WordPress Vulnerability & Patch Roundup May 2024

WordPress Vulnerability & Patch Roundup — May 2024

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


WordPress 6.5.3 – Maintenance Release

A new update for WordPress has been released which features a number of bug fixes in WordPress 6.5.3. This latest short-cycle maintenance release includes 12 bug fixes on Core and 9 bug fixes for the Block editor.

We strongly encourage you to always keep your CMS patched with the latest core updates to mitigate risk and protect your WordPress website.


Elementor Website Builder –  Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4619
Number of Installations: 5,000,000+
Affected Software: Elementor Website Builder – More than Just a Page Builder <= 3.21.5
Patched Versions: Elementor Website Builder – More than Just a Page Builder 3.21.6

Mitigation steps: Update to Elementor Website Builder plugin version 3.21.6 or greater.


Yoast SEO – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4984
Number of Installations: 5,000,000+
Affected Software: Yoast SEO <= 22.6
Patched Versions: Yoast SEO 22.7

Mitigation steps: Update to Yoast SEO plugin version 22.7 or greater.


Jetpack – WP Security, Backup, Speed, & Growth – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4392
Number of Installations: 4,000,000+
Affected Software: Jetpack <= 13.3
Patched Versions: Jetpack 13.4

Mitigation steps: Update to Jetpack plugin version 13.4 or greater.


Essential Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4624
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.20
Patched Versions: Essential Addons for Elementor 5.9.21

Mitigation steps: Update to Essential Addons for Elementor plugin version 5.9.21 or greater.


Rank Math SEO – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4617
Number of Installations: 2,000,000+
Affected Software: Rank Math SEO with AI Best SEO Tools <= 1.0.218
Patched Versions: Rank Math SEO with AI Best SEO Tools 1.0.219

Mitigation steps: Update to Rank Math SEO plugin version 1.0.219-beta or greater.


ElementsKit Elementor and Templates Library – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3650
Number of Installations: 1,000,000+
Affected Software: ElementsKit <= 3.1.2
Patched Versions: ElementsKit 3.1.3

Mitigation steps: Update to ElementsKit plugin version 3.1.3 or greater.


Starter Templates


Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4630
Number of Installations: 1,000,000+
Affected Software: Starter Templates <= 4.2.1
Patched Versions: Starter Templates 4.2.2

Mitigation steps: Update to Starter Templates plugin version 4.2.2 or greater.


One Click Demo Import – PHP Object Injection

Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2024-34433
Number of Installations: 1,000,000+
Affected Software: One Click Demo Import <= 3.2.0
Patched Versions: One Click Demo Import 3.2.1

Mitigation steps: Update to One Click Demo Import plugin version 3.2.1 or greater.


Elementor Header & Footer Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4634
Number of Installations: 1,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.28
Patched Versions: Elementor Header & Footer Builder 1.6.29

Mitigation steps: Update to Elementor Header & Footer Builder plugin version 1.6.29 or greater.


Page Builder by SiteOrigin – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4361
Number of Installations: 700,000+
Affected Software: Page Builder by SiteOrigin <= 2.29.15
Patched Versions: Page Builder by SiteOrigin 2.29.16

Mitigation steps: Update to Page Builder by SiteOrigin plugin version 2.29.16 or greater.


Premium Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4203
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.30
Patched Versions: Premium Addons for Elementor 4.10.31

Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.31 or greater.


The Events Calendar – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4180
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.4.0
Patched Versions: The Events Calendar 6.4.0.1

Mitigation steps: Update to The Events Calendar plugin version 6.4.0.1 or greater.


Shortcodes Ultimate – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3550
Number of Installations: 600,000+
Affected Software: WP Shortcodes Plugin <= 7.1.5
Patched Versions: WP Shortcodes Plugin 7.1.6

Mitigation steps: Update to WP Shortcodes Plugin version 7.1.6 or greater.


NextGEN Gallery – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-2744
Number of Installations: 500,000+
Affected Software: NextGEN Gallery <= 3.59.0
Patched Versions: NextGEN Gallery 3.59.1

Mitigation steps: Update to NextGEN Gallery plugin version 3.59.1 or greater.


Contact Form Plugin by Fluent Forms – Privilege Escalation

Security Risk: High

Exploitation No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4709
Number of Installations: 400,000+
Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.16
Patched Versions: Contact Form Plugin by Fluent Forms 5.1.17

Mitigation steps: Update to Contact Form Plugin by Fluent Forms plugin version 5.1.17 or greater.


Happy Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4865
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.10.8
Patched Versions: Happy Addons for Elementor 3.10.9

Mitigation steps: Update to Happy Addons for Elementor plugin version 3.10.9 or greater.


Gutenberg Blocks with AI by Kadence WP – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3189
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.2.37
Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.2.38

Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.2.38 or greater.


Password Protected – Broken Access Control

Security Risk: Low
Exploitation Level: Requires Subscriber level authentication or higher.
Vulnerability: Broken Access Control
CVE: CVE-2024-0437
Number of Installations: 400,000+
Affected Software: Password Protected <= 2.6.6
Patched Versions: Password Protected 2.6.7

Mitigation steps: Update to Password Protected plugin version 2.6.7 or greater.


Royal Elementor Addons and Templates – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3887
Number of Installations: 300,000+
Affected Software: Royal Elementor Addons and Templates <= 1.3.974
Patched Versions: Royal Elementor Addons and Templates 1.3.975

Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.3.975 or greater.


Blocksy Companion – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4487
Number of Installations: 200,000+
Affected Software: Blocksy Companion <= 2.0.45
Patched Versions: Blocksy Companion 2.0.46

Mitigation steps: Update to Blocksy Companion plugin version 2.0.46 or greater.


Unlimited Elements For Elementor – SQL Injection

Security Risk: High
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: SQL Injection
CVE: CVE-2024-3055
Number of Installations: 200,000+
Affected Software: Unlimited Elements For Elementor <= 1.5.104
Patched Versions: Unlimited Elements For Elementor 1.5.105

Mitigation steps: Update to Unlimited Elements For Elementor plugin version 1.5.105 or greater.


White Label CMS – Broken Access Control

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-4280
Number of Installations: 200,000+
Affected Software: White Label CMS <= 2.7.3
Patched Versions: White Label CMS 2.7.4

Mitigation steps: Update to White Label CMS plugin version 2.7.4 or greater.


Menu Icons by ThemeIsle – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Author level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4635
Number of Installations: 200,000+
Affected Software: Menu Icons by ThemeIsle <= 0.13.13
Patched Versions: Menu Icons by ThemeIsle 0.13.14

Mitigation steps: Update to Menu Icons by ThemeIsle plugin version 0.13.14 or greater.


Image Optimization by Optimole – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Author level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4636
Number of Installations: 200,000+
Affected Software: Image Optimization by Optimole <= 3.12.9
Patched Versions: Image Optimization by Optimole 3.13.0

Mitigation steps: Update to Image Optimization by Optimole plugin version 3.13.0 or greater.


Supreme Modules Lite – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4334
Number of Installations: 200,000+
Affected Software: Supreme Modules Lite <= 2.5.3
Patched Versions: Supreme Modules Lite 2.5.4

Mitigation steps: Update to Supreme Modules Lite plugin version 2.5.4 or greater.


Essential Blocks for Gutenberg –  Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4891
Number of Installations: 100,000+
Affected Software: Essential Blocks <= 4.5.12
Patched Versions: Essential Blocks 4.5.13

Mitigation steps: Update to Essential Blocks for Gutenberg plugin version 4.5.13 or greater.


BuddyPress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3974
Number of Installations: 100,000+
Affected Software: BuddyPress <= 12.4.0
Patched Versions: BuddyPress 12.4.1

Mitigation steps: Update to BuddyPress plugin version 12.4.1 or greater.

Advanced Ads – Ad Manager & AdSense – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3952
Number of Installations: 100,000+
Affected Software: Advanced Ads <= 1.52.1
Patched Versions: Advanced Ads 1.52.2

Mitigation steps: Update to Advanced Ads plugin version 1.52.2 or greater.


GiveWP – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3714
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.10.9
Patched Versions: GiveWP 3.11.0

Mitigation steps: Update to GiveWP plugin version 3.11.0 or greater.


Prime Slider Addons For Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4339
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.14.3
Patched Versions: Prime Slider 3.14.4

Mitigation steps: Update to Prime Slider plugin version 3.14.4 or greater.


HT Mega – Absolute Addons For Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4876
Number of Installations: 100,000+
Affected Software: HT Mega <= 2.5.2
Patched Versions: HT Mega 2.5.3

Mitigation steps: Update to HT Mega plugin version 2.5.3 or greater.


ShopLentor All in One Solution (formerly WooLentor) – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3345
Number of Installations: 100,000+
Affected Software: ShopLentor <= 2.8.8
Patched Versions: ShopLentor 2.8.9

Mitigation steps: Update to ShopLentor plugin version 2.8.9 or greater.


Beaver Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4430
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.8.1.2
Patched Versions: Beaver Builder 2.8.1.3

Mitigation steps: Update to Beaver Builder plugin version 2.8.1.3 or greater.


Content Views – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4446
Number of Installations: 100,000+
Affected Software: Content Views <= 3.7.1
Patched Versions: Content Views 3.7.2

Mitigation steps: Update to Content Views plugin version 3.7.2 or greater.


Pods – Custom Content Types and Fields – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3956
Number of Installations: 100,000+
Affected Software: Pods <= 3.2.1
Patched Versions: Pods 3.2.1.1

Mitigation steps: Update to Pods plugin version 3.2.1.1 or greater.


Content Views – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4446
Number of Installations: 100,000+
Affected Software: Content Views <= 3.7.1
Patched Versions: Content Views 3.7.2

Mitigation steps: Update to Content Views plugin version 3.7.2 or greater.


The Plus Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-34373
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.4.9
Patched Versions: The Plus Addons for Elementor 5.5.0

Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.5.0 or greater.


ShopLentor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-6327
Number of Installations: 100,000+
Affected Software: ShopLentor <= 2.8.8
Patched Versions: ShopLentor 2.8.9

Mitigation steps: Update to ShopLentor plugin version 2.8.9 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.

You May Also Like