Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
WordPress Core Updates
Named “Rollins” after jazz legend Sonny Rollins, WordPress 6.7 introduces the Twenty Twenty-Five theme, offering flexible design options for all blogs. New font management tools enhance typography control, and the Zoom Out feature allows for a macro view to better visualize your site.
Loginizer – Broken Authentication
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2024-10097
Number of Installations: 1,000,000+
Affected Software: Loginizer <= 1.9.2
Patched Versions: Loginizer 1.9.3
Mitigation steps: Update to Loginizer plugin version 1.9.3 or greater.
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10367
Number of Installations: 300,000+
Affected Software: Otter Blocks <= 3.0.4
Patched Versions: Otter Blocks 3.0.5
Mitigation steps: Update to Otter Blocks plugin version 3.0.5 or greater.
Photo Gallery by 10Web – Mobile-Friendly Image Gallery – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9878
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.30
Patched Versions: Photo Gallery by 10Web 1.8.31
Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.31 or greater.
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9657
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.10.2
Patched Versions: Element Pack Elementor Addons 5.10.3
Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.10.3 or greater.
Media Library Assistant – Remote Code Execution (RCE)
Security Risk: Critical
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-51661
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.19
Patched Versions: Media Library Assistant 3.20
Mitigation steps: Update to Media Library Assistant plugin version 3.20 or greater.
Elementor Header & Footer Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10325
Number of Installations: 2,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.45
Patched Versions: Elementor Header & Footer Builder 1.6.46
Mitigation steps: Update to Elementor Header & Footer Builder plugin version 1.6.46 or greater.
Safe SVG – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8378
Number of Installations: 1,000,000+
Affected Software: Safe SVG <= 2.2.5
Patched Versions: Safe SVG 2.2.6
Mitigation steps: Update to Safe SVG plugin version 2.2.6 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10538
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.12.5
Patched Versions: Happy Addons for Elementor 3.12.6
Mitigation steps: Update to Happy Addons for Elementor plugin version 3.12.6 or greater.
Admin and Site Enhancements (ASE) – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Custom
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10790
Number of Installations: 100,000+
Affected Software: Admin and Site Enhancements (ASE) <= 7.5.1
Patched Versions: Admin and Site Enhancements (ASE) 7.5.2
Mitigation steps: Update to Admin and Site Enhancements (ASE) plugin version 7.5.2 or greater.
Prime Slider – Addons For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8442
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.15.18
Patched Versions: Prime Slider 3.15.19
Mitigation steps: Update to Prime Slider plugin version 3.15.19 or greater.
Contact Form 7 – Dynamic Text Extension – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-10084
Number of Installations: 100,000+
Affected Software: Contact Form 7 – Dynamic Text Extension <= 4.5.0
Patched Versions: Contact Form 7 – Dynamic Text Extension 4.5.1
Mitigation steps: Update to Contact Form 7 – Dynamic Text Extension plugin version 4.5.1 or greater.
Pods – Custom Content Types and Fields – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9883
Number of Installations: 100,000+
Affected Software: Pods <= 3.2.7
Patched Versions: Pods 3.2.7.1
Mitigation steps: Update to Pods plugin version 3.2.7.1 or greater.
WP ULike – All-in-One Engagement Toolkit – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-7879
Number of Installations: 80,000+
Affected Software: WP ULike <= 4.7.4
Patched Versions: WP ULike 4.7.5
Mitigation steps: Update to WP ULike plugin version 4.7.5 or greater.
WP Booking Calendar – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10027
Number of Installations: 50,000+
Affected Software: WP Booking Calendar <= 10.6.2
Patched Versions: WP Booking Calendar 10.6.3
Mitigation steps: Update to WP Booking Calendar plugin version 10.6.3 or greater.
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10265
Number of Installations: 50,000+
Affected Software: Form Maker by 10Web <= 1.15.30
Patched Versions: Form Maker by 10Web 1.15.31
Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.31 or greater.
Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) – Broken Authentication
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2024-10924
Number of Installations: 4,000,000+
Affected Software: Really Simple Security <= 9.1.1
Patched Versions: Really Simple Security 9.1.2
Mitigation steps: Update to Really Simple Security plugin version 9.1.2 or greater.
Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-8979
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 6.0.9
Patched Versions: Essential Addons for Elementor 6.0.10
Mitigation steps: Update to Essential Addons for Elementor plugin version 6.0.10 or greater.
Google for WooCommerce – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-10486
Number of Installations: 900,000+
Affected Software: Google for WooCommerce <= 2.8.6
Patched Versions: Google for WooCommerce 2.8.7
Mitigation steps: Update to Google for WooCommerce plugin version 2.8.7 or greater.
Migration, Backup, Staging – WPvivid Backup & Migration – PHP Object Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2024-10962
Number of Installations: 600,000+
Affected Software: WPvivid Backup & Migration <= 0.9.107
Patched Versions: WPvivid Backup & Migration 0.9.108
Mitigation steps: Update to WPvivid Backup & Migration plugin version 0.9.108 or greater.
Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – SQL Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-52436
Number of Installations: 400,000+
Affected Software: Post SMTP <= 2.9.9
Patched Versions: Post SMTP 2.9.10
Mitigation steps: Update to Post SMTP plugin version 2.9.10 or greater.
Hide My WP Ghost – Security & Firewall – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10825
Number of Installations: 200,000+
Affected Software: Hide My WP Ghost <= 5.3.01
Patched Versions: Hide My WP Ghost 5.3.02
Mitigation steps: Update to Hide My WP Ghost plugin version 5.3.02 or greater.
WP Activity Log – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10793
Number of Installations: 200,000+
Affected Software: WP Activity Log <= 5.2.1
Patched Versions: WP Activity Log 5.2.2
Mitigation steps: Update to WP Activity Log plugin version 5.2.2 or greater.
Simple Local Avatars – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10786
Number of Installations: 100,000+
Affected Software: Simple Local Avatars <= 2.7.9
Patched Versions: Simple Local Avatars 2.8.0
Mitigation steps: Update to Simple Local Avatars plugin version 2.8.0 or greater.
Advanced Order Export For WooCommerce – PHP Object Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2024-10828
Number of Installations: 100,000+
Affected Software: Advanced Order Export For WooCommerce <= 3.5.5
Patched Versions: Advanced Order Export For WooCommerce 3.5.6
Mitigation steps: Update to Advanced Order Export For WooCommerce plugin version 3.5.6 or greater.
WP Chat App – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10533
Number of Installations: 100,000+
Affected Software: WP Chat App <= 3.6.8
Patched Versions: WP Chat App 3.6.9
Mitigation steps: Update to WP Chat App plugin version 3.6.9 or greater.
Customer Reviews for WooCommerce – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10614
Number of Installations: 70,000+
Affected Software: Customer Reviews for WooCommerce <= 5.61.9
Patched Versions: Customer Reviews for WooCommerce 5.62.0
Mitigation steps: Update to Customer Reviews for WooCommerce plugin version 5.62.0 or greater.
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-7056
Number of Installations: 6,000,000+
Affected Software: WPForms <= 1.9.1.5
Patched Versions: WPForms 1.9.1.6
Mitigation steps: Update to WPForms plugin version 1.9.1.6 or greater.
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings – Remote Code Execution (RCE)
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-11620
Number of Installations: 3,000,000+
Affected Software: Rank Math SEO <= 1.0.231
Patched Versions: Rank Math SEO 1.0.232
Mitigation steps: Update to Rank Math SEO plugin version 1.0.232 or greater.
MailPoet – Newsletters, Email Marketing, and Automation – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10103
Number of Installations: 600,000+
Affected Software: MailPoet <= 5.3.1
Patched Versions: MailPoet 5.3.2
Mitigation steps: Update to MailPoet plugin version 5.3.2 or greater.
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6393
Number of Installations: 500,000+
Affected Software: NextGEN Gallery <= 3.59.4
Patched Versions: NextGEN Gallery 3.59.5
Mitigation steps: Update to NextGEN Gallery plugin version 3.59.5 or greater.
Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11188
Number of Installations: 400,000+
Affected Software: Formidable Forms <= 6.16.1
Patched Versions: Formidable Forms 6.16.2
Mitigation steps: Update to Formidable Forms plugin version 6.16.2 or greater.
Gutenberg Blocks with AI by Kadence WP – Page Builder Features – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10785
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.3.3
Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.3.4
Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.3.4 or greater.
Royal Elementor Addons and Templates – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9682
Number of Installations: 400,000+
Affected Software: Royal Elementor Addons <= 1.7.1001
Patched Versions: Royal Elementor Addons 1.7.1002
Mitigation steps: Update to Royal Elementor Addons plugin version 1.7.1002 or greater.
Activity Log – Monitor & Record User Changes – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10788
Number of Installations: 300,000+
Affected Software: Activity Log <= 2.11.1
Patched Versions: Activity Log 2.11.2
Mitigation steps: Update to Activity Log plugin version 2.11.2 or greater.
FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider – PHP Object Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2024-9511
Number of Installations: 300,000+
Affected Software: FluentSMTP <= 2.2.82
Patched Versions: FluentSMTP 2.2.83
Mitigation steps: Update to FluentSMTP plugin version 2.2.83 or greater.
Spam protection, Anti-Spam, FireWall by CleanTalk – Broken Authentication
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2024-10542
Number of Installations: 200,000+
Affected Software: CleanTalk <= 6.43
Patched Versions: CleanTalk 6.44
Mitigation steps: Update to CleanTalk plugin version 6.44 or greater.
Jeg Elementor Kit – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10308
Number of Installations: 200,000+
Affected Software: Jeg Elementor Kit <= 2.6.9
Patched Versions: Jeg Elementor Kit 2.6.10
Mitigation steps: Update to Jeg Elementor Kit plugin version 2.6.10 or greater.
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10528
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.8.9
Patched Versions: Ultimate Member 2.9.0
Mitigation steps: Update to Ultimate Member plugin version 2.9.0 or greater.
SEO Plugin by Squirrly SEO – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10515
Number of Installations: 100,000+
Affected Software: Squirrly SEO <= 12.3.20
Patched Versions: Squirrly SEO 12.3.21
Mitigation steps: Update to Squirrly SEO plugin version 12.3.21 or greater.
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-10365
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 6.0.3
Patched Versions: The Plus Addons for Elementor 6.0.4
Mitigation steps: Update to The Plus Addons for Elementor plugin version 6.0.4 or greater.
HUSKY – Products Filter Professional for WooCommerce – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11400
Number of Installations: 100,000+
Affected Software: HUSKY <= 1.3.6.3
Patched Versions: HUSKY 1.3.6.4
Mitigation steps: Update to HUSKY plugin version 1.3.6.4 or greater.
Hustle – Email Marketing, Lead Generation, Optins, Popups – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10579
Number of Installations: 100,000+
Affected Software: Hustle <= 7.8.5
Patched Versions: Hustle 7.8.6
Mitigation steps: Update to Hustle plugin version 7.8.6 or greater.
Parsi Date – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11032
Number of Installations: 100,000+
Affected Software: Parsi Date <= 5.1.1
Patched Versions: Parsi Date 5.1.2
Mitigation steps: Update to Parsi Date plugin version 5.1.2 or greater.
Tutor LMS – eLearning and online course solution – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-10400
Number of Installations: 90,000+
Affected Software: Tutor LMS <= 2.7.6
Patched Versions: Tutor LMS 2.7.7
Mitigation steps: Update to Tutor LMS plugin version 2.7.7 or greater.
Clone – PHP Object Injection
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2024-10913
Number of Installations: 70,000+
Affected Software: Clone <= 2.4.6
Patched Versions: Clone 2.4.7
Mitigation steps: Update to Clone plugin version 2.4.7 or greater.
Increase Maximum Upload File Size | Increase Execution Time – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-11265
Number of Installations: 70,000+
Affected Software: Increase Maximum Upload File Size <= 1.1.3
Patched Versions: Increase Maximum Upload File Size 1.1.4
Mitigation steps: Update to Increase Maximum Upload File Size plugin version 1.1.4 or greater.
Getwid – Gutenberg Blocks – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10872
Number of Installations: 60,000+
Affected Software: Getwid <= 2.0.12
Patched Versions: Getwid 2.0.13
Mitigation steps: Update to Getwid plugin version 2.0.13 or greater.
FOX – Currency Switcher Professional for WooCommerce – Arbitrary Code Execution
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-10640
Number of Installations: 60,000+
Affected Software: FOX <= 1.4.2.2
Patched Versions: FOX 1.4.2.3
Mitigation steps: Update to FOX plugin version 1.4.2.3 or greater.
Booster for WooCommerce – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9239
Number of Installations: 50,000+
Affected Software: Booster for WooCommerce <= 7.2.3
Patched Versions: Booster for WooCommerce 7.2.4
Mitigation steps: Update to Booster for WooCommerce plugin version 7.2.4 or greater.
Elementor Website Builder – More than Just a Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8236
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.25.7
Patched Versions: Elementor Website Builder 3.25.8
Mitigation steps: Update to Elementor Website Builder plugin version 3.25.8 or greater.
Royal Elementor Addons and Templates – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10798
Number of Installations: 500,000+
Affected Software: Royal Elementor Addons <= 1.7.1003
Patched Versions: Royal Elementor Addons 1.7.1004
Mitigation steps: Update to Royal Elementor Addons plugin version 1.7.1004 or greater.
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE – Path Traversal
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Path Traversal
CVE: CVE-2024-11219
Number of Installations: 300,000+
Affected Software: Otter Blocks <= 3.0.6
Patched Versions: Otter Blocks 3.0.7
Mitigation steps: Update to Otter Blocks plugin version 3.0.7 or greater.
Spam protection, Anti-Spam, FireWall by CleanTalk – Broken Authentication
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2024-10781
Number of Installations: 200,000+
Affected Software: CleanTalk <= 6.44
Patched Versions: CleanTalk 6.45
Mitigation steps: Update to CleanTalk plugin version 6.45 or greater.
Jeg Elementor Kit – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-8899
Number of Installations: 200,000+
Affected Software: Jeg Elementor Kit <= 2.6.9
Patched Versions: Jeg Elementor Kit 2.6.10
Mitigation steps: Update to Jeg Elementor Kit plugin version 2.6.10 or greater.
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-11083
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.15.18
Patched Versions: ProfilePress 4.15.19
Mitigation steps: Update to ProfilePress plugin version 4.15.19 or greater.
EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11203
Number of Installations: 100,000+
Affected Software: EmbedPress <= 4.1.3
Patched Versions: EmbedPress 4.1.4
Mitigation steps: Update to EmbedPress plugin version 4.1.4 or greater.
Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease! – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10471
Number of Installations: 100,000+
Affected Software: Everest Forms <= 3.0.4.1
Patched Versions: Everest Forms 3.0.4.2
Mitigation steps: Update to Everest Forms plugin version 3.0.4.2 or greater.
Social Sharing Plugin – Sassy Social Share – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11252
Number of Installations: 100,000+
Affected Software: Sassy Social Share <= 3.3.69
Patched Versions: Sassy Social Share 3.3.70
Mitigation steps: Update to Sassy Social Share plugin version 3.3.70 or greater.
Widget Options – The #1 WordPress Widget & Block Control Plugin – Remote Code Execution (RCE)
Security Risk: Critical
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-8672
Number of Installations: 100,000+
Affected Software: Widget Options <= 4.0.7
Patched Versions: Widget Options 4.0.8
Mitigation steps: Update to Widget Options plugin version 4.0.8 or greater.
Hustle – Email Marketing, Lead Generation, Optins, Popups – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-10580
Number of Installations: 100,000+
Affected Software: Hustle <= 7.8.5
Patched Versions: Hustle 7.8.6
Mitigation steps: Update to Hustle plugin version 7.8.6 or greater.
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid – Remote Code Execution (RCE)
Security Risk: Critical
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-9461
Number of Installations: 70,000+
Affected Software: Total Upkeep <= 1.16.6
Patched Versions: Total Upkeep 1.16.7
Mitigation steps: Update to Total Upkeep plugin version 1.16.7 or greater.
File Manager Pro – Filester – Path Traversal
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2024-9669
Number of Installations: 70,000+
Affected Software: Filester <= 1.8.5
Patched Versions: Filester 1.8.6
Mitigation steps: Update to Filester plugin version 1.8.6 or greater.
File Manager Pro – Filester – Arbitrary File Upload
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2024-8066
Number of Installations: 70,000+
Affected Software: Filester <= 1.8.4
Patched Versions: Filester 1.8.5
Mitigation steps: Update to Filester plugin version 1.8.5 or greater.
Storely – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-51794
Number of Downloads: 435,857
Affected Software: Storely
Patched Versions: No Fix
Mitigation steps: Consider disabling the theme or finding an alternative solution, as no fix is currently available.
Top Store – Arbitrary Code Execution
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-10673
Number of Downloads: 198,806
Affected Software: Top Store <= 1.5.4
Patched Versions: Top Store 1.5.5
Mitigation steps: Update to Top Store theme version 1.5.5 or greater.
Bard – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9830
Number of Downloads: 934,286
Affected Software: Bard <= 2.216
Patched Versions: Bard 2.217
Mitigation steps: Update to Bard theme version 2.217 or greater.
Ashe – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9777
Number of Downloads: 2,043,009
Affected Software: Ashe <= 2.243
Patched Versions: Ashe 2.244
Mitigation steps: Update to Ashe theme version 2.244 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.
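A practical way to act on a roundup like this is to compare what is installed against the "Affected Software: X <= version" lines above, rather than eyeballing each entry. The script below is an added example, not Sucuri's code or tooling: it encodes a handful of the entries from this page, compares versions component by component (so 1.7.1003 sorts after 1.7.1002 and 3.2.7.1 after 3.2.7, which plain string comparison gets wrong), and flags anything still at or below the last affected version. The installed inventory is constructed test data in the shape that `wp plugin list --fields=title,version --format=json` (and the matching `wp theme list`) produces; matching an advisory to an installed item by name is a heuristic assumed here, since plugin titles carry long taglines.

```python
import json
import re

# Advisory entries copied from this roundup:
# (software name, CVE, last affected version, first patched version).
# A None last-affected version means every version is affected and there
# is no fix yet (the Storely theme entry above).
ADVISORIES = [
    ("Loginizer", "CVE-2024-10097", "1.9.2", "1.9.3"),
    ("Really Simple Security", "CVE-2024-10924", "9.1.1", "9.1.2"),
    ("Royal Elementor Addons", "CVE-2024-9682", "1.7.1001", "1.7.1002"),
    ("Royal Elementor Addons", "CVE-2024-10798", "1.7.1003", "1.7.1004"),
    ("Pods", "CVE-2024-9883", "3.2.7", "3.2.7.1"),
    ("Storely", "CVE-2024-51794", None, None),
]


def parse_version(version):
    """Turn '1.7.1003' or '5.3.02' into a tuple of ints so comparison is
    numeric per component (as strings, '1.9.10' would sort below '1.9.3').
    Non-numeric fragments such as '-beta' are dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(installed, last_affected):
    """The roundup states ranges as 'Affected Software: X <= v'; a None
    bound means the advisory covers every version."""
    if last_affected is None:
        return True
    return parse_version(installed) <= parse_version(last_affected)


def triage(inventory_json, advisories=ADVISORIES):
    """Return one finding per (installed item, matching advisory) pair.
    Name matching is a heuristic (assumed here): the advisory's software
    name must appear, case-insensitively, in the installed item's title."""
    findings = []
    for item in json.loads(inventory_json):
        title = item["title"].lower()
        for software, cve, last_affected, patched in advisories:
            if software.lower() not in title:
                continue
            if not is_affected(item["version"], last_affected):
                continue
            action = (f"update to {patched} or greater" if patched
                      else "no fix available; disable or replace")
            findings.append({"title": item["title"], "installed": item["version"],
                             "cve": cve, "action": action})
    return findings


# Constructed inventory (not real site data) in the shape produced by
# `wp plugin list --fields=title,version --format=json` and `wp theme list`.
INVENTORY = json.dumps([
    {"title": "Loginizer", "version": "1.9.2"},                       # still affected
    {"title": "Really Simple Security – Simple and Performant Security "
              "(formerly Really Simple SSL)", "version": "9.1.2"},    # patched
    {"title": "Royal Elementor Addons and Templates", "version": "1.7.1002"},  # fixed for one CVE, not the other
    {"title": "Pods – Custom Content Types and Fields", "version": "3.2.7.1"},  # four-part version, patched
    {"title": "Storely", "version": "1.2.0"},                         # theme with no fix
])

if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print(f"{finding['title']} {finding['installed']}: "
              f"{finding['cve']} -> {finding['action']}")
```

Run against the constructed inventory it reports Loginizer (CVE-2024-10097), Royal Elementor Addons (CVE-2024-10798 only, since 1.7.1002 already carries the fix for CVE-2024-9682) and the Storely theme, and stays silent on the two items that are at or past their patched version. To use it on a real site, replace INVENTORY with the JSON from WP-CLI and extend ADVISORIES with the remaining entries from this page.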