Vulnerability & Patch Roundup — December 2024

Sucuri December 2024 Vulnerability Roundup

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall, and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


Spectra – WordPress Gutenberg Blocks – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10484
Number of Installations: 1,000,000+
Affected Software: Spectra – WordPress Gutenberg Blocks <= 2.16.2
Patched Versions: Spectra – WordPress Gutenberg Blocks 2.16.3

Mitigation steps: Update to Spectra plugin version 2.16.3 or greater.


Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5020
Number of Installations: 400,000+
Affected Software: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.4
Patched Versions: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery 3.59.5

Mitigation steps: Update to Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin version 3.59.5 or greater.


Firelight Lightbox – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5020
Number of Installations: 200,000+
Affected Software: Firelight Lightbox <= 2.3.3
Patched Versions: Firelight Lightbox 2.3.4

Mitigation steps: Update to Firelight Lightbox plugin version 2.3.4 or greater.


FileBird – WordPress Media Library Folders & File Manager – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-53825
Number of Installations: 200,000+
Affected Software: FileBird <= 6.3.3
Patched Versions: FileBird 6.3.4

Mitigation steps: Update to FileBird plugin version 6.3.4 or greater.


Element Pack Elementor Addons – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9058
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.10.5
Patched Versions: Element Pack Elementor Addons 5.10.6

Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.10.6 or greater.


Beaver Builder – WordPress Page Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-53797
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.8.4.3
Patched Versions: Beaver Builder 2.8.4.4

Mitigation steps: Update to Beaver Builder plugin version 2.8.4.4 or greater.


Colibri Page Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5020
Number of Installations: 100,000+
Affected Software: Colibri Page Builder <= 1.0.287
Patched Versions: Colibri Page Builder 1.0.288

Mitigation steps: Update to Colibri Page Builder plugin version 1.0.288 or greater.


Slider & Popup Builder by Depicter – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4633
Number of Installations: 100,000+
Affected Software: Slider & Popup Builder by Depicter <= 3.2.1
Patched Versions: Slider & Popup Builder by Depicter 3.2.2

Mitigation steps: Update to Slider & Popup Builder by Depicter plugin version 3.2.2 or greater.


Gallery Plugin for WordPress – Envira Photo Gallery – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5020
Number of Installations: 100,000+
Affected Software: Envira Photo Gallery <= 1.8.15
Patched Versions: Envira Photo Gallery 1.8.16

Mitigation steps: Update to Envira Photo Gallery plugin version 1.8.16 or greater.


Advanced File Manager – Arbitrary File Upload

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2024-11391
Number of Installations: 100,000+
Affected Software: Advanced File Manager <= 5.2.10
Patched Versions: Advanced File Manager 5.2.11

Mitigation steps: Update to Advanced File Manager plugin version 5.2.11 or greater.


FileOrganizer – Manage WordPress and Website Files – Path Traversal

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2024-11010
Number of Installations: 100,000+
Affected Software: FileOrganizer <= 1.1.4
Patched Versions: FileOrganizer 1.1.5

Mitigation steps: Update to FileOrganizer plugin version 1.1.5 or greater.


Responsive Lightbox & Gallery – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5020
Number of Installations: 100,000+
Affected Software: Responsive Lightbox & Gallery <= 2.4.8
Patched Versions: Responsive Lightbox & Gallery 2.4.9

Mitigation steps: Update to Responsive Lightbox & Gallery plugin version 2.4.9 or greater.


The Plus Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-53823
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 6.0.0
Patched Versions: The Plus Addons for Elementor 6.0.1

Mitigation steps: Update to The Plus Addons for Elementor plugin version 6.0.1 or greater.


TI WooCommerce Wishlist – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-10567
Number of Installations: 100,000+
Affected Software: TI WooCommerce Wishlist <= 2.9.1
Patched Versions: TI WooCommerce Wishlist 2.9.2

Mitigation steps: Update to TI WooCommerce Wishlist plugin version 2.9.2 or greater.


AnyWhere Elementor – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10777
Number of Installations: 90,000+
Affected Software: AnyWhere Elementor <= 1.2.11
Patched Versions: AnyWhere Elementor 1.2.12

Mitigation steps: Update to AnyWhere Elementor plugin version 1.2.12 or greater.


PowerPack Elementor Addons – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10692
Number of Installations: 90,000+
Affected Software: PowerPack Elementor Addons <= 2.8.1
Patched Versions: PowerPack Elementor Addons 2.8.2

Mitigation steps: Update to PowerPack Elementor Addons plugin version 2.8.2 or greater.


WPC Smart Quick View for WooCommerce – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5020
Number of Installations: 80,000+
Affected Software: WPC Smart Quick View for WooCommerce <= 4.1.1
Patched Versions: WPC Smart Quick View for WooCommerce 4.1.2

Mitigation steps: Update to WPC Smart Quick View for WooCommerce plugin version 4.1.2 or greater.


WP Hide & Security Enhancer – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-11585
Number of Installations: 70,000+
Affected Software: WP Hide & Security Enhancer <= 2.5.1
Patched Versions: WP Hide & Security Enhancer 2.5.2

Mitigation steps: Update to WP Hide & Security Enhancer plugin version 2.5.2 or greater.


Getwid – Gutenberg Blocks – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5020
Number of Installations: 60,000+
Affected Software: Getwid – Gutenberg Blocks <= 2.0.11
Patched Versions: Getwid – Gutenberg Blocks 2.0.12

Mitigation steps: Update to Getwid – Gutenberg Blocks plugin version 2.0.12 or greater.


If Menu – Visibility control for Menus – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-7894
Number of Installations: 60,000+
Affected Software: If Menu <= 0.19.1
Patched Versions: If Menu 0.19.2

Mitigation steps: Update to If Menu plugin version 0.19.2 or greater.


Visual Portfolio, Photo Gallery & Post Grid – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5020
Number of Installations: 60,000+
Affected Software: Visual Portfolio, Photo Gallery & Post Grid <= 3.3.9
Patched Versions: Visual Portfolio, Photo Gallery & Post Grid 3.3.10

Mitigation steps: Update to Visual Portfolio plugin version 3.3.10 or greater.


Carousel, Slider, Gallery by WP Carousel – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5020
Number of Installations: 60,000+
Affected Software: Carousel, Slider, Gallery by WP Carousel <= 2.6.8
Patched Versions: Carousel, Slider, Gallery by WP Carousel 2.6.9

Mitigation steps: Update to WP Carousel plugin version 2.6.9 or greater.


Bold Page Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-53801
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.2.1
Patched Versions: Bold Page Builder 5.2.2

Mitigation steps: Update to Bold Page Builder plugin version 5.2.2 or greater.


Form Maker by 10Web – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5020
Number of Installations: 50,000+
Affected Software: Form Maker by 10Web <= 1.15.27
Patched Versions: Form Maker by 10Web 1.15.28

Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.28 or greater.


WPForms – Broken Access Control

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-11205
Number of Installations: 6,000,000+
Affected Software: WPForms <= 1.9.2.1
Patched Versions: WPForms 1.9.2.2

Mitigation steps: Update to WPForms plugin version 1.9.2.2 or greater.


MainWP Child – Privilege Escalation

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2024-10783
Number of Installations: 700,000+
Affected Software: MainWP Child <= 5.2.9
Patched Versions: MainWP Child 5.3

Mitigation steps: Update to MainWP Child plugin version 5.3 or greater.


Ninja Forms – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11052
Number of Installations: 700,000+
Affected Software: Ninja Forms <= 3.8.19
Patched Versions: Ninja Forms 3.8.20

Mitigation steps: Update to Ninja Forms plugin version 3.8.20 or greater.


Fluent Forms – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10646
Number of Installations: 500,000+
Affected Software: Fluent Forms <= 5.2.6
Patched Versions: Fluent Forms 5.2.7

Mitigation steps: Update to Fluent Forms plugin version 5.2.7 or greater.


Fluent Forms – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9651
Number of Installations: 500,000+
Affected Software: Fluent Forms <= 5.2.0
Patched Versions: Fluent Forms 5.2.1

Mitigation steps: Update to Fluent Forms plugin version 5.2.1 or greater.


SiteOrigin Widgets Bundle – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-54268
Number of Installations: 500,000+
Affected Software: SiteOrigin Widgets Bundle <= 1.64.0
Patched Versions: SiteOrigin Widgets Bundle 1.64.1

Mitigation steps: Update to SiteOrigin Widgets Bundle plugin version 1.64.1 or greater.


Gutenberg Blocks with AI by Kadence WP – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10637
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.2.53
Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.2.54

Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.2.54 or greater.


Members – Membership & User Role Editor Plugin – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-11008
Number of Installations: 300,000+
Affected Software: Members – Membership & User Role Editor Plugin <= 3.2.10
Patched Versions: Members – Membership & User Role Editor Plugin 3.2.11

Mitigation steps: Update to Members plugin version 3.2.11 or greater.


Popup Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9428
Number of Installations: 200,000+
Affected Software: Popup Builder <= 4.3.4
Patched Versions: Popup Builder 4.3.5

Mitigation steps: Update to Popup Builder plugin version 4.3.5 or greater.


Unlimited Elements For Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10784
Number of Installations: 200,000+
Affected Software: Unlimited Elements For Elementor <= 1.5.126
Patched Versions: Unlimited Elements For Elementor 1.5.127

Mitigation steps: Update to Unlimited Elements For Elementor plugin version 1.5.127 or greater.


ProfilePress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10517
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.15.14
Patched Versions: ProfilePress 4.15.15

Mitigation steps: Update to ProfilePress plugin version 4.15.15 or greater.


Beaver Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11832
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.8.5.2
Patched Versions: Beaver Builder 2.8.5.3

Mitigation steps: Update to Beaver Builder plugin version 2.8.5.3 or greater.


Image Widget – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10939
Number of Installations: 100,000+
Affected Software: Image Widget <= 4.4.10
Patched Versions: Image Widget 4.4.11

Mitigation steps: Update to Image Widget plugin version 4.4.11 or greater.


LuckyWP Table of Contents – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9641
Number of Installations: 100,000+
Affected Software: LuckyWP Table of Contents <= 2.1.6
Patched Versions: LuckyWP Table of Contents 2.1.7

Mitigation steps: Update to LuckyWP Table of Contents plugin version 2.1.7 or greater.


Web Stories – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-54317
Number of Installations: 100,000+
Affected Software: Web Stories <= 1.37.9
Patched Versions: Web Stories 1.38.0

Mitigation steps: Update to Web Stories plugin version 1.38.0 or greater.


LearnPress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10010
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.7.1
Patched Versions: LearnPress 4.2.7.2

Mitigation steps: Update to LearnPress plugin version 4.2.7.2 or greater.


LearnPress – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-11868
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.7.3
Patched Versions: LearnPress 4.2.7.4

Mitigation steps: Update to LearnPress plugin version 4.2.7.4 or greater.


AI Engine – SQL Injection

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-10499
Number of Installations: 80,000+
Affected Software: AI Engine <= 2.6.4
Patched Versions: AI Engine 2.6.5

Mitigation steps: Update to AI Engine plugin version 2.6.5 or greater.


Ajax Search Lite – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10568
Number of Installations: 80,000+
Affected Software: Ajax Search Lite <= 4.12.3
Patched Versions: Ajax Search Lite 4.12.4

Mitigation steps: Update to Ajax Search Lite plugin version 4.12.4 or greater.


Bold Page Builder – Path Traversal

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2024-54382
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.1.5
Patched Versions: Bold Page Builder 5.1.6

Mitigation steps: Update to Bold Page Builder plugin version 5.1.6 or greater.


Ultimate Blocks – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10678
Number of Installations: 50,000+
Affected Software: Ultimate Blocks <= 3.2.3
Patched Versions: Ultimate Blocks 3.2.4

Mitigation steps: Update to Ultimate Blocks plugin version 3.2.4 or greater.


LiteSpeed Cache – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-51915
Number of Installations: 6,000,000+
Affected Software: LiteSpeed Cache <= 6.5.2
Patched Versions: LiteSpeed Cache 6.5.3

Mitigation steps: Update to LiteSpeed Cache plugin version 6.5.3 or greater.


Essential Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-56063
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 6.0.7
Patched Versions: Essential Addons for Elementor 6.0.8

Mitigation steps: Update to Essential Addons for Elementor plugin version 6.0.8 or greater.


Premium Addons for Elementor – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-56225
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.56
Patched Versions: Premium Addons for Elementor 4.10.57

Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.57 or greater.


The Events Calendar – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-5333
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.8.2
Patched Versions: The Events Calendar 6.8.2.1

Mitigation steps: Update to The Events Calendar plugin version 6.8.2.1 or greater.


Royal Elementor Addons and Templates – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-56226
Number of Installations: 500,000+
Affected Software: Royal Elementor Addons and Templates <= 1.7.1001
Patched Versions: Royal Elementor Addons and Templates 1.7.1002

Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.7.1002 or greater.


Royal Elementor Addons and Templates – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-56227
Number of Installations: 500,000+
Affected Software: Royal Elementor Addons and Templates <= 1.7.1001
Patched Versions: Royal Elementor Addons and Templates 1.7.1002

Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.7.1002 or greater.


Royal Elementor Addons and Templates – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-56062
Number of Installations: 500,000+
Affected Software: Royal Elementor Addons and Templates <= 1.7.0
Patched Versions: Royal Elementor Addons and Templates 1.7.1

Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.7.1 or greater.


AMP for WP – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11254
Number of Installations: 100,000+
Affected Software: AMP for WP <= 1.1.1
Patched Versions: AMP for WP 1.1.2

Mitigation steps: Update to AMP for WP plugin version 1.1.2 or greater.


Download Manager – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10706
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.02
Patched Versions: Download Manager 3.3.03

Mitigation steps: Update to Download Manager plugin version 3.3.03 or greater.


Download Manager – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-56217
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.03
Patched Versions: Download Manager 3.3.04

Mitigation steps: Update to Download Manager plugin version 3.3.04 or greater.


Download Manager – Arbitrary Code Execution

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-11740
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.03
Patched Versions: Download Manager 3.3.04

Mitigation steps: Update to Download Manager plugin version 3.3.04 or greater.


Download Manager – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-11768
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.03
Patched Versions: Download Manager 3.3.04

Mitigation steps: Update to Download Manager plugin version 3.3.04 or greater.


Widget Options – The #1 WordPress Widget & Block Control Plugin – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-56219
Number of Installations: 100,000+
Affected Software: Widget Options <= 4.0.7
Patched Versions: Widget Options 4.0.8

Mitigation steps: Update to Widget Options plugin version 4.0.8 or greater.


kk Star Ratings – Rate Post & Collect User Feedbacks – Arbitrary Code Execution

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-11977
Number of Installations: 90,000+
Affected Software: kk Star Ratings <= 5.4.10
Patched Versions: kk Star Ratings 5.4.10.1

Mitigation steps: Update to kk Star Ratings plugin version 5.4.10.1 or greater.


WordPress Button Plugin MaxButtons – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10555
Number of Installations: 90,000+
Affected Software: WordPress Button Plugin MaxButtons <= 9.8.0
Patched Versions: WordPress Button Plugin MaxButtons 9.8.1

Mitigation steps: Update to MaxButtons plugin version 9.8.1 or greater.


File Manager Pro – Filester – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-12331
Number of Installations: 80,000+
Affected Software: File Manager Pro – Filester <= 1.8.6
Patched Versions: File Manager Pro – Filester 1.8.7

Mitigation steps: Update to File Manager Pro – Filester plugin version 1.8.7 or greater.


Calculated Fields Form – Denial of Service Attack

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Denial of Service Attack
CVE: CVE-2024-12601
Number of Installations: 50,000+
Affected Software: Calculated Fields Form <= 5.2.63
Patched Versions: Calculated Fields Form 5.2.64

Mitigation steps: Update to Calculated Fields Form plugin version 5.2.64 or greater.


Easy Digital Downloads – Broken Access Control

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-9654
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.3.4
Patched Versions: Easy Digital Downloads 3.3.5

Mitigation steps: Update to Easy Digital Downloads plugin version 3.3.5 or greater.


Elementor Website Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10453
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.25.9
Patched Versions: Elementor Website Builder 3.25.10

Mitigation steps: Update to Elementor Website Builder plugin version 3.25.10 or greater.


WPForms – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11223
Number of Installations: 6,000,000+
Affected Software: WPForms <= 1.9.2.2
Patched Versions: WPForms 1.9.2.3

Mitigation steps: Update to WPForms plugin version 1.9.2.3 or greater.


Jetpack – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10858
Number of Installations: 4,000,000+
Affected Software: Jetpack <= 14.1
Patched Versions: Jetpack 14.1-a.1

Mitigation steps: Update to Jetpack plugin version 14.1-a.1 or greater.


Ultimate Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11230
Number of Installations: 2,000,000+
Affected Software: Ultimate Addons for Elementor <= 1.6.46
Patched Versions: Ultimate Addons for Elementor 1.6.47

Mitigation steps: Update to Ultimate Addons for Elementor plugin version 1.6.47 or greater.


Ninja Forms – Arbitrary Code Execution

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-12238
Number of Installations: 700,000+
Affected Software: Ninja Forms <= 3.8.22
Patched Versions: Ninja Forms 3.8.23

Mitigation steps: Update to Ninja Forms plugin version 3.8.23 or greater.


Broken Link Checker – Server Side Request Forgery (SSRF)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2024-10903
Number of Installations: 600,000+
Affected Software: Broken Link Checker <= 2.4.1
Patched Versions: Broken Link Checker 2.4.2

Mitigation steps: Update to Broken Link Checker plugin version 2.4.2 or greater.


Advanced Google reCAPTCHA – Other Vulnerability Type

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Other Vulnerability Type
CVE: CVE-2024-12034
Number of Installations: 100,000+
Affected Software: Advanced Google reCAPTCHA <= 1.25
Patched Versions: Advanced Google reCAPTCHA 1.26

Mitigation steps: Update to Advanced Google reCAPTCHA plugin version 1.26 or greater.


Element Pack Elementor Addons – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-11852
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.10.12
Patched Versions: Element Pack Elementor Addons 5.10.13

Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.10.13 or greater.


GiveWP – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11921
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.18.9
Patched Versions: GiveWP 3.19.0

Mitigation steps: Update to GiveWP plugin version 3.19.0 or greater.


Tracking Code Manager – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8721
Number of Installations: 100,000+
Affected Software: Tracking Code Manager <= 2.3.9
Patched Versions: Tracking Code Manager 2.4.0

Mitigation steps: Update to Tracking Code Manager plugin version 2.4.0 or greater.


Easy Digital Downloads – Arbitrary File Download

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2024-12875
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.3.2
Patched Versions: Easy Digital Downloads 3.3.3

Mitigation steps: Update to Easy Digital Downloads plugin version 3.3.3 or greater.


Blocksy – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11420
Number of Downloads: 3,976,858
Affected Software: Blocksy <= 2.0.77
Patched Versions: Blocksy 2.0.78

Mitigation steps: Update to Blocksy theme version 2.0.78 or greater.


Flixita – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10836
Number of Downloads: 110,003
Affected Software: Flixita <= 1.0.82
Patched Versions: Flixita 1.0.83

Mitigation steps: Update to Flixita theme version 1.0.83 or greater.


NewsMunch – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10848
Number of Downloads: 60,837
Affected Software: NewsMunch <= 1.0.35
Patched Versions: NewsMunch 1.0.36

Mitigation steps: Update to NewsMunch theme version 1.0.36 or greater.


VW Automobile Lite – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-56234
Number of Downloads: 188,505
Affected Software: VW Automobile Lite
Patched Versions: No Fix

Mitigation steps: No fix available. Consider switching to an alternative theme or contacting the developer for further assistance.


NewsMash – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-56208
Number of Downloads: 100,124
Affected Software: NewsMash <= 1.0.71
Patched Versions: NewsMash 1.0.72

Mitigation steps: Update to NewsMash theme version 1.0.72 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.
