Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Elementor Website Builder – Cross-Site Scripting (XSS)
Security Risk: High
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-0506
Number of Installations: 5,000,000+
Affected Software: Elementor Website Builder <= 3.18.3
Patched Versions: Elementor Website Builder 3.19.0
Mitigation steps: Update to Elementor Website Builder plugin version 3.19.0 or greater.
Elementor – Arbitrary File Deletion & PHAR Deserialization
Security Risk: High
Vulnerability: Path Traversal
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-24934
Number of Installations: 5,000,000+
Affected Software: Elementor Website Builder – More than Just a Page Builder <= 3.19.0
Patched Versions: Elementor Website Builder – More than Just a Page Builder 3.19.1
Mitigation steps: Update to Elementor Website Builder plugin version 3.19.1 or greater.
LiteSpeed Cache – Cross-Site Scripting (XSS)
Security Risk: High
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: No authentication required.
CVE: CVE-2023-40000
Number of Installations: 5,000,000+
Affected Software: LiteSpeed Cache <= 5.7
Patched Versions: LiteSpeed Cache 5.7.0.1
Mitigation steps: Update LiteSpeed Cache to version 5.7.0.1 or newer.
Essential Addons for Elementor – Cross-Site Scripting (XSS)
Security Risk: High
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1236
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.8
Patched Versions: Essential Addons for Elementor 5.9.9
Mitigation steps: Update to Essential Addons for Elementor plugin version 5.9.9 or greater.
All-In-One Security (AIOS) Security and Firewall – Cross-Site Scripting (XSS)
Security Risk: Low
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: No authentication required.
CVE: CVE-2024-1037
Number of Installations: 1,000,000+
Affected Software: All-In-One Security (AIOS) – Security and Firewall <= 5.2.5
Patched Versions: All-In-One Security (AIOS) – Security and Firewall 5.2.6
Mitigation steps: Update to All-In-One Security (AIOS) – Security and Firewall plugin version 5.2.6 or greater.
Meta Box – WordPress Custom Fields Framework – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2023-6526
Number of Installations: 700,000+
Affected Software: Meta Box – WordPress Custom Fields Framework <= 5.9.2
Patched Versions: Meta Box – WordPress Custom Fields Framework 5.9.3
Mitigation steps: Update to Meta Box – WordPress Custom Fields Framework plugin version 5.9.3 or greater.
Premium Addons for Elementor – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1242
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.18
Patched Versions: Premium Addons for Elementor 4.10.19
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.19 or greater.
Broken Link Checker – Cross-Site Scripting (XSS)
Security Risk: Low
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Admin level authentication.
CVE: CVE-2024-25592
Number of Installations: 600,000+
Affected Software: Broken Link Checker <= 2.2.3
Patched Versions: Broken Link Checker 2.2.4
Mitigation steps: Update to Broken Link Checker plugin version 2.2.4 or greater.
Ocean Extra – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1277
Number of Installations: 700,000+
Affected Software: Ocean Extra <= 2.2.4
Patched Versions: Ocean Extra 2.2.5
Mitigation steps: Update to Ocean Extra plugin version 2.2.5 or greater.
WP Shortcodes Plugin — Shortcodes Ultimate – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1510
Number of Installations: 600,000+
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.2
Patched Versions: WP Shortcodes Plugin — Shortcodes Ultimate 7.0.3
Mitigation steps: Update to WP Shortcodes Plugin — Shortcodes Ultimate version 7.0.3 or greater.
SiteOrigin Widgets Bundle – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1070
Number of Installations: 600,000+
Affected Software: SiteOrigin Widgets Bundle <= 1.58.3
Patched Versions: SiteOrigin Widgets Bundle 1.58.4
Mitigation steps: Update to SiteOrigin Widgets Bundle version 1.58.4 or greater.
Happy Addons for Elementor – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-0438
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.10.1
Patched Versions: Happy Addons for Elementor 3.10.2
Mitigation steps: Update to Happy Addons for Elementor version 3.10.2 or greater.
Password Protected Ultimate Plugin – Cross-Site Scripting (XSS)
Security Risk: Low
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Admin level authentication.
CVE: CVE-2024-0656
Number of Installations: 400,000+
Affected Software: Password Protected <= 2.6.6
Patched Versions: Password Protected 2.6.7
Mitigation steps: Update to Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease version 2.6.7 or greater.
Royal Elementor Addons and Templates – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-0442
Number of Installations: 300,000+
Affected Software: Royal Elementor Addons and Templates <= 1.3.87
Patched Versions: Royal Elementor Addons and Templates 1.3.88
Mitigation steps: Update to Royal Elementor Addons and Templates version 1.3.88 or greater.
Backuply – Backup, Restore, Migrate and Clone – Denial of Service
Security Risk: High
Vulnerability: Denial of Service
Exploitation Level: No authentication required.
CVE: CVE-2024-0842
Number of Installations: 200,000+
Affected Software: Backuply – Backup, Restore, Migrate and Clone <= 1.2.6
Patched Versions: Backuply – Backup, Restore, Migrate and Clone 1.2.7
Mitigation steps: Update to Backuply – Backup, Restore, Migrate and Clone version 1.2.7 or greater.
InfiniteWP Client – Sensitive Information Exposure
Security Risk: Low
Vulnerability: Sensitive Information Exposure
Exploitation Level: No authentication required.
CVE: CVE-2023-6565
Number of Installations: 200,000+
Affected Software: InfiniteWP Client <= 1.12.3
Patched Versions: InfiniteWP Client 1.12.3.1
Mitigation steps: Update to InfiniteWP Client version 1.12.3.1 or greater.
ProfilePress – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1409
Number of Installations: 200,000+
Affected Software: Paid Membership Plugin ProfilePress <= 4.15.0
Patched Versions: Paid Membership Plugin ProfilePress 4.15.1
Mitigation steps: Update to ProfilePress plugin version 4.15.1 or greater.
User Feedback – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: No authentication required.
CVE: CVE-2024-0903
Number of Installations: 200,000+
Affected Software: User Feedback <= 1.0.13
Patched Versions: User Feedback 1.0.14
Mitigation steps: Update to User Feedback plugin version 1.0.14 or greater.
Page Builder: Pagelayer – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1590
Number of Installations: 200,000+
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.2
Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 1.8.3
Mitigation steps: Update to Page Builder: Pagelayer plugin version 1.8.3 or greater.
PowerPack Addons for Elementor – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1411
Number of Installations: 100,000+
Affected Software: PowerPack Addons for Elementor <= 2.7.15
Patched Versions: PowerPack Addons for Elementor 2.7.16
Mitigation steps: Update to PowerPack Addons for Elementor plugin version 2.7.16 or greater.
Elementor Addon Elements – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1392
Number of Installations: 100,000+
Affected Software: Elementor Addon Elements <= 1.12.12
Patched Versions: Elementor Addon Elements 1.12.13
Mitigation steps: Update to Elementor Addon Elements plugin version 1.12.13 or greater.
Elementor Addon Elements – Directory Traversal to Local File Inclusion
Security Risk: High
Vulnerability: Directory Traversal
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1358
Number of Installations: 100,000+
Affected Software: Elementor Addon Elements <= 1.12.12
Patched Versions: Elementor Addon Elements 1.13
Mitigation steps: Update to Elementor Addon Elements version 1.13 or greater.
PDF Flipbook, 3D Flipbook – DearFlip – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-0895
Number of Installations: 100,000+
Affected Software: PDF Flipbook, 3D Flipbook – DearFlip <= 2.2.26
Patched Versions: PDF Flipbook, 3D Flipbook – DearFlip 2.2.27
Mitigation steps: Update to PDF Flipbook, 3D Flipbook – DearFlip plugin version 2.2.27 or newer.
Insert PHP Code Snippet – Cross-Site Scripting (XSS)
Security Risk: Low
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Admin level authentication.
CVE: CVE-2024-0658
Number of Installations: 100,000+
Affected Software: Insert PHP Code Snippet <= 1.3.4
Patched Versions: Insert PHP Code Snippet 1.3.5
Mitigation steps: Update to Insert PHP Code Snippet plugin version 1.3.5 or newer.
Best WordPress Gallery Plugin – FooGallery – Cross-Site Scripting (XSS)
Security Risk: Low
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Administrator or higher level authentication.
CVE: CVE-2024-0604
Number of Installations: 100,000+
Affected Software: Best WordPress Gallery Plugin – FooGallery <= 2.4.7
Patched Versions: Best WordPress Gallery Plugin – FooGallery 2.4.9
Mitigation steps: Update to Best WordPress Gallery Plugin – FooGallery version 2.4.9 or newer.
YARPP – Yet Another Related Posts Plugin – Cross-Site Scripting (XSS)
Security Risk: Low
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Administrator or higher level authentication.
CVE: CVE-2024-0602
Number of Installations: 100,000+
Affected Software: YARPP – Yet Another Related Posts Plugin <= 5.30.9
Patched Versions: YARPP – Yet Another Related Posts Plugin 5.30.10
Mitigation steps: Update to YARPP – Yet Another Related Posts Plugin version 5.30.10 or newer.
Sassy Social Share – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1448
Number of Installations: 100,000+
Affected Software: Social Sharing Plugin – Sassy Social Share <= 3.3.56
Patched Versions: Social Sharing Plugin – Sassy Social Share 3.3.57
Mitigation steps: Update to Social Sharing Plugin – Sassy Social Share version 3.3.57 or newer.
Beaver Builder – Cross-Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-0897
Number of Installations: 100,000+
Affected Software: Beaver Builder – WordPress Page Builder <= 2.7.4.2
Patched Versions: Beaver Builder – WordPress Page Builder 2.7.4.3
Mitigation steps: Update to Beaver Builder – WordPress Page Builder version 2.7.4.3 or newer.
Schema & Structured Data for WP & AMP – Cross-Site Scripting (XSS)
Security Risk: Low
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Admin or custom level authentication.
CVE: CVE-2024-1586
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP <= 1.26
Patched Versions: Schema & Structured Data for WP & AMP 1.27
Mitigation steps: Update to Schema & Structured Data for WP & AMP version 1.27 or newer.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.