Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
WordPress 6.6.1 Maintenance Release
WordPress 6.6.1 has been released, featuring 7 Core bug fixes and 9 Block Editor bug fixes. Read the Release Candidate announcement for a detailed overview of the changes.
We strongly encourage WordPress users to always keep their CMS patched with the latest core updates to mitigate risk and protect the WordPress environment.
WP Mail SMTP by WPForms – Sensitive Data Exposure
Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-6694
Number of Installations: 3,000,000+
Affected Software: WP Mail SMTP by WPForms <= 4.0.9
Patched Versions: WP Mail SMTP by WPForms 4.1.0
Mitigation steps: Update to WP Mail SMTP by WPForms plugin version 4.1.0 or greater.
Elementor Header & Footer Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-33933
Number of Installations: 2,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.35
Patched Versions: Elementor Header & Footer Builder 1.6.36
Mitigation steps: Update to Elementor Header & Footer Builder plugin version 1.6.36 or greater.
Rank Math SEO – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4627
Number of Installations: 2,000,000+
Affected Software: Rank Math SEO <= 1.0.218
Patched Versions: Rank Math SEO 1.0.219
Mitigation steps: Update to Rank Math SEO plugin version 1.0.219 or greater.
Duplicator Migration & Backup Plugin – Full Path Disclosure (FPD)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Security Misconfiguration (Full Path Disclosure)
CVE: CVE-2024-6210
Number of Installations: 1,000,000+
Affected Software: Duplicator <= 1.5.9
Patched Versions: Duplicator 1.5.10
Mitigation steps: Update to Duplicator plugin version 1.5.10 or greater.
ElementsKit Elementor addons – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-6455
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.2.0
Patched Versions: ElementsKit Elementor addons 3.2.1
Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.2.1 or greater.
Redux Framework – Cross Site Scripting (XSS)
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6828
Number of Installations: 1,000,000+
Affected Software: Redux Framework <= 4.4.17
Patched Versions: Redux Framework 4.4.18
Mitigation steps: Update to Redux Framework plugin version 4.4.18 or greater.
Security Optimizer – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-38774
Number of Installations: 1,000,000+
Affected Software: Security Optimizer <= 1.5.0
Patched Versions: Security Optimizer 1.5.1
Mitigation steps: Update to Security Optimizer plugin version 1.5.1 or greater.
WPS Hide Login – Bypass Vulnerability
Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2024-6289
Number of Installations: 1,000,000+
Affected Software: WPS Hide Login <= 1.9.16.3
Patched Versions: WPS Hide Login 1.9.16.4
Mitigation steps: Update to WPS Hide Login plugin version 1.9.16.4 or greater.
Ninja Forms – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-37934
Number of Installations: 800,000+
Affected Software: Ninja Forms <= 3.8.4
Patched Versions: Ninja Forms 3.8.5
Mitigation steps: Update to Ninja Forms plugin version 3.8.5 or greater.
Spectra – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-37517
Number of Installations: 800,000+
Affected Software: Spectra <= 2.13.7
Patched Versions: Spectra 2.13.8
Mitigation steps: Update to Spectra plugin version 2.13.8 or greater.
Premium Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6495
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.36
Patched Versions: Premium Addons for Elementor 4.10.37
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.37 or greater.
Ocean Extra – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37489
Number of Installations: 600,000+
Affected Software: Ocean Extra <= 2.2.9
Patched Versions: Ocean Extra 2.3.0
Mitigation steps: Update to Ocean Extra plugin version 2.3.0 or greater.
Easy Table of Contents – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6334
Number of Installations: 500,000+
Affected Software: Easy Table of Contents <= 2.0.67
Patched Versions: Easy Table of Contents 2.0.67.1
Mitigation steps: Update to Easy Table of Contents plugin version 2.0.67.1 or greater.
NextGEN Gallery – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-39627
Number of Installations: 500,000+
Affected Software: NextGEN Gallery <= 3.59.3
Patched Versions: NextGEN Gallery 3.59.4
Mitigation steps: Update to NextGEN Gallery plugin version 3.59.4 or greater.
Gutenberg – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37492
Number of Installations: 300,000+
Affected Software: Gutenberg <= 18.6.0
Patched Versions: Gutenberg 18.6.1
Mitigation steps: Update to Gutenberg plugin version 18.6.1 or greater.
Unlimited Elements For Elementor – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6169
Number of Installations: 200,000+
Affected Software: Unlimited Elements For Elementor <= 1.5.112
Patched Versions: Unlimited Elements For Elementor 1.5.113
Mitigation steps: Update to Unlimited Elements For Elementor plugin version 1.5.113 or greater.
User Feedback – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5902
Number of Installations: 200,000+
Affected Software: User Feedback <= 1.0.15
Patched Versions: User Feedback 1.0.16
Mitigation steps: Update to User Feedback plugin version 1.0.16 or greater.
Feeds for YouTube – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6256
Number of Installations: 100,000+
Affected Software: Feeds for YouTube <= 2.2.1
Patched Versions: Feeds for YouTube 2.2.2
Mitigation steps: Update to Feeds for YouTube plugin version 2.2.2 or greater.
HT Mega – Absolute Addons For Elementor – Path Traversal
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2024-38706
Number of Installations: 100,000+
Affected Software: HT Mega <= 2.5.7
Patched Versions: HT Mega 2.5.8
Mitigation steps: Update to HT Mega plugin version 2.5.8 or greater.
Inline Related Posts – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5626
Number of Installations: 100,000+
Affected Software: Inline Related Posts <= 3.6.9
Patched Versions: Inline Related Posts 3.7.0
Mitigation steps: Update to Inline Related Posts plugin version 3.7.0 or greater.
WordPress MaxButtons – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3026
Number of Installations: 100,000+
Affected Software: MaxButtons <= 9.7.7
Patched Versions: MaxButtons 9.7.8
Mitigation steps: Update to MaxButtons plugin version 9.7.8 or greater.
HUSKY – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-6457
Number of Installations: 100,000+
Affected Software: HUSKY <= 1.3.6
Patched Versions: HUSKY 1.3.6.1
Mitigation steps: Update to HUSKY plugin version 1.3.6.1 or greater.
Element Pack Elementor Addons – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5555
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.6.5
Patched Versions: Element Pack Elementor Addons 5.6.6
Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.6.6 or greater.
GiveWP – Insecure Direct Object References (IDOR)
Security Risk: Low
Exploitation Level: Requires GiveWP Worker privileges.
Vulnerability: Broken Access Control
CVE: CVE-2024-5977
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.13.9
Patched Versions: GiveWP 3.14.0
Mitigation steps: Update to GiveWP plugin version 3.14.0 or greater.
Schema & Structured Data for WP & AMP – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5582
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP <= 1.34.0
Patched Versions: Schema & Structured Data for WP & AMP 1.34.1
Mitigation steps: Update to Schema & Structured Data for WP & AMP plugin version 1.34.1 or greater.
CTX Feed – Privilege Escalation
Security Risk: High
Exploitation Level: Requires Shop Manager level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2024-38775
Number of Installations: 100,000+
Affected Software: CTX Feed <= 6.5.6
Patched Versions: CTX Feed 6.5.7
Mitigation steps: Update to CTX Feed plugin version 6.5.7 or greater.
Mercado Pago payments for WooCommerce – Arbitrary File Download
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2024-3934
Number of Installations: 100,000+
Affected Software: Mercado Pago <= 7.6.1
Patched Versions: Mercado Pago 7.6.2
Mitigation steps: Update to Mercado Pago plugin version 7.6.2 or greater.
Beaver Builder – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37500
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.8.2
Patched Versions: Beaver Builder 2.8.3
Mitigation steps: Update to Beaver Builder plugin version 2.8.3 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4482
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.6.1
Patched Versions: The Plus Addons for Elementor 5.6.2
Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.6.2 or greater.
Featured Image from URL (FIFU) – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-37516
Number of Installations: 90,000+
Affected Software: FIFU <= 4.8.2
Patched Versions: FIFU 4.8.3
Mitigation steps: Update to Featured Image from URL plugin version 4.8.3 or greater.
LearnPress – Local File Inclusion
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2024-6589
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.6.8.2
Patched Versions: LearnPress 4.2.6.9
Mitigation steps: Update to LearnPress plugin version 4.2.6.9 or greater.
Paid Memberships Pro – SQL Injection
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-37486
Number of Installations: 90,000+
Affected Software: Paid Memberships Pro <= 3.0.5
Patched Versions: Paid Memberships Pro 3.0.6
Mitigation steps: Update to Paid Memberships Pro plugin version 3.0.6 or greater.
The Post Grid – Broken Access Control
Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-37483
Number of Installations: 90,000+
Affected Software: The Post Grid <= 7.7.4
Patched Versions: The Post Grid 7.7.5
Mitigation steps: Update to The Post Grid plugin version 7.7.5 or greater.
Email Subscribers by Icegram Express – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-5703
Number of Installations: 90,000+
Affected Software: Email Subscribers by Icegram Express <= 5.7.26
Patched Versions: Email Subscribers by Icegram Express 5.7.27
Mitigation steps: Update to Email Subscribers by Icegram Express plugin version 5.7.27 or greater.
EmbedPress – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-38707
Number of Installations: 90,000+
Affected Software: EmbedPress <= 4.0.4
Patched Versions: EmbedPress 4.0.5
Mitigation steps: Update to EmbedPress plugin version 4.0.5 or greater.
Tutor LMS – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37947
Number of Installations: 90,000+
Affected Software: Tutor LMS <= 2.7.2
Patched Versions: Tutor LMS 2.7.3
Mitigation steps: Update to Tutor LMS plugin version 2.7.3 or greater.
Brizy Page Builder – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-1937
Number of Installations: 80,000+
Affected Software: Brizy <= 2.4.44
Patched Versions: Brizy 2.4.45
Mitigation steps: Update to Brizy plugin version 2.4.45 or greater.
YITH WooCommerce Ajax Product Filter – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-37943
Number of Installations: 80,000+
Affected Software: YITH WooCommerce Ajax Product Filter <= 5.1.9
Patched Versions: YITH WooCommerce Ajax Product Filter 5.2.0
Mitigation steps: Update to YITH WooCommerce Ajax Product Filter plugin version 5.2.0 or greater.
Booking for Appointments and Events Calendar Amelia – Backdoor
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Backdoor
Number of Installations: 70,000+
Affected Software: Amelia <= 1.1.8
Patched Versions: Amelia 1.1.9
Mitigation steps: Update to Amelia plugin version 1.1.9 or greater. Because this entry is a backdoor rather than a coding flaw, updating alone does not establish that the site is clean: while the affected version was installed, review the site for unexpected administrator accounts, added or modified files, and scheduled tasks, and remove anything that was not put there by you.
Media Library Assistant – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5544
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.17
Patched Versions: Media Library Assistant 3.18
Mitigation steps: Update to Media Library Assistant plugin version 3.18 or greater.
Form Maker by 10Web – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6130
Number of Installations: 50,000+
Affected Software: Form Maker by 10Web <= 1.15.25
Patched Versions: Form Maker by 10Web 1.15.26
Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.26 or greater.
Sina Extension for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5260
Number of Installations: 50,000+
Affected Software: Sina Extension for Elementor <= 3.5.5
Patched Versions: Sina Extension for Elementor 3.5.6
Mitigation steps: Update to Sina Extension for Elementor plugin version 3.5.6 or greater.
Ultimate Blocks Gutenberg Blocks – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4655
Number of Installations: 50,000+
Affected Software: Ultimate Blocks <= 3.1.9
Patched Versions: Ultimate Blocks 3.2.0
Mitigation steps: Update to Ultimate Blocks Gutenberg Blocks plugin version 3.2.0 or greater.
Pixel Manager for WooCommerce – Backdoor
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Backdoor
Number of Installations: 50,000+
Affected Software: Pixel Manager for WooCommerce <= 1.43.3
Patched Versions: Pixel Manager for WooCommerce 1.43.4
Mitigation steps: Update to Pixel Manager for WooCommerce plugin version 1.43.4 or greater. As with any backdoor, the update removes the offending code but not whatever it may already have done: check for unexpected administrator accounts, added or modified files, and scheduled tasks created while the affected version was installed.
Premium Portfolio Features for Phlox theme – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3587
Number of Installations: 50,000+
Affected Software: Premium Portfolio Features for Phlox theme <= 2.3.2
Patched Versions: Premium Portfolio Features for Phlox theme 2.3.3
Mitigation steps: Update to Premium Portfolio Features for Phlox theme plugin version 2.3.3 or greater.
Getwid Gutenberg Blocks – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-6491
Number of Installations: 50,000+
Affected Software: Getwid <= 2.0.10
Patched Versions: Getwid 2.0.11
Mitigation steps: Update to Getwid plugin version 2.0.11 or greater.
Image Hover Effects – Elementor Addon – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4780
Number of Installations: 50,000+
Affected Software: Image Hover Effects – Elementor Addon <= 1.4.3
Patched Versions: Image Hover Effects – Elementor Addon 1.4.4
Mitigation steps: Update to Image Hover Effects – Elementor Addon plugin version 1.4.4 or greater.
RSS Aggregator – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-6621
Number of Installations: 50,000+
Affected Software: RSS Aggregator <= 4.23.11
Patched Versions: RSS Aggregator 4.23.12
Mitigation steps: Update to RSS Aggregator plugin version 4.23.12 or greater.
Update your website software to mitigate risk. Inactive plugins still ship their PHP files, so a vulnerable version is a risk whether or not it is activated; remove what you do not use. Users who are not able to update their software to the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.
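The "Affected Software <= X" ceilings above are only useful if they are compared correctly against what is actually installed, and plain string comparison gets this wrong (for example, "1.5.9" sorts after "1.5.10" as a string, so a site still on the vulnerable Duplicator release would look patched). The following is an added example, not code from the original post or from Sucuri: a small Python check that parses the JSON produced by `wp plugin list --format=json` and reports every installed plugin at or below its last vulnerable version. The plugin slugs in ADVISORIES are assumed to match the wordpress.org directory slugs and cover only a subset of the entries above; the plugin list fed to it is constructed for the example, and in practice you would pipe in the real WP-CLI output.

```python
import json
import re

# Ceilings taken from the "Affected Software" / "Patched Versions" entries above.
# Slugs are an assumption (wordpress.org directory slugs); extend the dict for
# the rest of the list and verify each slug against your own wp-content/plugins/.
ADVISORIES = {
    "wp-mail-smtp": ("4.0.9", "4.1.0"),
    "duplicator": ("1.5.9", "1.5.10"),
    "redux-framework": ("4.4.17", "4.4.18"),
    "ninja-forms": ("3.8.4", "3.8.5"),
    "easy-table-of-contents": ("2.0.67", "2.0.67.1"),
    "learnpress": ("4.2.6.8.2", "4.2.6.9"),
    "gutenberg": ("18.6.0", "18.6.1"),
}

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(v: str) -> tuple:
    """Turn a dotted version into a sortable key.

    Numeric components compare as integers, so 1.5.10 > 1.5.9 and
    2.0.67.1 > 2.0.67. Trailing zero components are dropped so that
    2.3 == 2.3.0. A pre-release suffix (e.g. "-beta1", "rc2") sorts
    below the bare release of the same number.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers = numbers[:-1]
    prerelease = m.group(2).strip("-. ").lower()
    # Flag 0 = pre-release, 1 = final release, so "4.1.0-beta1" < "4.1.0".
    return (numbers, 0 if prerelease else 1, prerelease)


def is_vulnerable(installed: str, last_vulnerable: str) -> bool:
    """True when the installed version is at or below the last vulnerable one."""
    return parse_version(installed) <= parse_version(last_vulnerable)


def audit(plugin_list_json: str, advisories: dict = ADVISORIES) -> list:
    """Return (slug, installed, first_patched) for each vulnerable installed plugin.

    Inactive plugins are reported too: their files are still on disk and
    reachable, so a vulnerable version matters regardless of status.
    """
    findings = []
    for entry in json.loads(plugin_list_json):
        slug, installed = entry["name"], entry["version"]
        if slug not in advisories:
            continue
        last_vulnerable, patched = advisories[slug]
        if is_vulnerable(installed, last_vulnerable):
            findings.append((slug, installed, patched))
    return findings


# Constructed sample of `wp plugin list --format=json` output (not a real site).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "duplicator", "status": "active", "update": "available", "version": "1.5.9"},
    {"name": "wp-mail-smtp", "status": "active", "update": "none", "version": "4.1.0"},
    {"name": "easy-table-of-contents", "status": "active", "update": "available", "version": "2.0.67"},
    {"name": "learnpress", "status": "inactive", "update": "none", "version": "4.2.6.9"},
    {"name": "ninja-forms", "status": "active", "update": "none", "version": "3.10.0"},
    {"name": "gutenberg", "status": "inactive", "update": "available", "version": "18.6.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3.3"},
])


if __name__ == "__main__":
    # Real usage: wp plugin list --format=json | python3 audit_plugins.py
    for slug, installed, patched in audit(SAMPLE_PLUGIN_LIST):
        print(f"{slug}: installed {installed}, update to {patched} or greater")
```

Note the ninja-forms entry: 3.10.0 is newer than the 3.8.4 ceiling, and the integer comparison says so, whereas a string comparison would have flagged it as vulnerable. The gutenberg entry is inactive and is still reported, which is deliberate.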