Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
WordPress 6.5.5 Security & Maintenance Release
A new security update for WordPress has been released which features 3 bug fixes in WordPress 6.5.5, including two cross-site scripting (XSS) vulnerabilities and one path traversal issue.
We strongly encourage you to always keep your CMS patched with the latest core updates to mitigate risk and protect your WordPress website.
WooCommerce – Cross Site Scripting (XSS)
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) Number of Installations: 7,000,000+ Affected Software: WooCommerce <= 8.9.2 Patched Versions: WooCommerce 8.9.3
Mitigation steps: Update to WooCommerce plugin version 8.9.3 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5189 Number of Installations: 2,000,000+ Affected Software: Essential Addons for Elementor <= 5.9.23 Patched Versions: Essential Addons for Elementor 5.9.24
Mitigation steps: Update to Essential Addons for Elementor plugin version 5.9.24 or greater.
Elementor Header & Footer Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5757 Number of Installations: 2,000,000+ Affected Software: Elementor Header & Footer Builder <= 1.6.35 Patched Versions: Elementor Header & Footer Builder 1.6.36
Mitigation steps: Update to Elementor Header & Footer Builder plugin version 1.6.36 or greater.
WPS Hide Login – Bypass Vulnerability
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Bypass Vulnerability CVE: CVE-2024-2473 Number of Installations: 1,000,000+ Affected Software: WPS Hide Login <= 1.9.15 Patched Versions: WPS Hide Login 1.9.16
Mitigation steps: Update to WPS Hide Login plugin version 1.9.16 or greater.
Smush Image Optimization – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2023-3352 Number of Installations: 1,000,000+ Affected Software: Smush Image Optimization <= 3.16.4 Patched Versions: Smush Image Optimization 3.16.5
Mitigation steps: Update to Smush Image Optimization plugin version 3.16.5 or greater.
Solid Security – Denial of Service Attack
Security Risk: MediumLow Exploitation Level: No authentication required. Vulnerability: Denial of Service Attack CVE: CVE-2022-44593 Number of Installations: 900,000+ Affected Software: Solid Security <= 9.3.1 Patched Versions: Solid Security 9.3.2
Mitigation steps: Update to Solid Security plugin version 9.3.2 or greater.
Premium Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5553 Number of Installations: 700,000+ Affected Software: Premium Addons for Elementor <= 4.10.33 Patched Versions: Premium Addons for Elementor 4.10.34
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.34 or greater.
Ocean Extra – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5531 Number of Installations: 600,000+ Affected Software: Ocean Extra <= 2.2.8 Patched Versions: Ocean Extra 2.2.9
Mitigation steps: Update to Ocean Extra plugin version 2.2.9 or greater.
SiteOrigin Widgets Bundle – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5090 Number of Installations: 600,000+ Affected Software: SiteOrigin Widgets Bundle <= 1.61.0 Patched Versions: SiteOrigin Widgets Bundle 1.62.0
Mitigation steps: Update to SiteOrigin Widgets Bundle plugin version 1.62.0 or greater.
SiteGuard WP Plugin – Bypass Vulnerability
Security Risk: Low Exploitation Level: No authentication required. Vulnerability: Bypass Vulnerability CVE: CVE-2024-37881 Number of Installations: 500,000+ Affected Software: SiteGuard WP Plugin <= 1.7.6 Patched Versions: SiteGuard WP Plugin 1.7.7
Mitigation steps: Update to SiteGuard WP Plugin version 1.7.7 or greater.
Gutenberg Blocks with AI by Kadence WP – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4863 Number of Installations: 400,000+ Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.2.38 Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.2.39
Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.2.39 or greater.
SEOPress – On-site SEO – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1168 Number of Installations: 300,000+ Affected Software: SEOPress <= 7.9.0 Patched Versions: SEOPress 7.9.1
Mitigation steps: Update to SEOPress plugin version 7.9.1 or greater.
MetForm – Sensitive Data Exposure
Security Risk: Low Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2024-4266 Number of Installations: 300,000+ Affected Software: MetForm <= 3.8.8 Patched Versions: MetForm 3.8.9
Mitigation steps: Update to MetForm plugin version 3.8.9 or greater.
WP Go Maps (formerly WP Google Maps) – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5994 Number of Installations: 300,000+ Affected Software: WP Go Maps <= 9.0.38 Patched Versions: WP Go Maps 9.0.39
Mitigation steps: Update to WP Go Maps plugin version 9.0.39 or greater.
WordPress Funnel Builder by CartFlows – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4632 Number of Installations: 200,000+ Affected Software: WooCommerce Checkout & Funnel Builder by CartFlows <= 2.0.7 Patched Versions: WooCommerce Checkout & Funnel Builder by CartFlows 2.0.8
Mitigation steps: Update to WordPress Funnel Builder by CartFlows plugin version 2.0.8 or greater.
Orbit Fox by ThemeIsle – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2484 Number of Installations: 200,000+ Affected Software: Orbit Fox by ThemeIsle <= 2.10.34 Patched Versions: Orbit Fox by ThemeIsle 2.10.35
Mitigation steps: Update to Orbit Fox by ThemeIsle plugin version 2.10.35 or greater.
Floating Chat Widget Chaty – Cross Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires Administrator level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4149 Number of Installations: 200,000+ Affected Software: Floating Chat Widget– Chaty <= 3.2.2 Patched Versions: Floating Chat Widget Chaty 3.2.3
Mitigation steps: Update to Floating Chat Widget Chaty plugin version 3.2.3 or greater.
Jeg Elementor Kit – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4479 Number of Installations: 200,000+ Affected Software: Jeg Elementor Kit <= 2.6.5 Patched Versions: Jeg Elementor Kit 2.6.6
Mitigation steps: Update to Jeg Elementor Kit plugin version 2.6.6 or greater.
Popup Builder – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2023-6696, CVE-2024-2544 Number of Installations: 200,000+ Affected Software: Popup Builder <= 4.3.1 Patched Versions: Popup Builder 4.3.2
Mitigation steps: Update to Popup Builder plugin version 4.3.2 or greater.
Download Manager – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1766 Number of Installations: 100,000+ Affected Software: Download Manager <= 3.2.86 Patched Versions: Download Manager 3.2.87
Mitigation steps: Update to Download Manager plugin version 3.2.90 or greater.
FooGallery – Cross Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2122 Number of Installations: 100,000+ Affected Software: FooGallery <= 2.4.15 Patched Versions: FooGallery 2.4.16
Mitigation steps: Update to FooGallery plugin version 2.4.16 or greater.
PowerPack Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5787 Number of Installations: 100,000+ Affected Software: PowerPack Addons for Elementor <= 2.7.20 Patched Versions: PowerPack Addons for Elementor 2.7.21
Mitigation steps: Update to PowerPack Addons for Elementor plugin version 2.7.21 or greater.
Sassy Social Plugin – Cross Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires Administrator level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4924 Number of Installations: 100,000+ Affected Software: Sassy Social Share <= 3.3.62 Patched Versions: Sassy Social Share 3.3.63
Mitigation steps: Update to Sassy Social Share plugin version 3.3.63 or greater.
Search & Replace – SQL Injection
Security Risk: Low Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2024-4145 Number of Installations: 100,000+ Affected Software: Search & Replace <= 3.2.1 Patched Versions: Search & Replace 3.2.2
Mitigation steps: Update to Search & Replace plugin version 3.2.2 or greater.
ShopLentor – All in One Solution (formerly WooLentor) – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5530 Number of Installations: 100,000+ Affected Software: ShopLentor <= 2.9.0 Patched Versions: ShopLentor 2.9.1
Mitigation steps: Update to ShopLentor plugin version 2.9.1 or greater.
Email Subscribers by Icegram Express – SQL Injection
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2024-37252 Number of Installations: 90,000+ Affected Software: Email Subscribers by Icegram Express <= 5.7.25 Patched Versions: Email Subscribers by Icegram Express 5.7.26
Mitigation steps: Update to Email Subscribers by Icegram Express plugin version 5.7.26 or greater.
Events Manager – Cross Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3492 Number of Installations: 90,000+ Affected Software: Events Manager – Calendar, Bookings, Tickets, and more! <= 6.4.7 Patched Versions: Events Manager – Calendar, Bookings, Tickets, and more! 6.4.8
Mitigation steps: Update to Events Manager – Calendar, Bookings, Tickets, and more! plugin version 6.4.8 or greater.
Defender Security – Malware Scanner, Login Security & Firewall – Broken Authentication
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Authentication CVE: CVE-2022-44581 Number of Installations: 90,000+ Affected Software: Defender Security <= 3.3.2 Patched Versions: Defender Security 3.3.3
Mitigation steps: Update to Defender Security plugin version 3.3.3 or greater.
Slider & Popup Builder by Depicter – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2024-4390 Number of Installations: 90,000+ Affected Software: Slider & Popup Builder by Depicter <= 3.0.9 Patched Versions: Slider & Popup Builder by Depicter 3.1.0
Mitigation steps: Update to Slider & Popup Builder by Depicter plugin version 3.1.0 or greater.
Email Subscribers by Icegram Express – SQL Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2024-37252 Number of Installations: 90,000+ Affected Software: Email Subscribers by Icegram Express <= 5.7.23 Patched Versions: Email Subscribers by Icegram Express 5.7.24
Mitigation steps: Update to Email Subscribers by Icegram Express plugin version 5.7.24 or greater.
Bookly – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5584 Number of Installations: 70,000+ Affected Software: WordPress Online Booking and Scheduling Plugin – Bookly <= 23.2 Patched Versions: WordPress Online Booking and Scheduling Plugin – Bookly 23.3
Mitigation steps: Update to WordPress Online Booking and Scheduling Plugin – Bookly plugin version 23.3 or greater.
Woody code snippets – Remote Code Execution (RCE)
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Remote Code Execution (RCE) CVE: CVE-2024-3105 Number of Installations: 70,000+ Affected Software: Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.5.0 Patched Versions: Woody code snippets – Insert Header Footer Code, AdSense Ads 2.5.1
Mitigation steps: Update to Woody code snippets – Insert Header Footer Code, AdSense Ads plugin version 2.5.1 or greater.
Blog2Social: Social Media Auto Post & Scheduler – SQL Injection
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2024-3549 Number of Installations: 60,000+ Affected Software: Blog2Social: Social Media Auto Post & Scheduler <= 7.4.1 Patched Versions: Blog2Social: Social Media Auto Post & Scheduler 7.4.2
Mitigation steps: Update to Blog2Social: Social Media Auto Post & Scheduler plugin version 7.4.2 or greater.
Media Library Assistant – SQL Injection
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2024-5605 Number of Installations: 70,000+ Affected Software: Media Library Assistant <= 3.16 Patched Versions: Media Library Assistant 3.17
Mitigation steps: Update to Media Library Assistant plugin version 3.17 or greater.
User Profile Picture – Broken Access Control
Security Risk: Low Exploitation Level: Requires Author or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2024-5639 Number of Installations: 60,000+ Affected Software: User Profile Picture <= 2.6.1 Patched Versions: User Profile Picture 2.6.2
Mitigation steps: Update to User Profile Picture plugin version 2.6.2 or greater.
WP 2FA – Two-factor authentication for WordPress – Sensitive Data Exposure
Security Risk: Low Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2022-44587 Number of Installations: 60,000+ Affected Software: WP 2FA <= 2.6.3 Patched Versions: WP 2FA 2.6.4
Mitigation steps: Update to WP 2FA plugin version 2.6.4 or greater.
ConvertKit – Broken Access Control
Security Risk: Low Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2024-3961 Number of Installations: 50,000+ Affected Software: ConvertKit <= 2.4.9 Patched Versions: ConvertKit 2.4.9.1
Mitigation steps: Update to ConvertKit plugin version 2.4.9.1 or greater.
Sina Extension for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5036 Number of Installations: 50,000+ Affected Software: Sina Extension for Elementor <= 3.5.4 Patched Versions: Sina Extension for Elementor 3.5.5
Mitigation steps: Update to Sina Extension for Elementor plugin version 3.5.5 or greater.
Ultimate Blocks – WordPress Blocks Plugin – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-6692 Number of Installations: 50,000+ Affected Software: Ultimate Blocks <= 3.1.0 Patched Versions: Ultimate Blocks 3.1.1
Mitigation steps: Update to Ultimate Blocks plugin version 3.1.1 or greater.
WP Maintenance – Bypass Vulnerability
Security Risk: Low Exploitation Level: No authentication required. Vulnerability: Bypass Vulnerability CVE: CVE-2024-0789 Number of Installations: 50,000+ Affected Software: WP Maintenance <= 6.1.9.2 Patched Versions: WP Maintenance 6.1.9.3
Mitigation steps: Update to WP Maintenance plugin version 6.1.9.3 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.
Denis Sinegubko
Krasimir Konov
Alycia Mitchell
Luke Leal
Juliana Lewis
Rodrigo Escobar
Rianna MacLeod
Bruno Zanelato