Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Essential Addons for Elementor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3333
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.14
Patched Versions: Essential Addons for Elementor 5.9.15
Mitigation steps: Update to Essential Addons for Elementor plugin version 5.9.15 or greater.
ElementsKit Elementor addons – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2803
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.0.7
Patched Versions: ElementsKit Elementor addons 3.1.0
Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.1.0 or greater.
File Manager – Directory Traversal
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Directory Traversal
CVE: CVE-2024-2654
Number of Installations: 1,000,000+
Affected Software: File Manager <= 7.2.5
Patched Versions: File Manager 7.2.6
Mitigation steps: Update to File Manager plugin version 7.2.6 or greater.
Smart Slider 3 – Missing Authorization for File Upload
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Missing Authorization for File Upload
CVE: CVE-2024-3027
Number of Installations: 900,000+
Affected Software: Smart Slider 3 <= 3.5.1.22
Patched Versions: Smart Slider 3 3.5.1.23
Mitigation steps: Update to Smart Slider 3 plugin version 3.5.1.23 or greater.
Premium Addons for Elementor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-0376
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.16
Patched Versions: Premium Addons for Elementor 4.10.17
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.17 or greater.
Premium Addons for Elementor – DOM-Based Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: DOM-Based Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2666
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.24
Patched Versions: Premium Addons for Elementor 4.10.25
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.25 or greater.
Ocean Extra – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3167
Number of Installations: 700,000+
Affected Software: Ocean Extra <= 2.2.6
Patched Versions: Ocean Extra 2.2.7
Mitigation steps: Update to Ocean Extra plugin version 2.2.7 or greater.
Premium Addons for Elementor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2665
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.27
Patched Versions: Premium Addons for Elementor 4.10.28
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.28 or greater.
Spectra – WordPress Gutenberg Blocks – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2023-6486
Number of Installations: 700,000+
Affected Software: Spectra – WordPress Gutenberg Blocks <= 2.10.3
Patched Versions: Spectra – WordPress Gutenberg Blocks 2.10.4
Mitigation steps: Update to Spectra – WordPress Gutenberg Blocks plugin version 2.10.4 or greater.
Slider, Gallery, and Carousel by MetaSlider – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3285
Number of Installations: 600,000+
Affected Software: Slider, Gallery, and Carousel by MetaSlider <= 3.70.0
Patched Versions: Slider, Gallery, and Carousel by MetaSlider 3.70.1
Mitigation steps: Update to Slider, Gallery, and Carousel by MetaSlider plugin version 3.70.1 or greater.
Forminator – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3053
Number of Installations: 500,000+
Affected Software: Forminator <= 1.29.2
Patched Versions: Forminator 1.29.3
Mitigation steps: Update to Forminator plugin version 1.29.3 or greater.
Happy Addons for Elementor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2788
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.10.4
Patched Versions: Happy Addons for Elementor 3.10.5
Mitigation steps: Update to Happy Addons for Elementor plugin version 3.10.5 or greater.
Gutenberg Blocks by Kadence Blocks – DOM-Based Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: DOM-Based Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2919
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks by Kadence Blocks <= 3.2.31
Patched Versions: Gutenberg Blocks by Kadence Blocks 3.2.32
Mitigation steps: Update to Gutenberg Blocks by Kadence Blocks plugin version 3.2.32 or greater.
Gutenberg – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Unauthenticated + Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
Number of Installations: 300,000+
Affected Software: Gutenberg 12.9.0 - 18.0.0
Patched Versions: Gutenberg 18.01
Mitigation steps: Update to Gutenberg plugin version 18.01 or greater.
Otter Blocks – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3343
Number of Installations: 300,000+
Affected Software: Otter Blocks <= 2.6.8
Patched Versions: Otter Blocks 2.6.9
Mitigation steps: Update to Otter Blocks plugin version 2.6.9 or greater.
Paid Membership Plugin – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2867
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.15.5
Patched Versions: ProfilePress 4.15.6
Mitigation steps: Update to ProfilePress plugin version 4.15.6 or greater.
Ultimate Member – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2765
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.8.4
Patched Versions: Ultimate Member 2.8.5
Mitigation steps: Update to Ultimate Member plugin version 2.8.5 or greater.
Photo Gallery by 10Web – Stored Cross-Site Scripting
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2296
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.21
Patched Versions: Photo Gallery by 10Web 1.8.22
Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.22 or greater.
FileBird – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2345
Number of Installations: 200,000+
Affected Software: FileBird <= 5.6.3
Patched Versions: FileBird 5.6.4
Mitigation steps: Update to FileBird plugin version 5.6.4 or greater.
ShopLentor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2868
Number of Installations: 100,000+
Affected Software: ShopLentor <= 2.8.3
Patched Versions: ShopLentor 2.8.4
Mitigation steps: Update to ShopLentor plugin version 2.8.4 or greater.
Element Pack Elementor Addons – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-1428
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.5.3
Patched Versions: Element Pack Elementor Addons 5.5.4
Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.5.4 or greater.
GiveWP – Donation Plugin and Fundraising Platform – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-1957
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.6.1
Patched Versions: GiveWP 3.7.0
Mitigation steps: Update to GiveWP plugin version 3.7.0 or greater.
Essential Blocks for Gutenberg – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-31306
Number of Installations: 100,000+
Affected Software: Essential Blocks for Gutenberg <= 4.5.3
Patched Versions: Essential Blocks for Gutenberg 4.5.4
Mitigation steps: Update to Essential Blocks for Gutenberg plugin version 4.5.4 or greater.
Element Pack Elementor Addons – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-0837
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.3.2
Patched Versions: Element Pack Elementor Addons 5.3.3
Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.3.3 or greater.
FooGallery – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2471
Number of Installations: 100,000+
Affected Software: FooGallery <= 2.4.14
Patched Versions: FooGallery 2.4.15
Mitigation steps: Update to FooGallery plugin version 2.4.15 or greater.
HT Mega – Absolute Addons For Elementor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3308
Number of Installations: 100,000+
Affected Software: HT Mega – Absolute Addons For Elementor <= 2.4.9
Patched Versions: HT Mega – Absolute Addons For Elementor 2.5.0
Mitigation steps: Update to HT Mega – Absolute Addons For Elementor plugin version 2.5.0 or greater.
Icegram Express – Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2656
Number of Installations: 100,000+
Affected Software: Icegram Express <= 5.7.14
Patched Versions: Icegram Express 5.7.16
Mitigation steps: Update to Icegram Express plugin version 5.7.16 or greater.
Enhanced Media Library – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2840
Number of Installations: 90,000+
Affected Software: Enhanced Media Library <= 2.8.9
Patched Versions: Enhanced Media Library 2.8.10
Mitigation steps: Update to Enhanced Media Library plugin version 2.8.10 or greater.
EmbedPress – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-3244
Number of Installations: 90,000+
Affected Software: EmbedPress <= 3.9.14
Patched Versions: EmbedPress 3.9.15
Mitigation steps: Update to EmbedPress plugin version 3.9.15 or greater.
LearnPress – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires LP Instructor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-1463
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.6.3
Patched Versions: LearnPress 4.2.6.4
Mitigation steps: Update to LearnPress plugin version 4.2.6.4 or greater.
Email Subscribers by Icegram Express – SQL Injection
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-2876
Number of Installations: 90,000+
Affected Software: Icegram Express <= 5.7.14
Patched Versions: Icegram Express 5.7.15
Mitigation steps: Update to Email Subscribers by Icegram Express plugin version 5.7.15 or greater.
Sydney Toolbox – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3208
Number of Installations: 80,000+
Affected Software: Sydney Toolbox <= 1.28
Patched Versions: Sydney Toolbox 1.29
Mitigation steps: Update to Sydney Toolbox plugin version 1.29 or greater.
User Registration – Privilege Escalation
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-2417
Number of Installations: 70,000+
Affected Software: User Registration <= 3.1.5
Patched Versions: User Registration 3.2.0
Mitigation steps: Update to User Registration plugin version 3.2.0 or greater.
WordPress Tag and Category Manager – AI Autotagger – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2830
Number of Installations: 60,000+
Affected Software: WordPress Tag and Category Manager <= 3.13.0
Patched Versions: WordPress Tag and Category Manager 3.20.0
Mitigation steps: Update to WordPress Tag and Category Manager plugin version 3.20.0 or greater.
WPC Smart Quick View for WooCommerce – Stored Cross-Site Scripting
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2023-6494
Number of Installations: 60,000+
Affected Software: WPC Smart Quick View for WooCommerce <= 4.0.2
Patched Versions: WPC Smart Quick View for WooCommerce 4.0.3
Mitigation steps: Update to WPC Smart Quick View for WooCommerce plugin version 4.0.3 or greater.
Elementor Addons by Livemesh – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2539
Number of Installations: 60,000+
Affected Software: Elementor Addons by Livemesh <= 8.3.6
Patched Versions: Elementor Addons by Livemesh 8.3.7
Mitigation steps: Update to Elementor Addons by Livemesh plugin version 8.3.7 or greater.
Carousel, Slider, Gallery by WP Carousel – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2949
Number of Installations: 60,000+
Affected Software: WP Carousel <= 2.6.3
Patched Versions: WP Carousel 2.6.4
Mitigation steps: Update to WP Carousel plugin version 2.6.4 or greater.
Exclusive Addons for Elementor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2503
Number of Installations: 60,000+
Affected Software: Exclusive Addons for Elementor <= 2.6.9.2
Patched Versions: Exclusive Addons for Elementor 2.6.9.3
Mitigation steps: Update to Exclusive Addons for Elementor plugin version 2.6.9.3 or greater.
Bold Page Builder – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3266
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 4.8.8
Patched Versions: Bold Page Builder 4.8.9
Mitigation steps: Update to Bold Page Builder plugin version 4.8.9 or greater.
FancyBox for WordPress – Stored Cross-Site Scripting
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-0662
Number of Installations: 50,000+
Affected Software: FancyBox for WordPress 3.0.2 - 3.3.3
Patched Versions: FancyBox for WordPress 3.3.4
Mitigation steps: Update to FancyBox for WordPress plugin version 3.3.4 or greater.
RSS Aggregator by Feedzy – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2023-6877
Number of Installations: 50,000+
Affected Software: RSS Aggregator by Feedzy <= 4.3.3
Patched Versions: RSS Aggregator by Feedzy 4.3.4
Mitigation steps: Update to RSS Aggregator by Feedzy plugin version 4.3.4 or greater.
Piotnet Addons For Elementor – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-29934
Number of Installations: 40,000+
Affected Software: Piotnet Addons For Elementor <= 2.4.25
Patched Versions: Piotnet Addons For Elementor 2.4.26
Mitigation steps: Update to Piotnet Addons For Elementor plugin version 2.4.26 or greater.
Carousel Slider – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3703
Number of Installations: 40,000+
Affected Software: Carousel Slider <= 2.2.9
Patched Versions: Carousel Slider 2.2.10
Mitigation steps: Update to Carousel Slider plugin version 2.2.10 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.