Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
WordPress 6.6.1 Maintenance Release
WordPress 6.6.1 has been released, featuring 7 Core bug fixes and 9 Block Editor bug fixes. Read the Release Candidate announcement for a detailed overview of the changes.
We strongly encourage WordPress users to always keep their CMS patched with the latest core updates to mitigate risk and protect the WordPress environment.
WooCommerce – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-39666
Number of Installations: 7,000,000+
Affected Software: WooCommerce <= 9.1.2
Patched Versions: WooCommerce 9.1.3
Mitigation steps: Update to WooCommerce plugin version 9.1.3 or greater.
LiteSpeed Cache – Privilege Escalation
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2024-28000
Number of Installations: 5,000,000+
Affected Software: LiteSpeed Cache <= 6.3.0.1
Patched Versions: LiteSpeed Cache 6.4
Mitigation steps: Update to LiteSpeed Cache plugin version 6.4 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7092
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.27
Patched Versions: Essential Addons for Elementor 6.0.0
Mitigation steps: Update to Essential Addons for Elementor plugin version 6.0.0 or greater.
Spectra – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7590
Number of Installations: 900,000+
Affected Software: Spectra <= 2.14.1
Patched Versions: Spectra 2.15.1
Mitigation steps: Update to Spectra plugin version 2.15.1 or greater.
Popup Maker – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7054
Number of Installations: 700,000+
Affected Software: Popup Maker <= 1.19.0
Patched Versions: Popup Maker 1.19.1
Mitigation steps: Update to Popup Maker plugin version 1.19.1 or greater.
Premium Addons for Elementor – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-6824
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.38
Patched Versions: Premium Addons for Elementor 4.10.39
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.39 or greater.
Meta Box – Broken Access Control
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43235
Number of Installations: 600,000+
Affected Software: Meta Box <= 5.9.10
Patched Versions: Meta Box 5.9.11
Mitigation steps: Update to Meta Box plugin version 5.9.11 or greater.
SiteOrigin Widgets Bundle – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-5901
Number of Installations: 600,000+
Affected Software: SiteOrigin Widgets Bundle <= 1.62.2
Patched Versions: SiteOrigin Widgets Bundle 1.62.3
Mitigation steps: Update to SiteOrigin Widgets Bundle plugin version 1.62.3 or greater.
Easy Table of Contents – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7082
Number of Installations: 500,000+
Affected Software: Easy Table of Contents <= 2.0.67.1
Patched Versions: Easy Table of Contents 2.0.68
Mitigation steps: Update to Easy Table of Contents plugin version 2.0.68 or greater.
Formidable Forms – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6725
Number of Installations: 400,000+
Affected Software: Formidable Forms <= 6.11.1
Patched Versions: Formidable Forms 6.11.2
Mitigation steps: Update to Formidable Forms plugin version 6.11.2 or greater.
Gutenberg Blocks with AI by Kadence WP – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6884
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.2.38
Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.2.39
Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.2.39 or greater.
Fonts Plugin – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43302
Number of Installations: 200,000+
Affected Software: Fonts Plugin <= 3.7.7
Patched Versions: Fonts Plugin 3.7.8
Mitigation steps: Update to Fonts Plugin plugin version 3.7.8 or greater.
White Label CMS – Reflected Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: XSS
CVE: CVE-2024-43303
Number of Installations: 200,000+
Affected Software: White Label CMS <= 2.7.4
Patched Versions: White Label CMS 2.7.5
Mitigation steps: Update to White Label CMS plugin version 2.7.5 or greater.
Download Manager – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6208
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.2.97
Patched Versions: Download Manager 3.2.98
Mitigation steps: Update to Download Manager plugin version 3.2.98 or greater.
Essential Blocks – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-5595
Number of Installations: 100,000+
Affected Software: Essential Blocks < 4.7.0
Patched Versions: Essential Blocks 4.7.0
Mitigation steps: Update to Essential Blocks plugin version 4.7.0 or greater.
Inline Related Posts – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6487
Number of Installations: 100,000+
Affected Software: Inline Related Posts < 3.8.0
Patched Versions: Inline Related Posts 3.8.0
Mitigation steps: Update to Inline Related Posts version 3.8.0 or greater.
My Sticky Bar – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-4090
Number of Installations: 100,000+
Affected Software: My Sticky Bar (formerly myStickymenu) <= 2.7.1
Patched Versions: My Sticky Bar (formerly myStickymenu) 2.7.2
Mitigation steps: Update to My Sticky Bar plugin version 2.7.2 or greater.
DearFlip – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-4367
Number of Installations: 100,000+
Affected Software: DearFlip <= 2.2.55
Patched Versions: DearFlip 2.2.56
Mitigation steps: Update to DearFlip plugin version 2.2.56 or greater.
AMP for WP – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43146
Number of Installations: 100,000+
Affected Software: AMP for WP <= 1.0.96.1
Patched Versions: AMP for WP 1.0.97
Mitigation steps: Update to AMP for WP plugin version 1.0.97 or greater.
Aruba HiSpeed Cache – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43119
Number of Installations: 100,000+
Affected Software: Aruba HiSpeed Cache <= 2.0.12
Patched Versions: Aruba HiSpeed Cache 2.0.13
Mitigation steps: Update to Aruba HiSpeed Cache plugin version 2.0.13 or greater.
Element Pack Elementor Addons – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7247
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.7.2
Patched Versions: Element Pack Elementor Addons 5.7.3
Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.7.3 or greater.
Slider & Popup Builder by Depicter – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-43161
Number of Installations: 100,000+
Affected Software: Slider & Popup Builder by Depicter <= 3.1.2
Patched Versions: Slider & Popup Builder by Depicter 3.2.0
Mitigation steps: Update to Slider & Popup Builder by Depicter plugin version 3.2.0 or greater.
FooBox – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-5668
Number of Installations: 100,000+
Affected Software: FooBox <= 2.7.28
Patched Versions: FooBox 2.7.32
Mitigation steps: Update to FooBox plugin version 2.7.32 or greater.
Hummingbird Performance – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43118
Number of Installations: 100,000+
Affected Software: Hummingbird Performance <= 3.9.1
Patched Versions: Hummingbird Performance 3.9.2
Mitigation steps: Update to Hummingbird Performance plugin version 3.9.2 or greater.
Robin image optimizer – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43122
Number of Installations: 100,000+
Affected Software: Robin image optimizer <= 1.6.9
Patched Versions: Robin image optimizer 1.7.0
Mitigation steps: Update to Robin image optimizer plugin version 1.7.0 or greater.
GiveWP – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-5940, CVE-2024-5939
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.13.9
Patched Versions: GiveWP 3.14.0
Mitigation steps: Update to GiveWP plugin version 3.14.0 or greater.
The Ultimate Video Player For WordPress – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43285
Number of Installations: 100,000+
Affected Software: The Ultimate Video Player For WordPress <= 3.0.2
Patched Versions: The Ultimate Video Player For WordPress 3.0.3
Mitigation steps: Update to The Ultimate Video Player For WordPress plugin version 3.0.3 or greater.
SEO Plugin by Squirrly SEO – SQL Injection
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-43286
Number of Installations: 100,000+
Affected Software: SEO Plugin by Squirrly SEO <= 12.3.19
Patched Versions: SEO Plugin by Squirrly SEO 12.3.20
Mitigation steps: Update to SEO Plugin by Squirrly SEO plugin version 12.3.20 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-5763
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.6.2
Patched Versions: The Plus Addons for Elementor 5.6.3
Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.6.3 or greater.
Asset CleanUp: Page Speed Booster – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43314
Number of Installations: 100,000+
Affected Software: Asset CleanUp: Page Speed Booster <= 1.3.9.3
Patched Versions: Asset CleanUp: Page Speed Booster 1.3.9.4
Mitigation steps: Update to Asset CleanUp: Page Speed Booster plugin version 1.3.9.4 or greater.
Email Encoder – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-4483
Number of Installations: 90,000+
Affected Software: Email Encoder <= 2.2.1
Patched Versions: Email Encoder 2.2.2
Mitigation steps: Update to Email Encoder plugin version 2.2.2 or greater.
Social Feed Gallery – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-39640
Number of Installations: 90,000+
Affected Software: Social Feed Gallery <= 4.3.9
Patched Versions: Social Feed Gallery 4.4.0
Mitigation steps: Update to Social Feed Gallery plugin version 4.4.0 or greater.
WP Mobile Menu – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-2508
Number of Installations: 90,000+
Affected Software: WP Mobile Menu <= 2.8.4.4
Patched Versions: WP Mobile Menu 2.8.5
Mitigation steps: Update to WP Mobile Menu plugin version 2.8.5 or greater.
LearnPress – SQL Injection
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-7548
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.6.9.3
Patched Versions: LearnPress 4.2.6.9.4
Mitigation steps: Update to LearnPress plugin version 4.2.6.9.4 or greater.
Tutor LMS – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Instructor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-43231
Number of Installations: 90,000+
Affected Software: Tutor LMS <= 2.7.3
Patched Versions: Tutor LMS 2.7.4
Mitigation steps: Update to Tutor LMS plugin version 2.7.4 or greater.
Tutor LMS – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Tutor Instructor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43142
Number of Installations: 90,000+
Affected Software: Tutor LMS <= 2.7.3
Patched Versions: Tutor LMS 2.7.4
Mitigation steps: Update to Tutor LMS plugin version 2.7.4 or greater.
Ajax Search Lite – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7084
Number of Installations: 80,000+
Affected Software: Ajax Search Lite <= 4.12
Patched Versions: Ajax Search Lite 4.12.1
Mitigation steps: Update to Ajax Search Lite plugin version 4.12.1 or greater.
Folders – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7317
Number of Installations: 80,000+
Affected Software: Folders <= 3.0.3
Patched Versions: Folders 3.0.4
Mitigation steps: Update to Folders plugin version 3.0.4 or greater.
3D FlipBook – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-43152
Number of Installations: 70,000+
Affected Software: 3D FlipBook <= 1.15.6
Patched Versions: 3D FlipBook 1.15.7
Mitigation steps: Update to 3D FlipBook plugin version 1.15.7 or greater.
Clone – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43298
Number of Installations: 70,000+
Affected Software: Clone <= 2.4.5
Patched Versions: Clone 2.4.6
Mitigation steps: Update to Clone plugin version 2.4.6 or greater.
FOX – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43297
Number of Installations: 60,000+
Affected Software: FOX <= 1.4.2
Patched Versions: FOX 1.4.2.1
Mitigation steps: Update to FOX plugin version 1.4.2.1 or greater.
WP Table Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-43125
Number of Installations: 60,000+
Affected Software: WP Table Builder <= 1.4.15
Patched Versions: WP Table Builder 1.5.0
Mitigation steps: Update to WP Table Builder plugin version 1.5.0 or greater.
Blog2Social – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7302
Number of Installations: 60,000+
Affected Software: Blog2Social <= 7.5.4
Patched Versions: Blog2Social 7.5.5
Mitigation steps: Update to Blog2Social plugin version 7.5.5 or greater.
Bold Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7100
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.0.2
Patched Versions: Bold Page Builder 5.0.3
Mitigation steps: Update to Bold Page Builder plugin version 5.0.3 or greater.
Easy Digital Downloads – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-5057
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.2.12
Patched Versions: Easy Digital Downloads 3.3.1
Mitigation steps: Update to Easy Digital Downloads plugin version 3.3.1 or greater.
User Profile Builder – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-6366
Number of Installations: 50,000+
Affected Software: User Profile Builder <= 3.11.7
Patched Versions: User Profile Builder 3.11.8
Mitigation steps: Update to User Profile Builder plugin version 3.11.8 or greater.
Category Posts Widget – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6158
Number of Installations: 50,000+
Affected Software: Category Posts Widget <= 4.9.16
Patched Versions: Category Posts Widget 4.9.17
Mitigation steps: Update to Category Posts Widget plugin version 4.9.17 or greater.
Easy Digital Downloads – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6692
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.3.2
Patched Versions: Easy Digital Downloads 3.3.3
Mitigation steps: Update to Easy Digital Downloads plugin version 3.3.3 or greater.
Easy Digital Downloads – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43162
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.2.12
Patched Versions: Easy Digital Downloads 3.3.1
Mitigation steps: Update to Easy Digital Downloads plugin version 3.3.1 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.