WordPress Vulnerability & Patch Roundup February 2024
2024-3-1 00:25:21 Author: blog.sucuri.net (view original)

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


Elementor Website Builder – Cross-Site Scripting (XSS)

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-0506
Number of Installations: 5,000,000+
Affected Software: Elementor Website Builder <= 3.18.3
Patched Versions: Elementor Website Builder 3.19.0

Mitigation steps: Update to Elementor Website Builder plugin version 3.19.0 or greater.


Elementor – Arbitrary File Deletion & PHAR Deserialization

Security Risk: High
Vulnerability: Path Traversal
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-24934
Number of Installations: 5,000,000+
Affected Software: Elementor Website Builder – More than Just a Page Builder <= 3.19.0
Patched Versions: Elementor Website Builder – More than Just a Page Builder 3.19.1

Mitigation steps: Update to Elementor Website Builder plugin version 3.19.1 or greater.


LiteSpeed Cache – Cross-Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-40000
Number of Installations: 5,000,000+
Affected Software: LiteSpeed Cache <= 5.7
Patched Versions: LiteSpeed Cache 5.7.0.1

Mitigation steps: Update LiteSpeed Cache to version 5.7.0.1 or newer.


Essential Addons for Elementor – Cross-Site Scripting (XSS)

Security Risk: High
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1236
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.8
Patched Versions: Essential Addons for Elementor 5.9.9

Mitigation steps: Update to Essential Addons for Elementor plugin version 5.9.9 or greater.


All-In-One Security (AIOS) Security and Firewall – Cross-Site Scripting (XSS)

Security Risk: Low
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: No authentication required.
CVE: CVE-2024-1037
Number of Installations: 1,000,000+
Affected Software: All-In-One Security (AIOS) – Security and Firewall <= 5.2.5
Patched Versions: All-In-One Security (AIOS) – Security and Firewall 5.2.6

Mitigation steps: Update to All-In-One Security (AIOS) – Security and Firewall plugin version 5.2.6 or greater.


Meta Box – WordPress Custom Fields Framework – Cross-Site Scripting (XSS)

Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2023-6526
Number of Installations: 700,000+
Affected Software: Meta Box – WordPress Custom Fields Framework <= 5.9.2
Patched Versions: Meta Box – WordPress Custom Fields Framework 5.9.3

Mitigation steps: Update to Meta Box – WordPress Custom Fields Framework plugin version 5.9.3 or greater.


Premium Addons for Elementor – Cross-Site Scripting (XSS)

Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1242
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.18
Patched Versions: Premium Addons for Elementor 4.10.19

Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.19 or greater.


Broken Link Checker – Cross-Site Scripting (XSS)

Security Risk: Low
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Admin level authentication.
CVE: CVE-2024-25592
Number of Installations: 600,000+
Affected Software: Broken Link Checker <= 2.2.3
Patched Versions: Broken Link Checker 2.2.4

Mitigation steps: Update to Broken Link Checker plugin version 2.2.4 or greater.


Ocean Extra – Cross-Site Scripting (XSS)

Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1277
Number of Installations: 700,000+
Affected Software: Ocean Extra <= 2.2.4
Patched Versions: Ocean Extra 2.2.5

Mitigation steps: Update to Ocean Extra plugin version 2.2.5 or greater.


WP Shortcodes Plugin — Shortcodes Ultimate – Cross-Site Scripting (XSS)

Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1510
Number of Installations: 600,000+
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.2
Patched Versions: WP Shortcodes Plugin — Shortcodes Ultimate 7.0.3

Mitigation steps: Update to WP Shortcodes Plugin — Shortcodes Ultimate version 7.0.3 or greater.


SiteOrigin Widgets Bundle – Cross-Site Scripting (XSS)

Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-1070
Number of Installations: 600,000+
Affected Software: SiteOrigin Widgets Bundle <= 1.58.3
Patched Versions: SiteOrigin Widgets Bundle 1.58.4

Mitigation steps: Update to SiteOrigin Widgets Bundle version 1.58.4 or greater.


Happy Addons for Elementor – Cross-Site Scripting (XSS)

Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-0438
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.10.1
Patched Versions: Happy Addons for Elementor 3.10.2

Mitigation steps: Update to Happy Addons for Elementor version 3.10.2 or greater.


Password Protected Ultimate Plugin – Cross-Site Scripting (XSS)

Security Risk: Low
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Admin level authentication.
CVE: CVE-2024-0656
Number of Installations: 400,000+
Affected Software: Password Protected <= 2.6.6
Patched Versions: Password Protected 2.6.7

Mitigation steps: Update to Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease version 2.6.7 or greater.


Royal Elementor Addons and Templates – Cross-Site Scripting (XSS)

Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-0442
Number of Installations: 300,000+
Affected Software: Royal Elementor Addons and Templates <= 1.3.87
Patched Versions: Royal Elementor Addons and Templates 1.3.88

Mitigation steps: Update to Royal Elementor Addons and Templates version 1.3.88 or greater.


Backuply – Backup, Restore, Migrate and Clone – Denial of Service

Security Risk: High
Vulnerability: Denial of Service
Exploitation Level: No authentication required.
CVE: CVE-2024-0842
Number of Installations: 200,000+
Affected Software: Backuply – Backup, Restore, Migrate and Clone <= 1.2.6
Patched Versions: Backuply – Backup, Restore, Migrate and Clone 1.2.7

Mitigation steps: Update to Backuply – Backup, Restore, Migrate and Clone version 1.2.7 or greater.


InfiniteWP Client – Sensitive Information Exposure

Security Risk: Low
Vulnerability: Sensitive Information Exposure
Exploitation Level: No authentication required.
CVE: CVE-2023-6565
Number of Installations: 200,000+
Affected Software: InfiniteWP Client <= 1.12.3
Patched Versions: InfiniteWP Client 1.12.3.1

Mitigation steps: Update to InfiniteWP Client version 1.12.3.1 or greater.


ProfilePress – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1409
Number of Installations: 200,000+
Affected Software: Paid Membership Plugin ProfilePress <= 4.15.0
Patched Versions: Paid Membership Plugin ProfilePress 4.15.1

Mitigation steps: Update to ProfilePress plugin version 4.15.1 or greater.


User Feedback – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-0903
Number of Installations: 200,000+
Affected Software: User Feedback <= 1.0.13
Patched Versions: User Feedback 1.0.14

Mitigation steps: Update to User Feedback plugin version 1.0.14 or greater.


Page Builder: Pagelayer – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1590
Number of Installations: 200,000+
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.2
Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 1.8.3

Mitigation steps: Update to Page Builder: Pagelayer plugin version 1.8.3 or greater.


PowerPack Addons for Elementor – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1411
Number of Installations: 100,000+
Affected Software: PowerPack Addons for Elementor <= 2.7.15
Patched Versions: PowerPack Addons for Elementor 2.7.16

Mitigation steps: Update to PowerPack Addons for Elementor plugin version 2.7.16 or greater.


Elementor Addon Elements – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1392
Number of Installations: 100,000+
Affected Software: Elementor Addon Elements <= 1.12.12
Patched Versions: Elementor Addon Elements 1.12.13

Mitigation steps: Update to Elementor Addon Elements plugin version 1.12.13 or greater.


Elementor Addon Elements – Directory Traversal to Local File Inclusion

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Directory Traversal
CVE: CVE-2024-1358
Number of Installations: 100,000+
Affected Software: Elementor Addon Elements <= 1.12.12
Patched Versions: Elementor Addon Elements 1.13

Mitigation steps: Update to Elementor Addon Elements version 1.13 or greater.


PDF Flipbook, 3D Flipbook – DearFlip – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-0895
Number of Installations: 100,000+
Affected Software: PDF Flipbook, 3D Flipbook – DearFlip <= 2.2.26
Patched Versions: PDF Flipbook, 3D Flipbook – DearFlip 2.2.27

Mitigation steps: Update to PDF Flipbook, 3D Flipbook – DearFlip plugin version 2.2.27 or newer.


Insert PHP Code Snippet – Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Admin level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-0658
Number of Installations: 100,000+
Affected Software: Insert PHP Code Snippet <= 1.3.4
Patched Versions: Insert PHP Code Snippet 1.3.5

Mitigation steps: Update to Insert PHP Code Snippet plugin version 1.3.5 or newer.


Best WordPress Gallery Plugin – FooGallery – Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-0604
Number of Installations: 100,000+
Affected Software: Best WordPress Gallery Plugin – FooGallery <= 2.4.7
Patched Versions: Best WordPress Gallery Plugin – FooGallery 2.4.9

Mitigation steps: Update to Best WordPress Gallery Plugin – FooGallery version 2.4.9 or newer.


YARPP – Yet Another Related Posts Plugin – Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-0602
Number of Installations: 100,000+
Affected Software: YARPP – Yet Another Related Posts Plugin <= 5.30.9
Patched Versions: YARPP – Yet Another Related Posts Plugin 5.30.10

Mitigation steps: Update to YARPP – Yet Another Related Posts Plugin version 5.30.10 or newer.


Sassy Social Share – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1448
Number of Installations: 100,000+
Affected Software: Social Sharing Plugin – Sassy Social Share <= 3.3.56
Patched Versions: Social Sharing Plugin – Sassy Social Share 3.3.57

Mitigation steps: Update to Social Sharing Plugin – Sassy Social Share version 3.3.57 or newer.


Beaver Builder – Cross-Site Scripting (XSS)

Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Requires Contributor or higher level authentication.
CVE: CVE-2024-0897
Number of Installations: 100,000+
Affected Software: Beaver Builder – WordPress Page Builder <= 2.7.4.2
Patched Versions: Beaver Builder – WordPress Page Builder 2.7.4.3

Mitigation steps: Update to Beaver Builder – WordPress Page Builder version 2.7.4.3 or newer.


Schema & Structured Data for WP & AMP – Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Admin or custom level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1586
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP <= 1.26
Patched Versions: Schema & Structured Data for WP & AMP 1.27

Mitigation steps: Update to Schema & Structured Data for WP & AMP version 1.27 or newer.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.


Source: https://blog.sucuri.net/2024/02/wordpress-vulnerability-patch-roundup-february-2024.html