Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
WordPress 6.5.3 – Maintenance Release
WordPress 6.5.3 has been released as a short-cycle maintenance release. It includes 12 bug fixes for Core and 9 bug fixes for the Block Editor.
We strongly encourage you to always keep your CMS patched with the latest core updates to mitigate risk and protect your WordPress website.
Elementor Website Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4619
Number of Installations: 5,000,000+
Affected Software: Elementor Website Builder – More than Just a Page Builder <= 3.21.5
Patched Versions: Elementor Website Builder – More than Just a Page Builder 3.21.6
Mitigation steps: Update to Elementor Website Builder plugin version 3.21.6 or greater.
Yoast SEO – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4984
Number of Installations: 5,000,000+
Affected Software: Yoast SEO <= 22.6
Patched Versions: Yoast SEO 22.7
Mitigation steps: Update to Yoast SEO plugin version 22.7 or greater.
Jetpack – WP Security, Backup, Speed, & Growth – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4392
Number of Installations: 4,000,000+
Affected Software: Jetpack <= 13.3
Patched Versions: Jetpack 13.4
Mitigation steps: Update to Jetpack plugin version 13.4 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4624
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.20
Patched Versions: Essential Addons for Elementor 5.9.21
Mitigation steps: Update to Essential Addons for Elementor plugin version 5.9.21 or greater.
Rank Math SEO – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4617
Number of Installations: 2,000,000+
Affected Software: Rank Math SEO with AI Best SEO Tools <= 1.0.218
Patched Versions: Rank Math SEO with AI Best SEO Tools 1.0.219
Mitigation steps: Update to Rank Math SEO plugin version 1.0.219-beta or greater.
ElementsKit Elementor and Templates Library – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3650
Number of Installations: 1,000,000+
Affected Software: ElementsKit <= 3.1.2
Patched Versions: ElementsKit 3.1.3
Mitigation steps: Update to ElementsKit plugin version 3.1.3 or greater.
Starter Templates – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4630
Number of Installations: 1,000,000+
Affected Software: Starter Templates <= 4.2.1
Patched Versions: Starter Templates 4.2.2
Mitigation steps: Update to Starter Templates plugin version 4.2.2 or greater.
One Click Demo Import – PHP Object Injection
Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2024-34433
Number of Installations: 1,000,000+
Affected Software: One Click Demo Import <= 3.2.0
Patched Versions: One Click Demo Import 3.2.1
Mitigation steps: Update to One Click Demo Import plugin version 3.2.1 or greater.
Elementor Header & Footer Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4634
Number of Installations: 1,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.28
Patched Versions: Elementor Header & Footer Builder 1.6.29
Mitigation steps: Update to Elementor Header & Footer Builder plugin version 1.6.29 or greater.
Page Builder by SiteOrigin – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4361
Number of Installations: 700,000+
Affected Software: Page Builder by SiteOrigin <= 2.29.15
Patched Versions: Page Builder by SiteOrigin 2.29.16
Mitigation steps: Update to Page Builder by SiteOrigin plugin version 2.29.16 or greater.
Premium Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4203
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.30
Patched Versions: Premium Addons for Elementor 4.10.31
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.31 or greater.
The Events Calendar – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4180
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.4.0
Patched Versions: The Events Calendar 6.4.0.1
Mitigation steps: Update to The Events Calendar plugin version 6.4.0.1 or greater.
Shortcodes Ultimate – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3550
Number of Installations: 600,000+
Affected Software: WP Shortcodes Plugin <= 7.1.5
Patched Versions: WP Shortcodes Plugin 7.1.6
Mitigation steps: Update to WP Shortcodes Plugin version 7.1.6 or greater.
NextGEN Gallery – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-2744
Number of Installations: 500,000+
Affected Software: NextGEN Gallery <= 3.59.0
Patched Versions: NextGEN Gallery 3.59.1
Mitigation steps: Update to NextGEN Gallery plugin version 3.59.1 or greater.
Contact Form Plugin by Fluent Forms – Privilege Escalation
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4709
Number of Installations: 400,000+
Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.16
Patched Versions: Contact Form Plugin by Fluent Forms 5.1.17
Mitigation steps: Update to Contact Form Plugin by Fluent Forms plugin version 5.1.17 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4865
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.10.8
Patched Versions: Happy Addons for Elementor 3.10.9
Mitigation steps: Update to Happy Addons for Elementor plugin version 3.10.9 or greater.
Gutenberg Blocks with AI by Kadence WP – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3189
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.2.37
Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.2.38
Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.2.38 or greater.
Password Protected – Broken Access Control
Security Risk: Low
Exploitation Level: Requires Subscriber level authentication or higher.
Vulnerability: Broken Access Control
CVE: CVE-2024-0437
Number of Installations: 400,000+
Affected Software: Password Protected <= 2.6.6
Patched Versions: Password Protected 2.6.7
Mitigation steps: Update to Password Protected plugin version 2.6.7 or greater.
Royal Elementor Addons and Templates – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3887
Number of Installations: 300,000+
Affected Software: Royal Elementor Addons and Templates <= 1.3.974
Patched Versions: Royal Elementor Addons and Templates 1.3.975
Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.3.975 or greater.
Blocksy Companion – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4487
Number of Installations: 200,000+
Affected Software: Blocksy Companion <= 2.0.45
Patched Versions: Blocksy Companion 2.0.46
Mitigation steps: Update to Blocksy Companion plugin version 2.0.46 or greater.
Unlimited Elements For Elementor – SQL Injection
Security Risk: High
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: SQL Injection
CVE: CVE-2024-3055
Number of Installations: 200,000+
Affected Software: Unlimited Elements For Elementor <= 1.5.104
Patched Versions: Unlimited Elements For Elementor 1.5.105
Mitigation steps: Update to Unlimited Elements For Elementor plugin version 1.5.105 or greater.
White Label CMS – Broken Access Control
Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-4280
Number of Installations: 200,000+
Affected Software: White Label CMS <= 2.7.3
Patched Versions: White Label CMS 2.7.4
Mitigation steps: Update to White Label CMS plugin version 2.7.4 or greater.
Menu Icons by ThemeIsle – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Author level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4635
Number of Installations: 200,000+
Affected Software: Menu Icons by ThemeIsle <= 0.13.13
Patched Versions: Menu Icons by ThemeIsle 0.13.14
Mitigation steps: Update to Menu Icons by ThemeIsle plugin version 0.13.14 or greater.
Image Optimization by Optimole – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Author level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4636
Number of Installations: 200,000+
Affected Software: Image Optimization by Optimole <= 3.12.9
Patched Versions: Image Optimization by Optimole 3.13.0
Mitigation steps: Update to Image Optimization by Optimole plugin version 3.13.0 or greater.
Supreme Modules Lite – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4334
Number of Installations: 200,000+
Affected Software: Supreme Modules Lite <= 2.5.3
Patched Versions: Supreme Modules Lite 2.5.4
Mitigation steps: Update to Supreme Modules Lite plugin version 2.5.4 or greater.
Essential Blocks for Gutenberg – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4891
Number of Installations: 100,000+
Affected Software: Essential Blocks <= 4.5.12
Patched Versions: Essential Blocks 4.5.13
Mitigation steps: Update to Essential Blocks for Gutenberg plugin version 4.5.13 or greater.
BuddyPress – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Subscriber level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3974
Number of Installations: 100,000+
Affected Software: BuddyPress <= 12.4.0
Patched Versions: BuddyPress 12.4.1
Mitigation steps: Update to BuddyPress plugin version 12.4.1 or greater.
Advanced Ads – Ad Manager & AdSense – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3952
Number of Installations: 100,000+
Affected Software: Advanced Ads <= 1.52.1
Patched Versions: Advanced Ads 1.52.2
Mitigation steps: Update to Advanced Ads plugin version 1.52.2 or greater.
GiveWP – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3714
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.10.9
Patched Versions: GiveWP 3.11.0
Mitigation steps: Update to GiveWP plugin version 3.11.0 or greater.
Prime Slider Addons For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4339
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.14.3
Patched Versions: Prime Slider 3.14.4
Mitigation steps: Update to Prime Slider plugin version 3.14.4 or greater.
HT Mega – Absolute Addons For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4876
Number of Installations: 100,000+
Affected Software: HT Mega <= 2.5.2
Patched Versions: HT Mega 2.5.3
Mitigation steps: Update to HT Mega plugin version 2.5.3 or greater.
ShopLentor All in One Solution (formerly WooLentor) – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3345
Number of Installations: 100,000+
Affected Software: ShopLentor <= 2.8.8
Patched Versions: ShopLentor 2.8.9
Mitigation steps: Update to ShopLentor plugin version 2.8.9 or greater.
Beaver Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4430
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.8.1.2
Patched Versions: Beaver Builder 2.8.1.3
Mitigation steps: Update to Beaver Builder plugin version 2.8.1.3 or greater.
Content Views – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4446
Number of Installations: 100,000+
Affected Software: Content Views <= 3.7.1
Patched Versions: Content Views 3.7.2
Mitigation steps: Update to Content Views plugin version 3.7.2 or greater.
Pods – Custom Content Types and Fields – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3956
Number of Installations: 100,000+
Affected Software: Pods <= 3.2.1
Patched Versions: Pods 3.2.1.1
Mitigation steps: Update to Pods plugin version 3.2.1.1 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-34373
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.4.9
Patched Versions: The Plus Addons for Elementor 5.5.0
Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.5.0 or greater.
ShopLentor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-6327
Number of Installations: 100,000+
Affected Software: ShopLentor <= 2.8.8
Patched Versions: ShopLentor 2.8.9
Mitigation steps: Update to ShopLentor plugin version 2.8.9 or greater.
Update your website software to mitigate risk. If you are unable to update to the latest version, use a web application firewall to help virtually patch known vulnerabilities and protect your website.