Vulnerability & Patch Roundup — November 2024

  • December 20, 2024
Sucuri November 2024 Vulnerability Roundup

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.

WordPress Core Updates

Named “Rollins” after jazz legend Sonny Rollins, WordPress 6.7 introduces the Twenty Twenty-Five theme, offering flexible design options for all blogs. New font management tools enhance typography control, and the Zoom Out feature allows for a macro view to better visualize your site.

Loginizer – Broken Authentication

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2024-10097
Number of Installations: 1,000,000+
Affected Software: Loginizer <= 1.9.2
Patched Versions: Loginizer 1.9.3

Mitigation steps: Update to Loginizer plugin version 1.9.3 or greater.

Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10367
Number of Installations: 300,000+
Affected Software: Otter Blocks <= 3.0.4
Patched Versions: Otter Blocks 3.0.5

Mitigation steps: Update to Otter Blocks plugin version 3.0.5 or greater.

Photo Gallery by 10Web – Mobile-Friendly Image Gallery – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9878
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.30
Patched Versions: Photo Gallery by 10Web 1.8.31

Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.31 or greater.

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9657
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.10.2
Patched Versions: Element Pack Elementor Addons 5.10.3

Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.10.3 or greater.

Media Library Assistant – Remote Code Execution (RCE)

Security Risk: Critical
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-51661
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.19
Patched Versions: Media Library Assistant 3.20

Mitigation steps: Update to Media Library Assistant plugin version 3.20 or greater.

Elementor Header & Footer Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10325
Number of Installations: 2,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.45
Patched Versions: Elementor Header & Footer Builder 1.6.46

Mitigation steps: Update to Elementor Header & Footer Builder plugin version 1.6.46 or greater.

Safe SVG – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8378
Number of Installations: 1,000,000+
Affected Software: Safe SVG <= 2.2.5
Patched Versions: Safe SVG 2.2.6

Mitigation steps: Update to Safe SVG plugin version 2.2.6 or greater.

Happy Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10538
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.12.5
Patched Versions: Happy Addons for Elementor 3.12.6

Mitigation steps: Update to Happy Addons for Elementor plugin version 3.12.6 or greater.

Admin and Site Enhancements (ASE) – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Custom
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10790
Number of Installations: 100,000+
Affected Software: Admin and Site Enhancements (ASE) <= 7.5.1
Patched Versions: Admin and Site Enhancements (ASE) 7.5.2

Mitigation steps: Update to Admin and Site Enhancements (ASE) plugin version 7.5.2 or greater.

Prime Slider – Addons For Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8442
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.15.18
Patched Versions: Prime Slider 3.15.19

Mitigation steps: Update to Prime Slider plugin version 3.15.19 or greater.

Contact Form 7 – Dynamic Text Extension – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-10084
Number of Installations: 100,000+
Affected Software: Contact Form 7 – Dynamic Text Extension <= 4.5.0
Patched Versions: Contact Form 7 – Dynamic Text Extension 4.5.1

Mitigation steps: Update to Contact Form 7 – Dynamic Text Extension plugin version 4.5.1 or greater.

Pods – Custom Content Types and Fields – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9883
Number of Installations: 100,000+
Affected Software: Pods <= 3.2.7
Patched Versions: Pods 3.2.7.1

Mitigation steps: Update to Pods plugin version 3.2.7.1 or greater.

WP ULike – All-in-One Engagement Toolkit – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-7879
Number of Installations: 80,000+
Affected Software: WP ULike <= 4.7.4
Patched Versions: WP ULike 4.7.5

Mitigation steps: Update to WP ULike plugin version 4.7.5 or greater.

WP Booking Calendar – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10027
Number of Installations: 50,000+
Affected Software: WP Booking Calendar <= 10.6.2
Patched Versions: WP Booking Calendar 10.6.3

Mitigation steps: Update to WP Booking Calendar plugin version 10.6.3 or greater.

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10265
Number of Installations: 50,000+
Affected Software: Form Maker by 10Web <= 1.15.30
Patched Versions: Form Maker by 10Web 1.15.31

Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.31 or greater.

Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) – Broken Authentication

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2024-10924
Number of Installations: 4,000,000+
Affected Software: Really Simple Security <= 9.1.1
Patched Versions: Really Simple Security 9.1.2

Mitigation steps: Update to Really Simple Security plugin version 9.1.2 or greater.

Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-8979
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 6.0.9
Patched Versions: Essential Addons for Elementor 6.0.10

Mitigation steps: Update to Essential Addons for Elementor plugin version 6.0.10 or greater.

Google for WooCommerce – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-10486
Number of Installations: 900,000+
Affected Software: Google for WooCommerce <= 2.8.6
Patched Versions: Google for WooCommerce 2.8.7

Mitigation steps: Update to Google for WooCommerce plugin version 2.8.7 or greater.

Migration, Backup, Staging – WPvivid Backup & Migration – PHP Object Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2024-10962
Number of Installations: 600,000+
Affected Software: WPvivid Backup & Migration <= 0.9.107
Patched Versions: WPvivid Backup & Migration 0.9.108

Mitigation steps: Update to WPvivid Backup & Migration plugin version 0.9.108 or greater.

Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – SQL Injection

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-52436
Number of Installations: 400,000+
Affected Software: Post SMTP <= 2.9.9
Patched Versions: Post SMTP 2.9.10

Mitigation steps: Update to Post SMTP plugin version 2.9.10 or greater.

Hide My WP Ghost – Security & Firewall – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10825
Number of Installations: 200,000+
Affected Software: Hide My WP Ghost <= 5.3.01
Patched Versions: Hide My WP Ghost 5.3.02

Mitigation steps: Update to Hide My WP Ghost plugin version 5.3.02 or greater.

WP Activity Log – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10793
Number of Installations: 200,000+
Affected Software: WP Activity Log <= 5.2.1
Patched Versions: WP Activity Log 5.2.2

Mitigation steps: Update to WP Activity Log plugin version 5.2.2 or greater.

Simple Local Avatars – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10786
Number of Installations: 100,000+
Affected Software: Simple Local Avatars <= 2.7.9
Patched Versions: Simple Local Avatars 2.8.0

Mitigation steps: Update to Simple Local Avatars plugin version 2.8.0 or greater.

Advanced Order Export For WooCommerce – PHP Object Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2024-10828
Number of Installations: 100,000+
Affected Software: Advanced Order Export For WooCommerce <= 3.5.5
Patched Versions: Advanced Order Export For WooCommerce 3.5.6

Mitigation steps: Update to Advanced Order Export For WooCommerce plugin version 3.5.6 or greater.

WP Chat App – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10533
Number of Installations: 100,000+
Affected Software: WP Chat App <= 3.6.8
Patched Versions: WP Chat App 3.6.9

Mitigation steps: Update to WP Chat App plugin version 3.6.9 or greater.

Customer Reviews for WooCommerce – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10614
Number of Installations: 70,000+
Affected Software: Customer Reviews for WooCommerce <= 5.61.9
Patched Versions: Customer Reviews for WooCommerce 5.62.0

Mitigation steps: Update to Customer Reviews for WooCommerce plugin version 5.62.0 or greater.

WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-7056
Number of Installations: 6,000,000+
Affected Software: WPForms <= 1.9.1.5
Patched Versions: WPForms 1.9.1.6

Mitigation steps: Update to WPForms plugin version 1.9.1.6 or greater.

Rank Math SEO – AI SEO Tools to Dominate SEO Rankings – Remote Code Execution (RCE)

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-11620
Number of Installations: 3,000,000+
Affected Software: Rank Math SEO <= 1.0.231
Patched Versions: Rank Math SEO 1.0.232

Mitigation steps: Update to Rank Math SEO plugin version 1.0.232 or greater.

MailPoet – Newsletters, Email Marketing, and Automation – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10103
Number of Installations: 600,000+
Affected Software: MailPoet <= 5.3.1
Patched Versions: MailPoet 5.3.2

Mitigation steps: Update to MailPoet plugin version 5.3.2 or greater.

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6393
Number of Installations: 500,000+
Affected Software: NextGEN Gallery <= 3.59.4
Patched Versions: NextGEN Gallery 3.59.5

Mitigation steps: Update to NextGEN Gallery plugin version 3.59.5 or greater.

Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11188
Number of Installations: 400,000+
Affected Software: Formidable Forms <= 6.16.1
Patched Versions: Formidable Forms 6.16.2

Mitigation steps: Update to Formidable Forms plugin version 6.16.2 or greater.

Gutenberg Blocks with AI by Kadence WP – Page Builder Features – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10785
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.3.3
Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.3.4

Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.3.4 or greater.

Royal Elementor Addons and Templates – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9682
Number of Installations: 400,000+
Affected Software: Royal Elementor Addons <= 1.7.1001
Patched Versions: Royal Elementor Addons 1.7.1002

Mitigation steps: Update to Royal Elementor Addons plugin version 1.7.1002 or greater.

Activity Log – Monitor & Record User Changes – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10788
Number of Installations: 300,000+
Affected Software: Activity Log <= 2.11.1
Patched Versions: Activity Log 2.11.2

Mitigation steps: Update to Activity Log plugin version 2.11.2 or greater.

FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider – PHP Object Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2024-9511
Number of Installations: 300,000+
Affected Software: FluentSMTP <= 2.2.82
Patched Versions: FluentSMTP 2.2.83

Mitigation steps: Update to FluentSMTP plugin version 2.2.83 or greater.

Spam protection, Anti-Spam, FireWall by CleanTalk – Broken Authentication

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2024-10542
Number of Installations: 200,000+
Affected Software: CleanTalk <= 6.43
Patched Versions: CleanTalk 6.44

Mitigation steps: Update to CleanTalk plugin version 6.44 or greater.

Jeg Elementor Kit – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10308
Number of Installations: 200,000+
Affected Software: Jeg Elementor Kit <= 2.6.9
Patched Versions: Jeg Elementor Kit 2.6.10

Mitigation steps: Update to Jeg Elementor Kit plugin version 2.6.10 or greater.

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10528
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.8.9
Patched Versions: Ultimate Member 2.9.0

Mitigation steps: Update to Ultimate Member plugin version 2.9.0 or greater.

SEO Plugin by Squirrly SEO – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10515
Number of Installations: 100,000+
Affected Software: Squirrly SEO <= 12.3.20
Patched Versions: Squirrly SEO 12.3.21

Mitigation steps: Update to Squirrly SEO plugin version 12.3.21 or greater.

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-10365
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 6.0.3
Patched Versions: The Plus Addons for Elementor 6.0.4

Mitigation steps: Update to The Plus Addons for Elementor plugin version 6.0.4 or greater.

HUSKY – Products Filter Professional for WooCommerce – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11400
Number of Installations: 100,000+
Affected Software: HUSKY <= 1.3.6.3
Patched Versions: HUSKY 1.3.6.4

Mitigation steps: Update to HUSKY plugin version 1.3.6.4 or greater.

Hustle – Email Marketing, Lead Generation, Optins, Popups – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10579
Number of Installations: 100,000+
Affected Software: Hustle <= 7.8.5
Patched Versions: Hustle 7.8.6

Mitigation steps: Update to Hustle plugin version 7.8.6 or greater.

Parsi Date – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11032
Number of Installations: 100,000+
Affected Software: Parsi Date <= 5.1.1
Patched Versions: Parsi Date 5.1.2

Mitigation steps: Update to Parsi Date plugin version 5.1.2 or greater.

Tutor LMS – eLearning and online course solution – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-10400
Number of Installations: 90,000+
Affected Software: Tutor LMS <= 2.7.6
Patched Versions: Tutor LMS 2.7.7

Mitigation steps: Update to Tutor LMS plugin version 2.7.7 or greater.

Clone – PHP Object Injection

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2024-10913
Number of Installations: 70,000+
Affected Software: Clone <= 2.4.6
Patched Versions: Clone 2.4.7

Mitigation steps: Update to Clone plugin version 2.4.7 or greater.

Increase Maximum Upload File Size | Increase Execution Time – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-11265
Number of Installations: 70,000+
Affected Software: Increase Maximum Upload File Size <= 1.1.3
Patched Versions: Increase Maximum Upload File Size 1.1.4

Mitigation steps: Update to Increase Maximum Upload File Size plugin version 1.1.4 or greater.

Getwid – Gutenberg Blocks – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10872
Number of Installations: 60,000+
Affected Software: Getwid <= 2.0.12
Patched Versions: Getwid 2.0.13

Mitigation steps: Update to Getwid plugin version 2.0.13 or greater.

FOX – Currency Switcher Professional for WooCommerce – Arbitrary Code Execution

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-10640
Number of Installations: 60,000+
Affected Software: FOX <= 1.4.2.2
Patched Versions: FOX 1.4.2.3

Mitigation steps: Update to FOX plugin version 1.4.2.3 or greater.

Booster for WooCommerce – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9239
Number of Installations: 50,000+
Affected Software: Booster for WooCommerce <= 7.2.3
Patched Versions: Booster for WooCommerce 7.2.4

Mitigation steps: Update to Booster for WooCommerce plugin version 7.2.4 or greater.

Elementor Website Builder – More than Just a Page Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8236
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.25.7
Patched Versions: Elementor Website Builder 3.25.8

Mitigation steps: Update to Elementor Website Builder plugin version 3.25.8 or greater.

Royal Elementor Addons and Templates – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10798
Number of Installations: 500,000+
Affected Software: Royal Elementor Addons <= 1.7.1003
Patched Versions: Royal Elementor Addons 1.7.1004

Mitigation steps: Update to Royal Elementor Addons plugin version 1.7.1004 or greater.

Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE – Path Traversal

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Path Traversal
CVE: CVE-2024-11219
Number of Installations: 300,000+
Affected Software: Otter Blocks <= 3.0.6
Patched Versions: Otter Blocks 3.0.7

Mitigation steps: Update to Otter Blocks plugin version 3.0.7 or greater.

Spam protection, Anti-Spam, FireWall by CleanTalk – Broken Authentication

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2024-10781
Number of Installations: 200,000+
Affected Software: CleanTalk <= 6.44
Patched Versions: CleanTalk 6.45

Mitigation steps: Update to CleanTalk plugin version 6.45 or greater.

Jeg Elementor Kit – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-8899
Number of Installations: 200,000+
Affected Software: Jeg Elementor Kit <= 2.6.9
Patched Versions: Jeg Elementor Kit 2.6.10

Mitigation steps: Update to Jeg Elementor Kit plugin version 2.6.10 or greater.

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-11083
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.15.18
Patched Versions: ProfilePress 4.15.19

Mitigation steps: Update to ProfilePress plugin version 4.15.19 or greater.

EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11203
Number of Installations: 100,000+
Affected Software: EmbedPress <= 4.1.3
Patched Versions: EmbedPress 4.1.4

Mitigation steps: Update to EmbedPress plugin version 4.1.4 or greater.

Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease! – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10471
Number of Installations: 100,000+
Affected Software: Everest Forms <= 3.0.4.1
Patched Versions: Everest Forms 3.0.4.2

Mitigation steps: Update to Everest Forms plugin version 3.0.4.2 or greater.

Social Sharing Plugin – Sassy Social Share – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11252
Number of Installations: 100,000+
Affected Software: Sassy Social Share <= 3.3.69
Patched Versions: Sassy Social Share 3.3.70

Mitigation steps: Update to Sassy Social Share plugin version 3.3.70 or greater.

Widget Options – The #1 WordPress Widget & Block Control Plugin – Remote Code Execution (RCE)

Security Risk: Critical
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-8672
Number of Installations: 100,000+
Affected Software: Widget Options <= 4.0.7
Patched Versions: Widget Options 4.0.8

Mitigation steps: Update to Widget Options plugin version 4.0.8 or greater.

Hustle – Email Marketing, Lead Generation, Optins, Popups – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-10580
Number of Installations: 100,000+
Affected Software: Hustle <= 7.8.5
Patched Versions: Hustle 7.8.6

Mitigation steps: Update to Hustle plugin version 7.8.6 or greater.

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid – Remote Code Execution (RCE)

Security Risk: Critical
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-9461
Number of Installations: 70,000+
Affected Software: Total Upkeep <= 1.16.6
Patched Versions: Total Upkeep 1.16.7

Mitigation steps: Update to Total Upkeep plugin version 1.16.7 or greater.

File Manager Pro – Filester – Path Traversal

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2024-9669
Number of Installations: 70,000+
Affected Software: Filester <= 1.8.5
Patched Versions: Filester 1.8.6

Mitigation steps: Update to Filester plugin version 1.8.6 or greater.

File Manager Pro – Filester – Arbitrary File Upload

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2024-8066
Number of Installations: 70,000+
Affected Software: Filester <= 1.8.4
Patched Versions: Filester 1.8.5

Mitigation steps: Update to Filester plugin version 1.8.5 or greater.

Storely – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-51794
Number of Downloads: 435,857
Affected Software: Storely
Patched Versions: No Fix

Mitigation steps: Consider disabling the theme or finding an alternative solution, as no fix is currently available.

Top Store – Arbitrary Code Execution

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-10673
Number of Downloads: 198,806
Affected Software: Top Store <= 1.5.4
Patched Versions: Top Store 1.5.5

Mitigation steps: Update to Top Store theme version 1.5.5 or greater.

Bard – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9830
Number of Downloads: 934,286
Affected Software: Bard <= 2.216
Patched Versions: Bard 2.217

Mitigation steps: Update to Bard theme version 2.217 or greater.

Ashe – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9777
Number of Downloads: 2,043,009
Affected Software: Ashe <= 2.243
Patched Versions: Ashe 2.244

Mitigation steps: Update to Ashe theme version 2.244 or greater.

Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.

Chat now

We are a group of website security professionals who are passionate about discovering emerging web-based malware and software vulnerabilities. Not only do we create tools and detection rules for our customers, we also bring awareness to the website security community. Our mission is to help make the internet a safer place.

Related Tags
Related Categories
You May Also Like