Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
WordPress 6.6.2 Maintenance Release
WordPress version 6.6.2 has been released! This update includes 15 bug fixes in the Core and 11 in the Block Editor, fixing issues like unexpected CSS specificity changes in various themes.
We strongly encourage WordPress users to always keep their CMS patched with the latest core updates to mitigate risk and protect the WordPress environment.
Plugin Vulnerabilities
Elementor Website Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5416 Number of Installations: 10,000,000+ Affected Software: Elementor Website Builder <= 3.23.9 Patched Versions: Elementor Website Builder 3.24.0
Mitigation steps: Update to Elementor Website Builder plugin version 3.24.0 or greater.
LiteSpeed Cache – Broken Authentication
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: Broken Authentication CVE: CVE-2024-44000 Number of Installations: 6,000,000+ Affected Software: LiteSpeed Cache <= 6.5.0 Patched Versions: LiteSpeed Cache 6.5.0.1
Mitigation steps: Update to LiteSpeed Cache plugin version 6.5.0.1 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8440 Number of Installations: 2,000,000+ Affected Software: Essential Addons for Elementor <= 6.0.3 Patched Versions: Essential Addons for Elementor 6.0.4
Mitigation steps: Update to Essential Addons for Elementor plugin version 6.0.4 or greater.
MC4WP: Mailchimp for WordPress – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8850 Number of Installations: 2,000,000+ Affected Software: MC4WP: Mailchimp for WordPress 4.9.9 - 4.9.16 Patched Versions: MC4WP: Mailchimp for WordPress 4.9.17
Mitigation steps: Update to MC4WP: Mailchimp for WordPress plugin version 4.9.17 or greater.
MC4WP: Mailchimp for WordPress – Cross Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8680 Number of Installations: 2,000,000+ Affected Software: MC4WP: Mailchimp for WordPress <= 4.9.16 Patched Versions: MC4WP: Mailchimp for WordPress 4.9.17
Mitigation steps: Update to MC4WP: Mailchimp for WordPress plugin version 4.9.17 or greater.
W3 Total Cache – Sensitive Data Exposure
Security Risk: Low Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2023-5359 Number of Installations: 1,000,000+ Affected Software: W3 Total Cache <= 2.7.5 Patched Versions: W3 Total Cache 2.7.6
Mitigation steps: Update to W3 Total Cache plugin version 2.7.6 or greater.
Ninja Forms – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: N/A Number of Installations: 800,000+ Affected Software: Ninja Forms <= 3.8.10 Patched Versions: Ninja Forms 3.8.11
Mitigation steps: Update to Ninja Forms plugin version 3.8.11 or greater.
Ninja Forms – Cross Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43999 Number of Installations: 800,000+ Affected Software: Ninja Forms <= 3.8.11 Patched Versions: Ninja Forms 3.8.12
Mitigation steps: Update to Ninja Forms plugin version 3.8.12 or greater.
Popup Maker – Cross Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5561 Number of Installations: 700,000+ Affected Software: Popup Maker <= 1.19.0 Patched Versions: Popup Maker 1.19.1
Mitigation steps: Update to Popup Maker plugin version 1.19.1 or greater.
Migration, Backup, Staging – WPvivid – Sensitive Data Exposure
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2024-7315 Number of Installations: 500,000+ Affected Software: WPvivid <= 0.9.105 Patched Versions: WPvivid 0.9.106
Mitigation steps: Update to WPvivid plugin version 0.9.106 or greater.
Page Builder Gutenberg Blocks – CoBlocks – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Editor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-7132 Number of Installations: 400,000+ Affected Software: CoBlocks <= 3.1.12 Patched Versions: CoBlocks 3.1.13
Mitigation steps: Update to CoBlocks plugin version 3.1.13 or greater.
Contact Form Plugin by Fluent Forms – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2024-5053 Number of Installations: 400,000+ Affected Software: Fluent Forms <= 5.1.18 Patched Versions: Fluent Forms 5.1.19
Mitigation steps: Update to Fluent Forms plugin version 5.1.19 or greater.
PixelYourSite – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2024-7870 Number of Installations: 400,000+ Affected Software: PixelYourSite <= 9.7.1 Patched Versions: PixelYourSite 9.7.2
Mitigation steps: Update to PixelYourSite plugin version 9.7.2 or greater.
Royal Elementor Addons and Templates – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-44001 Number of Installations: 400,000+ Affected Software: Royal Elementor Addons <= 1.3.984 Patched Versions: Royal Elementor Addons 1.3.985
Mitigation steps: Update to Royal Elementor Addons plugin version 1.3.985 or greater.
HubSpot – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5879 Number of Installations: 300,000+ Affected Software: HubSpot <= 11.1.33 Patched Versions: HubSpot 11.1.34
Mitigation steps: Update to HubSpot plugin version 11.1.34 or greater.
Backuply – SQL Injection
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2024-8669 Number of Installations: 200,000+ Affected Software: Backuply <= 1.3.4 Patched Versions: Backuply 1.3.5
Mitigation steps: Update to Backuply plugin version 1.3.5 or greater.
Jeg Elementor Kit – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-6804 Number of Installations: 200,000+ Affected Software: Jeg Elementor Kit <= 2.6.7 Patched Versions: Jeg Elementor Kit 2.6.8
Mitigation steps: Update to Jeg Elementor Kit plugin version 2.6.8 or greater.
Responsive Lightbox & Gallery – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2024-43924 Number of Installations: 200,000+ Affected Software: Responsive Lightbox & Gallery <= 2.4.7 Patched Versions: Responsive Lightbox & Gallery 2.4.8
Mitigation steps: Update to Responsive Lightbox & Gallery plugin version 2.4.8 or greater.
Photo Gallery by 10Web – Cross Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-44043 Number of Installations: 200,000+ Affected Software: Photo Gallery by 10Web <= 1.8.27 Patched Versions: Photo Gallery by 10Web 1.8.28
Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.28 or greater.
Popup Builder – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2024-2541 Number of Installations: 200,000+ Affected Software: Popup Builder <= 4.3.3 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Beaver Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-7895 Number of Installations: 100,000+ Affected Software: Beaver Builder <= 2.8.3.5 Patched Versions: Beaver Builder 2.8.3.6
Mitigation steps: Update to Beaver Builder plugin version 2.8.3.6 or greater.
Beaver Builder – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43926 Number of Installations: 100,000+ Affected Software: Beaver Builder <= 2.8.3.3 Patched Versions: Beaver Builder 2.8.3.4
Mitigation steps: Update to Beaver Builder plugin version 2.8.3.4 or greater.
EmbedPress – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43936 Number of Installations: 100,000+ Affected Software: EmbedPress <= 4.0.8 Patched Versions: EmbedPress 4.0.9
Mitigation steps: Update to EmbedPress plugin version 4.0.9 or greater.
My Sticky Bar – Cross Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-7133 Number of Installations: 100,000+ Affected Software: My Sticky Bar <= 2.7.2 Patched Versions: My Sticky Bar 2.7.3
Mitigation steps: Update to My Sticky Bar plugin version 2.7.3 or greater.
Envira Photo Gallery – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3899 Number of Installations: 100,000+ Affected Software: Envira Photo Gallery <= 1.8.14 Patched Versions: Envira Photo Gallery 1.8.15
Mitigation steps: Update to Envira Photo Gallery plugin version 1.8.15 or greater.
Envira Photo Gallery – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2024-43925 Number of Installations: 100,000+ Affected Software: Envira Photo Gallery <= 1.8.14 Patched Versions: Envira Photo Gallery 1.8.15
Mitigation steps: Update to Envira Photo Gallery plugin version 1.8.15 or greater.
GiveWP – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2024-6551 Number of Installations: 100,000+ Affected Software: GiveWP <= 3.15.9 Patched Versions: GiveWP 3.16.0
Mitigation steps: Update to GiveWP plugin version 3.16.0 or greater.
Ivory Search – WordPress Search Plugin – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2024-6835 Number of Installations: 100,000+ Affected Software: Ivory Search – WordPress Search Plugin <= 5.5.6 Patched Versions: Ivory Search – WordPress Search Plugin 5.5.7
Mitigation steps: Update to Ivory Search plugin version 5.5.7 or greater.
NitroPack – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2024-43922 Number of Installations: 100,000+ Affected Software: NitroPack <= 1.16.7 Patched Versions: NitroPack 1.16.8
Mitigation steps: Update to NitroPack plugin version 1.16.8 or greater.
Page Builder: Pagelayer – Drag and Drop website builder – Cross Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43972 Number of Installations: 100,000+ Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.7 Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 1.8.8
Mitigation steps: Update to Page Builder: Pagelayer plugin version 1.8.8 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43977 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor <= 5.6.2 Patched Versions: The Plus Addons for Elementor 5.6.3
Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.6.3 or greater.
The Plus Addons for Elementor – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2024-43932 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor <= 5.6.2 Patched Versions: The Plus Addons for Elementor – 5.6.3
Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.6.3 or greater.
The Post Grid – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Sensitive Data Exposure CVE: CVE-2024-7418 Number of Installations: 100,000+ Affected Software: The Post Grid <= 7.7.11 Patched Versions: The Post Grid – 7.7.12
Mitigation steps: Update to The Post Grid plugin version 7.7.12 or greater.
WooCommerce Multilingual & Multicurrency with WPML – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2024-44006 Number of Installations: 100,000+ Affected Software: WooCommerce Multilingual & Multicurrency with WPML <= 5.3.6 Patched Versions: WooCommerce Multilingual & Multicurrency with WPML 5.3.7
Mitigation steps: Update to WooCommerce Multilingual & Multicurrency with WPML plugin version 5.3.7 or greater.
YARPP – Yet Another Related Posts Plugin – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2024-43919 Number of Installations: 100,000+ Affected Software: YARPP – Yet Another Related Posts Plugin <= 5.30.10 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
LearnPress – WordPress LMS Plugin – SQL Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2024-8522 Number of Installations: 90,000+ Affected Software: LearnPress – WordPress LMS Plugin <= 4.2.7 Patched Versions: LearnPress – WordPress LMS Plugin 4.2.7.1
Mitigation steps: Update to LearnPress plugin version 4.2.7.1 or greater.
LearnPress – WordPress LMS Plugin – SQL Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2024-8529 Number of Installations: 90,000+ Affected Software: LearnPress – WordPress LMS Plugin <= 4.2.7 Patched Versions: LearnPress – WordPress LMS Plugin 4.2.7.1
Mitigation steps: Update to LearnPress plugin version 4.2.7.1 or greater.
Ninja Tables – Easiest Data Table Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-7304 Number of Installations: 90,000+ Affected Software: Ninja Tables – Easiest Data Table Builder <= 5.0.12 Patched Versions: Ninja Tables – Easiest Data Table Builder 5.0.13
Mitigation steps: Update to Ninja Tables plugin version 5.0.13 or greater.
Permalink Manager Lite – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2024-8195 Number of Installations: 90,000+ Affected Software: Permalink Manager Lite <= 2.4.4 Patched Versions: Permalink Manager Lite 2.4.4.1
Mitigation steps: Update to Permalink Manager Lite plugin version 2.4.4.1 or greater.
AI Engine – SQL Injection
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2024-6723 Number of Installations: 80,000+ Affected Software: AI Engine <= 2.4.7 Patched Versions: AI Engine 2.4.8
Mitigation steps: Update to AI Engine plugin version 2.4.8 or greater.
WP ULike – The Ultimate Engagement Toolkit for Websites – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-6792 Number of Installations: 80,000+ Affected Software: WP ULike – The Ultimate Engagement Toolkit for Websites <= 4.7.2 Patched Versions: WP ULike – The Ultimate Engagement Toolkit for Websites 4.7.2.1
Mitigation steps: Update to WP ULike plugin version 4.7.2.1 or greater.
Reviews Feed – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2024-8199 Number of Installations: 70,000+ Affected Software: Reviews Feed <= 1.1.9 Patched Versions: Reviews Feed 1.2.0
Mitigation steps: Update to Reviews Feed plugin version 1.2.0 or greater.
FOX – Currency Switcher Professional for WooCommerce – Broken Access Control
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2024-8271 Number of Installations: 60,000+ Affected Software: FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.1 Patched Versions: FOX – Currency Switcher Professional for WooCommerce 1.4.2.2
Mitigation steps: Update to FOX plugin version 1.4.2.2 or greater.
WP Booking Calendar – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8274 Number of Installations: 50,000+ Affected Software: WP Booking Calendar <= 10.5.0 Patched Versions: WP Booking Calendar 10.5.1
Mitigation steps: Update to WP Booking Calendar plugin version 10.5.1 or greater.
Shield Security – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-7313 Number of Installations: 50,000+ Affected Software: Shield Security <= 20.0.5 Patched Versions: Shield Security 20.0.6
Mitigation steps: Update to Shield Security plugin version 20.0.6 or greater.
Pixel Cat – Conversion Pixel Manager – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8544 Number of Installations: 50,000+ Affected Software: Pixel Cat – Conversion Pixel Manager <= 3.0.5 Patched Versions: Pixel Cat – Conversion Pixel Manager 3.0.6
Mitigation steps: Update to Pixel Cat plugin version 3.0.6 or greater.
Visual CSS Style Editor – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43963 Number of Installations: 50,000+ Affected Software: Visual CSS Style Editor <= 7.6.3 Patched Versions: Visual CSS Style Editor 7.6.4
Mitigation steps: Update to Visual CSS Style Editor plugin version 7.6.4 or greater.
Premium Portfolio Features for Phlox theme – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1384 Number of Installations: 50,000+ Affected Software: Premium Portfolio Features for Phlox theme <= 2.3.3 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Theme Vulnerabilities
Mantra – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-44056 Number of Downloads: 1,152,946 Affected Software: Mantra <= 3.3.2 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Nirvana – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-44057 Number of Downloads: 752,479 Affected Software: Nirvana <= 1.6.3 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Mystique – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43988 Number of Downloads: 705,708 Affected Software: Mystique <= 2.5.7 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited. However, this theme is abandoned and has not been updated in over a year. We recommend switching to a new theme.
Tempera – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43951 Number of Downloads: 703,523 Affected Software: Tempera <= 1.8.2 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Delicate – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5867 Number of Downloads: 686,668 Affected Software: Delicate <= 3.5.5 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited. However, this theme is abandoned and has not been updated in over a year. We recommend switching to a new theme.
Parabola – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-44058 Number of Downloads: 635,288 Affected Software: Parabola <= 2.4.1 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Sliding Door – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43987 Number of Downloads: 537,528 Affected Software: Sliding Door <= 3.6 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Fluida – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-44054 Number of Downloads: 486,615 Affected Software: Fluida <= 1.8.8 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Hotel Galaxy – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43991 Number of Downloads: 247,851 Affected Software: Hotel Galaxy <= 4.4.24 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Kahuna – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43994 Number of Downloads: 170,236 Affected Software: Kahuna <= 1.7.0 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
FotaWP – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2024-43980 Number of Downloads: 146,783 Affected Software: FotaWP <= 1.4.1 Patched Versions: FotaWP 1.4.2
Mitigation steps: Update to FotaWP theme version 1.4.2 or greater.
Septera – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-45452 Number of Downloads: 126,076 Affected Software: Septera <= 1.5.1 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Verbosa – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-44050 Number of Downloads: 108,792 Affected Software: Verbosa <= 1.2.3 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Roseta – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-45451 Number of Downloads: 97,031 Affected Software: Roseta <= 1.3.0 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Posterity – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43995 Number of Downloads: 96,548 Affected Software: Posterity <= 3.6 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Attire – PHP Object Injection
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: PHP Object Injection CVE: CVE-2024-7435 Number of Downloads: 72,378 Affected Software: Attire <= 2.0.6 Patched Versions: Attire 2.0.7
Mitigation steps: Update to Attire theme version 2.0.7 or greater.
Esotera – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-43952 Number of Downloads: 59,473 Affected Software: Esotera <= 1.2.5.1 Patched Versions: No Fix
Mitigation steps: This vulnerability poses a low risk and is not likely to be exploited.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.
Daniel Cid
Victor Santoyo
Tony Perez
John Castro
Marc Kranat
Cesar Anjos
Art Martori
Denis Sinegubko