Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Contact Form 7 – Reflected Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Reflected Cross-Site Scripting
CVE: CVE-2024-2242
Number of Installations: 5,000,000+
Affected Software: Contact Form 7 <= 5.9
Patched Versions: Contact Form 7 5.9.2
Mitigation steps: Update to Contact Form 7 plugin version 5.9.2 or greater.
Essential Addons for Elementor – Stored Cross-Site Scripting
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1537
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.9
Patched Versions: Essential Addons for Elementor 5.9.10
Mitigation steps: Update to Essential Addons for Elementor plugin version 5.9.10 or greater.
ElementsKit Elementor addons – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1239
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.0.4
Patched Versions: ElementsKit Elementor addons 3.0.5
Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.0.5 or greater.
Elementor Header & Footer Builder – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1237
Number of Installations: 1,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.24
Patched Versions: Elementor Header & Footer Builder 1.6.25
Mitigation steps: Update to Elementor Header & Footer Builder plugin version 1.6.25 or greater.
ElementsKit Elementor addons – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2042
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.0.5
Patched Versions: ElementsKit Elementor addons 3.0.6
Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.0.6 or greater.
Premium Addons for Elementor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-0326
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.17
Patched Versions: Premium Addons for Elementor 4.10.18
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.18 or greater.
WP Statistics – Stored Cross-Site Scripting
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2194
Number of Installations: 600,000+
Affected Software: WP Statistics <= 14.5
Patched Versions: WP Statistics 14.5.1
Mitigation steps: Update to WP Statistics plugin version 14.5.1 or greater.
Happy Addons for Elementor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1366
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.10.3
Patched Versions: Happy Addons for Elementor 3.10.4
Mitigation steps: Update to Happy Addons for Elementor plugin version 3.10.4 or greater.
Fluent Forms – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6957
Number of Installations: 400,000+
Affected Software: Fluent Forms <= 5.1.9
Patched Versions: Fluent Forms 5.1.10
Mitigation steps: Update to Fluent Forms plugin version 5.1.10 or greater.
WP Go Maps – Stored Cross-Site Scripting
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-4839
Number of Installations: 400,000+
Affected Software: WP Go Maps <= 9.0.32
Patched Versions: WP Go Maps 9.0.33
Mitigation steps: Update to WP Go Maps plugin version 9.0.33 or greater.
Royal Elementor Addons and Templates – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1500
Number of Installations: 300,000+
Affected Software: Royal Elementor Addons and Templates <= 1.3.91
Patched Versions: Royal Elementor Addons and Templates 1.3.92
Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.3.92 or greater.
Otter Blocks – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2226
Number of Installations: 300,000+
Affected Software: Otter Blocks <= 2.6.4
Patched Versions: Otter Blocks 2.6.5
Mitigation steps: Update to Otter Blocks plugin version 2.6.5 or greater.
Page Builder: Pagelayer – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2127
Number of Installations: 200,000+
Affected Software: Page Builder: Pagelayer <= 1.8.3
Patched Versions: Page Builder: Pagelayer 1.8.4
Mitigation steps: Update to Page Builder: Pagelayer plugin version 1.8.4 or greater.
ProfilePress – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1535
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.15.2
Patched Versions: ProfilePress 4.15.3
Mitigation steps: Update to ProfilePress plugin version 4.15.3 or greater.
Blocksy Companion – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2392
Number of Installations: 200,000+
Affected Software: Blocksy Companion <= 2.0.31
Patched Versions: Blocksy 2.0.32
Mitigation steps: Update to Blocksy Companion version 2.0.32 or greater.
Qi Addons For Elementor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-0826
Number of Installations: 100,000+
Affected Software: Qi Addons For Elementor <= 1.6.7
Patched Versions: Qi Addons For Elementor 1.6.8
Mitigation steps: Update to Qi Addons For Elementor version 1.6.8 or greater.
Advanced Access Manager – Reflected Cross-Site Scripting
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-29127
Number of Installations: 100,000+
Affected Software: Advanced Access Manager <= 6.9.20
Patched Versions: Advanced Access Manager 6.9.21
Mitigation steps: Update to Advanced Access Manager version 6.9.21 or greater.
GiveWP – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1424
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.5.1
Patched Versions: GiveWP 3.6.0
Mitigation steps: Update to GiveWP version 3.6.0 or greater.
Essential Blocks – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2255
Number of Installations: 100,000+
Affected Software: Essential Blocks <= 4.5.2
Patched Versions: Essential Blocks 4.5.4
Mitigation steps: Update to Essential Blocks version 4.5.4 or greater.
WP Chat App – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1761
Number of Installations: 100,000+
Affected Software: WP Chat App <= 3.6.1
Patched Versions: WP Chat App 3.6.2
Mitigation steps: Update to WP Chat App plugin version 3.6.2 or greater.
Prime Slider – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1506
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.13.1
Patched Versions: Prime Slider 3.13.2
Mitigation steps: Update to Prime Slider plugin version 3.13.2 or greater.
Sassy Social Share – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1989
Number of Installations: 100,000+
Affected Software: Sassy Social Share <= 3.3.58
Patched Versions: Sassy Social Share 3.3.59
Mitigation steps: Update to Sassy Social Share plugin version 3.3.59 or greater.
The Plus Addons for Elementor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1419
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.4.0
Patched Versions: The Plus Addons for Elementor 5.4.1
Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.4.1 or greater.
Prime Slider – Addons For Elementor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1507
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.13.3
Patched Versions: Prime Slider 3.13.4
Mitigation steps: Update to Prime Slider plugin version 3.13.4 or greater.
ShopLentor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1960
Number of Installations: 100,000+
Affected Software: ShopLentor <= 2.8.1
Patched Versions: ShopLentor 2.8.2
Mitigation steps: Update to ShopLentor plugin version 2.8.2 or greater.
HUSKY – Products Filter for WooCommerce – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1796
Number of Installations: 100,000+
Affected Software: HUSKY <= 1.3.5.1
Patched Versions: HUSKY 1.3.5.2
Mitigation steps: Update to HUSKY plugin version 1.3.5.2 or greater.
Prime Slider – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1508
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.13.2
Patched Versions: Prime Slider 3.13.3
Mitigation steps: Update to Prime Slider plugin version 3.13.3 or greater.
HT Mega – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1397
Number of Installations: 100,000+
Affected Software: HT Mega <= 2.4.6
Patched Versions: HT Mega 2.4.7
Mitigation steps: Update to HT Mega plugin version 2.4.7 or greater.
Beaver Builder – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1080
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.7.4.4
Patched Versions: Beaver Builder 2.7.4.5
Mitigation steps: Update to Beaver Builder plugin version 2.7.4.5 or greater.
Permalink Manager Lite and Pro – Reflected Cross-Site Scripting
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2738
Number of Installations: 80,000+
Affected Software: Permalink Manager Lite and Pro <= 2.4.3.1
Patched Versions: Permalink Manager Lite and Pro 2.4.3.2
Mitigation steps: Update to Permalink Manager version 2.4.3.2 or greater.
Update your website software to mitigate risk. Users who are unable to update their software to the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.