WP Booking Calendar – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9306
Number of Installations: 50,000+
Affected Software: WP Booking Calendar <= 10.6.0
Patched Versions: WP Booking Calendar 10.6.1

Mitigation steps: Update to WP Booking Calendar version 10.6.1 or greater.


Photo Gallery, Images, Slider in Rbs Image Gallery – Broken Access Control

Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-8431
Number of Installations: 50,000+
Affected Software: Photo Gallery, Images, Slider in Rbs Image Gallery <= 3.2.21
Patched Versions: Photo Gallery, Images, Slider in Rbs Image Gallery 3.2.22

Mitigation steps: Update to Photo Gallery, Images, Slider in Rbs Image Gallery version 3.2.22 or greater.


TI WooCommerce Wishlist – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-9156
Number of Installations: 100,000+
Affected Software: TI WooCommerce Wishlist
Patched Versions: No Fix

Mitigation steps: Currently, there is no fix available. Consider disabling the plugin until a patch is released.


Elementor Website Builder – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-6757
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.24.5
Patched Versions: Elementor Website Builder 3.24.6

Mitigation steps: Update to Elementor Website Builder plugin version 3.24.6 or greater.


WooCommerce – Content Injection

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2024-9944
Number of Installations: 7,000,000+
Affected Software: WooCommerce <= 9.0.9
Patched Versions: WooCommerce 9.1.0

Mitigation steps: Update to WooCommerce plugin version 9.1.0 or greater.


Jetpack – Broken Access Control

Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-9926
Number of Installations: 4,000,000+
Affected Software: Jetpack <= 13.9.0
Patched Versions: Jetpack 13.9.1

Mitigation steps: Update to Jetpack plugin version 13.9.1 or greater.


Secure Custom Fields – Arbitrary Code Execution

Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-9529
Number of Installations: 2,000,000+
Affected Software: Secure Custom Fields <= 6.3.6
Patched Versions: Secure Custom Fields 6.3.6.1

Mitigation steps: Update to Secure Custom Fields plugin version 6.3.6.1 or greater.


TablePress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9595
Number of Installations: 700,000+
Affected Software: TablePress <= 2.4.2
Patched Versions: TablePress 2.4.3

Mitigation steps: Update to TablePress plugin version 2.4.3 or greater.


Happy Addons for Elementor – Broken Access Control

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-48045
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.12.3
Patched Versions: Happy Addons for Elementor 3.12.4

Mitigation steps: Update to Happy Addons for Elementor plugin version 3.12.4 or greater.


Ad Inserter – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-49248
Number of Installations: 300,000+
Affected Software: Ad Inserter <= 2.7.37
Patched Versions: Ad Inserter 2.7.38

Mitigation steps: Update to Ad Inserter plugin version 2.7.38 or greater.


ShortPixel Image Optimizer – Broken Access Control

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-48044
Number of Installations: 300,000+
Affected Software: ShortPixel Image Optimizer <= 5.6.3
Patched Versions: ShortPixel Image Optimizer 5.6.4

Mitigation steps: Update to ShortPixel Image Optimizer plugin version 5.6.4 or greater.


ShortPixel Image Optimizer – SQL Injection

Security Risk: High
Exploitation Level: Editor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-48043
Number of Installations: 300,000+
Affected Software: ShortPixel Image Optimizer <= 5.6.3
Patched Versions: ShortPixel Image Optimizer 5.6.4

Mitigation steps: Update to ShortPixel Image Optimizer plugin version 5.6.4 or greater.


Photo Gallery by 10Web – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5968
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.27
Patched Versions: Photo Gallery by 10Web 1.8.28

Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.28 or greater.


Elementor Addon Elements – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-8902
Number of Installations: 100,000+
Affected Software: Elementor Addon Elements <= 1.13.8
Patched Versions: Elementor Addon Elements 1.13.9

Mitigation steps: Update to Elementor Addon Elements plugin version 1.13.9 or greater.


Custom Twitter Feeds – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8983
Number of Installations: 100,000+
Affected Software: Custom Twitter Feeds <= 2.2.2
Patched Versions: Custom Twitter Feeds 2.2.3

Mitigation steps: Update to Custom Twitter Feeds plugin version 2.2.3 or greater.


Relevanssi – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9021
Number of Installations: 100,000+
Affected Software: Relevanssi <= 4.23.0
Patched Versions: Relevanssi 4.23.1

Mitigation steps: Update to Relevanssi plugin version 4.23.1 or greater.


Stackable – Broken Access Control

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-8760
Number of Installations: 100,000+
Affected Software: Stackable <= 3.13.6
Patched Versions: Stackable 3.13.7

Mitigation steps: Update to Stackable plugin version 3.13.7 or greater.


The Plus Addons for Elementor – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-8913
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.6.11
Patched Versions: The Plus Addons for Elementor 5.6.12

Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.6.12 or greater.


ShopLentor – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-9538
Number of Installations: 100,000+
Affected Software: ShopLentor <= 2.9.8
Patched Versions: ShopLentor 2.9.9

Mitigation steps: Update to ShopLentor plugin version 2.9.9 or greater.


SlimStat Analytics – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9548
Number of Installations: 90,000+
Affected Software: SlimStat Analytics <= 5.2.6
Patched Versions: SlimStat Analytics 5.2.7

Mitigation steps: Update to SlimStat Analytics plugin version 5.2.7 or greater.


All-in-One WP Migration and Backup – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-8852
Number of Installations: 5,000,000+
Affected Software: All-in-One WP Migration and Backup <= 7.86
Patched Versions: All-in-One WP Migration and Backup 7.87

Mitigation steps: Update to All-in-One WP Migration and Backup plugin version 7.87 or greater.


Simple Custom Post Order – Broken Access Control

Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-49321
Number of Installations: 300,000+
Affected Software: Simple Custom Post Order <= 2.5.7
Patched Versions: Simple Custom Post Order 2.5.8

Mitigation steps: Update to Simple Custom Post Order plugin version 2.5.8 or greater.


GiveWP – Donation Plugin and Fundraising Platform – PHP Object Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2024-9634
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 3.16.3
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 3.16.4

Mitigation steps: Update to GiveWP – Donation Plugin and Fundraising Platform version 3.16.4 or greater.


Translate WordPress – Google Language Translator – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2021-4452
Number of Installations: 100,000+
Affected Software: Translate WordPress – Google Language Translator <= 6.0.9
Patched Versions: Translate WordPress – Google Language Translator 6.0.10

Mitigation steps: Update to Translate WordPress – Google Language Translator version 6.0.10 or greater.


Discount Rules for WooCommerce – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8541
Number of Installations: 100,000+
Affected Software: Discount Rules for WooCommerce <= 2.6.5
Patched Versions: Discount Rules for WooCommerce 2.6.6

Mitigation steps: Update to Discount Rules for WooCommerce version 2.6.6 or greater.


WP-Members Membership Plugin – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9231
Number of Installations: 60,000+
Affected Software: WP-Members Membership Plugin <= 3.4.9.5
Patched Versions: WP-Members Membership Plugin 3.4.9.6

Mitigation steps: Update to WP-Members Membership Plugin version 3.4.9.6 or greater.


Calculated Fields Form – Content Injection

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2024-9940
Number of Installations: 50,000+
Affected Software: Calculated Fields Form <= 5.2.45
Patched Versions: Calculated Fields Form 5.2.46

Mitigation steps: Update to Calculated Fields Form version 5.2.46 or greater.


Sina Extension for Elementor – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-9540
Number of Installations: 50,000+
Affected Software: Sina Extension for Elementor <= 3.5.7
Patched Versions: Sina Extension for Elementor 3.5.8

Mitigation steps: Update to Sina Extension for Elementor version 3.5.8 or greater.


Elementor Header & Footer Builder – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-10050
Number of Installations: 2,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.43
Patched Versions: Elementor Header & Footer Builder 1.6.44

Mitigation steps: Update to Elementor Header & Footer Builder version 1.6.44 or greater.


ElementsKit Elementor addons – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10091
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.2.9
Patched Versions: ElementsKit Elementor addons 3.3.0

Mitigation steps: Update to ElementsKit Elementor addons version 3.3.0 or greater.


Forminator Forms – Broken Access Control

Security Risk: High
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10402
Number of Installations: 500,000+
Affected Software: Forminator Forms <= 1.35.9
Patched Versions: Forminator Forms 1.36.0

Mitigation steps: Update to Forminator Forms version 1.36.0 or greater.


WP Shortcodes Plugin — Shortcodes Ultimate – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8500
Number of Installations: 500,000+
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.2.9
Patched Versions: WP Shortcodes Plugin — Shortcodes Ultimate 7.3.0

Mitigation steps: Update to WP Shortcodes Plugin — Shortcodes Ultimate version 7.3.0 or greater.


Breeze – WordPress Cache Plugin – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-50422
Number of Installations: 300,000+
Affected Software: Breeze – WordPress Cache Plugin <= 2.1.14
Patched Versions: Breeze – WordPress Cache Plugin 2.1.15

Mitigation steps: Update to Breeze – WordPress Cache Plugin version 2.1.15 or greater.


Templately – Elementor & Gutenberg Template Library – Broken Access Control

Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-50424
Number of Installations: 300,000+
Affected Software: Templately – Elementor & Gutenberg Template Library <= 3.1.5
Patched Versions: Templately – Elementor & Gutenberg Template Library 3.1.6

Mitigation steps: Update to Templately – Elementor & Gutenberg Template Library version 3.1.6 or greater.


PDF Invoices & Packing Slips for WooCommerce – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-50421
Number of Installations: 300,000+
Affected Software: PDF Invoices & Packing Slips for WooCommerce <= 3.8.6
Patched Versions: PDF Invoices & Packing Slips for WooCommerce 3.8.7

Mitigation steps: Update to PDF Invoices & Packing Slips for WooCommerce version 3.8.7 or greater.


Qi Addons For Elementor – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-9530
Number of Installations: 200,000+
Affected Software: Qi Addons For Elementor <= 1.8.0
Patched Versions: Qi Addons For Elementor 1.8.1

Mitigation steps: Update to Qi Addons For Elementor plugin version 1.8.1 or greater.


Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8717
Number of Installations: 100,000+
Affected Software: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.3.41
Patched Versions: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer 2.3.42

Mitigation steps: Update to Dear Flipbook plugin version 2.3.42 or greater.


BuddyPress – Directory Traversal

Security Risk: High
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Directory Traversal
CVE: CVE-2024-10011
Number of Installations: 100,000+
Affected Software: BuddyPress <= 14.2.0
Patched Versions: BuddyPress 14.2.1

Mitigation steps: Update to BuddyPress plugin version 14.2.1 or greater.


Download Monitor – Broken Access Control

Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10092
Number of Installations: 90,000+
Affected Software: Download Monitor <= 5.0.12
Patched Versions: Download Monitor 5.0.13

Mitigation steps: Update to Download Monitor plugin version 5.0.13 or greater.


Import and export users and customers – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-50413
Number of Installations: 80,000+
Affected Software: Import and export users and customers <= 1.27.5
Patched Versions: Import and export users and customers 1.27.6

Mitigation steps: Update to Import and export users and customers plugin version 1.27.6 or greater.


Comments – wpDiscuz – Broken Authentication

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2024-9488
Number of Installations: 80,000+
Affected Software: Comments – wpDiscuz <= 7.6.24
Patched Versions: Comments – wpDiscuz 7.6.25

Mitigation steps: Update to Comments – wpDiscuz plugin version 7.6.25 or greater.


Call / Contact Button – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-50414
Number of Installations: 60,000+
Affected Software: Call / Contact Button <= 4.7.9.1
Patched Versions: Call / Contact Button 4.7.10

Mitigation steps: Update to Call / Contact Button plugin version 4.7.10 or greater.


Exclusive Addons for Elementor – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-10312
Number of Installations: 60,000+
Affected Software: Exclusive Addons for Elementor <= 2.7.4
Patched Versions: Exclusive Addons for Elementor 2.7.5

Mitigation steps: Update to Exclusive Addons for Elementor plugin version 2.7.5 or greater.


WP-Members Membership Plugin – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10374
Number of Installations: 60,000+
Affected Software: WP-Members Membership Plugin <= 3.4.9.5
Patched Versions: WP-Members Membership Plugin 3.4.9.6

Mitigation steps: Update to WP-Members Membership Plugin version 3.4.9.6 or greater.


Bold Page Builder – Broken Access Control

Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-50417
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.1.3
Patched Versions: Bold Page Builder 5.1.4

Mitigation steps: Update to Bold Page Builder plugin version 5.1.4 or greater.


WP Recipe Maker – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9650
Number of Installations: 50,000+
Affected Software: WP Recipe Maker <= 9.6.9
Patched Versions: WP Recipe Maker 9.7.0

Mitigation steps: Update to WP Recipe Maker plugin version 9.7.0 or greater.


RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging – Broken Access Control

Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-9583
Number of Installations: 50,000+
Affected Software: RSS Aggregator <= 4.23.12
Patched Versions: RSS Aggregator 4.23.13

Mitigation steps: Update to RSS Aggregator plugin version 4.23.13 or greater.


Secure Custom Fields – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: N/A
Number of Installations: 2,000,000+
Affected Software: Secure Custom Fields <= 6.3.6.2
Patched Versions: Secure Custom Fields 6.3.6.3

Mitigation steps: Update to Secure Custom Fields plugin version 6.3.6.3 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.

Source: https://blog.sucuri.net/2024/11/wordpress-vulnerability-patch-roundup-october-2024.html