WordPress Vulnerability & Patch Roundup March 2024
2024-3-26 01:29:29 Author: blog.sucuri.net

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


Contact Form 7 – Reflected Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Reflected Cross-Site Scripting
CVE: CVE-2024-2242
Number of Installations: 5,000,000+
Affected Software: Contact Form 7 <= 5.9
Patched Versions: Contact Form 7 5.9.2

Mitigation steps: Update to Contact Form 7 plugin version 5.9.2 or greater.


Essential Addons for Elementor – Stored Cross-Site Scripting

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1537
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.9
Patched Versions: Essential Addons for Elementor 5.9.10

Mitigation steps: Update to Essential Addons for Elementor plugin version 5.9.10 or greater.


ElementsKit Elementor addons – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1239
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.0.4
Patched Versions: ElementsKit Elementor addons 3.0.5

Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.0.5 or greater.


Elementor Header & Footer Builder – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1237
Number of Installations: 1,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.24
Patched Versions: Elementor Header & Footer Builder 1.6.25

Mitigation steps: Update to Elementor Header & Footer Builder plugin version 1.6.25 or greater.


ElementsKit Elementor addons – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2042
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.0.5
Patched Versions: ElementsKit Elementor addons 3.0.6

Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.0.6 or greater.


Premium Addons for Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-0326
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.17
Patched Versions: Premium Addons for Elementor 4.10.18

Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.18 or greater.


WP Statistics – Stored Cross-Site Scripting

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2194
Number of Installations: 600,000+
Affected Software: WP Statistics <= 14.5
Patched Versions: WP Statistics 14.5.1

Mitigation steps: Update to WP Statistics plugin version 14.5.1 or greater.


Happy Addons for Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1366
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.10.3
Patched Versions: Happy Addons for Elementor 3.10.4

Mitigation steps: Update to Happy Addons for Elementor plugin version 3.10.4 or greater.


Fluent Forms – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6957
Number of Installations: 400,000+
Affected Software: Fluent Forms <= 5.1.9
Patched Versions: Fluent Forms 5.1.10

Mitigation steps: Update to Fluent Forms plugin version 5.1.10 or greater.


WP Go Maps – Stored Cross-Site Scripting

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-4839
Number of Installations: 400,000+
Affected Software: WP Go Maps <= 9.0.32
Patched Versions: WP Go Maps 9.0.33

Mitigation steps: Update to WP Go Maps plugin version 9.0.33 or greater.


Royal Elementor Addons and Templates – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1500
Number of Installations: 300,000+
Affected Software: Royal Elementor Addons and Templates <= 1.3.91
Patched Versions: Royal Elementor Addons and Templates 1.3.92

Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.3.92 or greater.


Otter Blocks – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2226
Number of Installations: 300,000+
Affected Software: Otter Blocks <= 2.6.4
Patched Versions: Otter Blocks 2.6.5

Mitigation steps: Update to Otter Blocks plugin version 2.6.5 or greater.


Page Builder: Pagelayer – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2127
Number of Installations: 200,000+
Affected Software: Page Builder: Pagelayer <= 1.8.3
Patched Versions: Page Builder: Pagelayer 1.8.4

Mitigation steps: Update to Page Builder: Pagelayer plugin version 1.8.4 or greater.


ProfilePress – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1535
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.15.2
Patched Versions: ProfilePress 4.15.3

Mitigation steps: Update to ProfilePress plugin version 4.15.3 or greater.


Blocksy Companion – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2392
Number of Installations: 200,000+
Affected Software: Blocksy Companion <= 2.0.31
Patched Versions: Blocksy Companion 2.0.32

Mitigation steps: Update to Blocksy Companion version 2.0.32 or greater.


Qi Addons For Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-0826
Number of Installations: 100,000+
Affected Software: Qi Addons For Elementor <= 1.6.7
Patched Versions: Qi Addons For Elementor 1.6.8

Mitigation steps: Update to Qi Addons For Elementor version 1.6.8 or greater.


Advanced Access Manager – Reflected Cross-Site Scripting

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-29127
Number of Installations: 100,000+
Affected Software: Advanced Access Manager <= 6.9.20
Patched Versions: Advanced Access Manager 6.9.21

Mitigation steps: Update to Advanced Access Manager version 6.9.21 or greater.


GiveWP – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1424
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.5.1
Patched Versions: GiveWP 3.6.0

Mitigation steps: Update to GiveWP version 3.6.0 or greater.


Essential Blocks – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2255
Number of Installations: 100,000+
Affected Software: Essential Blocks <= 4.5.2
Patched Versions: Essential Blocks 4.5.4

Mitigation steps: Update to Essential Blocks version 4.5.4 or greater.


WP Chat App – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1761
Number of Installations: 100,000+
Affected Software: WP Chat App <= 3.6.1
Patched Versions: WP Chat App 3.6.2

Mitigation steps: Update to WP Chat App plugin version 3.6.2 or greater.


Prime Slider – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1506
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.13.1
Patched Versions: Prime Slider 3.13.2

Mitigation steps: Update to Prime Slider plugin version 3.13.2 or greater.


Sassy Social Share – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1989
Number of Installations: 100,000+
Affected Software: Sassy Social Share <= 3.3.58
Patched Versions: Sassy Social Share 3.3.59

Mitigation steps: Update to Sassy Social Share plugin version 3.3.59 or greater.


The Plus Addons for Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1419
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.4.0
Patched Versions: The Plus Addons for Elementor 5.4.1

Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.4.1 or greater.


Prime Slider – Addons For Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1507
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.13.3
Patched Versions: Prime Slider 3.13.4

Mitigation steps: Update to Prime Slider plugin version 3.13.4 or greater.


ShopLentor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1960
Number of Installations: 100,000+
Affected Software: ShopLentor <= 2.8.1
Patched Versions: ShopLentor 2.8.2

Mitigation steps: Update to ShopLentor plugin version 2.8.2 or greater.


HUSKY – Products Filter for WooCommerce – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1796
Number of Installations: 100,000+
Affected Software: HUSKY <= 1.3.5.1
Patched Versions: HUSKY 1.3.5.2

Mitigation steps: Update to HUSKY plugin version 1.3.5.2 or greater.


Prime Slider – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1508
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.13.2
Patched Versions: Prime Slider 3.13.3

Mitigation steps: Update to Prime Slider plugin version 3.13.3 or greater.


HT Mega – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1397
Number of Installations: 100,000+
Affected Software: HT Mega <= 2.4.6
Patched Versions: HT Mega 2.4.7

Mitigation steps: Update to HT Mega plugin version 2.4.7 or greater.


Beaver Builder – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1080
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.7.4.4
Patched Versions: Beaver Builder 2.7.4.5

Mitigation steps: Update to Beaver Builder plugin version 2.7.4.5 or greater.


Permalink Manager Lite and Pro – Reflected Cross-Site Scripting

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2738
Number of Installations: 80,000+
Affected Software: Permalink Manager Lite and Pro <= 2.4.3.1
Patched Versions: Permalink Manager Lite and Pro 2.4.3.2

Mitigation steps: Update to Permalink Manager version 2.4.3.2 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.
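A practical way to act on a roundup like this is to compare the versions actually installed on a site against the "Affected Software" and "Patched Versions" lines above. The script below is an added example, not code from the Sucuri post: it takes the JSON that `wp plugin list --format=json` prints and reports every plugin still at or below a listed affected version, which version to move to, and whether the issue is exploitable without logging in. The wordpress.org plugin slugs in the advisory table are assumptions made for this example (the post lists display names only), the table covers only a subset of the entries, and the sample plugin list is constructed. Two details matter in practice and are handled here: dotted versions with four components ("2.7.4.4") must be compared numerically, not as strings, and plugins that appear more than once in the roundup (ElementsKit, Prime Slider) need the highest patched version, not the first one.

```python
"""Audit installed WordPress plugins against the advisories in this roundup.

Added example, not code from the Sucuri post. Input is the JSON that
`wp plugin list --format=json` prints (the sample below is constructed).
Plugin directory slugs are assumptions made for this example; the post gives
display names only, so verify them against your own `wp plugin list` output.
"""
import json
import re
import sys
from dataclasses import dataclass

# (slug, CVE, last affected version, patched version, authentication required),
# transcribed from the entries above; a subset, extend it as needed.
ADVISORIES = [
    ("contact-form-7", "CVE-2024-2242", "5.9", "5.9.2", False),
    ("essential-addons-for-elementor-lite", "CVE-2024-1537", "5.9.9", "5.9.10", True),
    ("elementskit-lite", "CVE-2024-1239", "3.0.4", "3.0.5", True),
    ("elementskit-lite", "CVE-2024-2042", "3.0.5", "3.0.6", True),
    ("wp-statistics", "CVE-2024-2194", "14.5", "14.5.1", False),
    ("bdthemes-prime-slider-lite", "CVE-2024-1506", "3.13.1", "3.13.2", True),
    ("bdthemes-prime-slider-lite", "CVE-2024-1507", "3.13.3", "3.13.4", True),
    ("woocommerce-products-filter", "CVE-2024-1796", "1.3.5.1", "1.3.5.2", True),
    ("bdthemes-prime-slider-lite", "CVE-2024-1508", "3.13.2", "3.13.3", True),
    ("beaver-builder-lite-version", "CVE-2024-1080", "2.7.4.4", "2.7.4.5", True),
    ("permalink-manager", "CVE-2024-2738", "2.4.3.1", "2.4.3.2", False),
]

# Constructed stand-in for `wp plugin list --format=json` output.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.9"},
    {"name": "bdthemes-prime-slider-lite", "status": "active", "update": "available", "version": "3.13.2"},
    {"name": "wp-statistics", "status": "active", "update": "none", "version": "14.5.1"},
    {"name": "beaver-builder-lite-version", "status": "inactive", "update": "available", "version": "2.7.4.4"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3.1"},
])


def version_key(version: str) -> tuple:
    """Leading dotted-numeric part of a version: "2.7.4.4" -> (2, 7, 4, 4).
    A suffix such as "-beta1" is dropped, so a pre-release of the patched
    version counts as patched; an unparsable string becomes () and compares
    as 0, i.e. it is reported as affected rather than silently skipped."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    return tuple(int(p) for p in match.group(0).split(".")) if match else ()


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1. Missing trailing components count as zero, so "14.5" and
    "14.5.0" are equal, matching how the advisories write "<= 14.5"."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def required_version(slug: str):
    """Highest patched version listed for a plugin. Plugins with several
    entries (ElementsKit, Prime Slider) need the last one, not the first."""
    patched = [p for s, _, _, p, _ in ADVISORIES if s == slug]
    return max(patched, key=version_key) if patched else None


@dataclass
class Finding:
    plugin: str
    installed: str
    cve: str
    update_to: str
    unauthenticated: bool


def load_wp_plugin_list(raw_json: str) -> dict:
    """Map slug -> installed version. Status is ignored on purpose: an
    inactive plugin is still vulnerable code on disk and should be updated."""
    return {p["name"]: p["version"] for p in json.loads(raw_json)}


def audit(installed: dict) -> list:
    """Findings for every advisory whose plugin is installed at or below the
    last affected version, unauthenticated issues first."""
    findings = []
    for slug, cve, last_affected, _patched, needs_auth in ADVISORIES:
        version = installed.get(slug)
        if version is not None and compare_versions(version, last_affected) <= 0:
            findings.append(Finding(slug, version, cve, required_version(slug), not needs_auth))
    return sorted(findings, key=lambda f: (not f.unauthenticated, f.plugin, f.cve))


if __name__ == "__main__":
    # Usage: wp plugin list --format=json > plugins.json && python audit.py plugins.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WP_PLUGIN_LIST
    for f in audit(load_wp_plugin_list(raw)):
        tag = "UNAUTHENTICATED" if f.unauthenticated else "authenticated"
        print(f"{f.plugin} {f.installed}: {f.cve} ({tag}) -> update to {f.update_to}")
```

Run without arguments it audits the constructed sample and reports Contact Form 7 first (no authentication needed), then the two Prime Slider entries that still apply to 3.13.2 with 3.13.4 as the target, then Beaver Builder; WP Statistics at 14.5.1 is correctly left alone. Sorting unauthenticated findings to the top is deliberate: those are the ones automated attacks reach first, so they set the order for emergency updates or virtual patching.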


Source: https://blog.sucuri.net/2024/03/wordpress-vulnerability-patch-roundup-march-2024.html