WordPress Vulnerability & Patch Roundup April 2024
2024-4-30 02:35:16 Author: blog.sucuri.net(查看原文) 阅读量:10 收藏

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


Essential Addons for Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3333
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.14
Patched Versions: Essential Addons for Elementor 5.9.15

Mitigation steps: Update to Essential Addons for Elementor plugin version 5.9.15 or greater.


ElementsKit Elementor addons – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2803
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.0.7
Patched Versions: ElementsKit Elementor addons 3.1.0

Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.1.0 or greater.


File Manager – Directory Traversal

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Directory Traversal
CVE: CVE-2024-2654
Number of Installations: 1,000,000+
Affected Software: File Manager <= 7.2.5
Patched Versions: File Manager 7.2.6

Mitigation steps: Update to File Manager plugin version 7.2.6 or greater.


Smart Slider 3 – Missing Authorization for File Upload

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Missing Authorization for File Upload
CVE: CVE-2024-3027
Number of Installations: 900,000+
Affected Software: Smart Slider 3 <= 3.5.1.22
Patched Versions: Smart Slider 3 3.5.1.23

Mitigation steps: Update to Smart Slider 3 plugin version 3.5.1.23 or greater.


Premium Addons for Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-0376
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.16
Patched Versions: Premium Addons for Elementor 4.10.17

Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.17 or greater.


Premium Addons for Elementor – DOM-Based Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: DOM-Based Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2666
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.24
Patched Versions: Premium Addons for Elementor 4.10.25

Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.25 or greater.


Ocean Extra – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3167
Number of Installations: 700,000+
Affected Software: Ocean Extra <= 2.2.6
Patched Versions: Ocean Extra 2.2.7

Mitigation steps: Update to Ocean Extra plugin version 2.2.7 or greater.


Premium Addons for Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2665
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.27
Patched Versions: Premium Addons for Elementor 4.10.28

Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.28 or greater.


Spectra – WordPress Gutenberg Blocks – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2023-6486
Number of Installations: 700,000+
Affected Software: Spectra – WordPress Gutenberg Blocks <= 2.10.3
Patched Versions: Spectra – WordPress Gutenberg Blocks 2.10.4

Mitigation steps: Update to Spectra – WordPress Gutenberg Blocks plugin version 2.10.4 or greater.


Slider, Gallery, and Carousel by MetaSlider – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3285
Number of Installations: 600,000+
Affected Software: Slider, Gallery, and Carousel by MetaSlider <= 3.70.0
Patched Versions: Slider, Gallery, and Carousel by MetaSlider 3.70.1

Mitigation steps: Update to Slider, Gallery, and Carousel by MetaSlider plugin version 3.70.1 or greater.


Forminator – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3053
Number of Installations: 500,000+
Affected Software: Forminator <= 1.29.2
Patched Versions: Forminator 1.29.3

Mitigation steps: Update to Forminator plugin version 1.29.3 or greater.


Happy Addons for Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2788
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.10.4
Patched Versions: Happy Addons for Elementor 3.10.5

Mitigation steps: Update to Happy Addons for Elementor plugin version 3.10.5 or greater.


Gutenberg Blocks by Kadence Blocks – DOM-Based Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: DOM-Based Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2919
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks by Kadence Blocks <= 3.2.31
Patched Versions: Gutenberg Blocks by Kadence Blocks 3.2.32

Mitigation steps: Update to Gutenberg Blocks by Kadence Blocks plugin version 3.2.32 or greater.


Gutenberg – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Unauthenticated + Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
Number of Installations: 300,000+
Affected Software: Gutenberg 12.9.0 - 18.0.0
Patched Versions: Gutenberg 18.01

Mitigation steps: Update to Gutenberg plugin version 18.01 or greater.


Otter Blocks – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3343
Number of Installations: 300,000+
Affected Software: Otter Blocks <= 2.6.8
Patched Versions: Otter Blocks 2.6.9

Mitigation steps: Update to Otter Blocks plugin version 2.6.9 or greater.


Paid Membership Plugin – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2867
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.15.5
Patched Versions: ProfilePress 4.15.6

Mitigation steps: Update to ProfilePress plugin version 4.15.5 or greater.


Ultimate Member – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2765
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.8.4
Patched Versions: Ultimate Member 2.8.5

Mitigation steps: Update to Ultimate Member plugin version 2.8.5 or greater.


Photo Gallery by 10Web – Stored Cross-Site Scripting

Security Risk: Low
Exploitation Level: Requires Admin or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2296
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.21
Patched Versions: Photo Gallery by 10Web 1.8.22

Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.22 or greater.


FileBird – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2345
Number of Installations: 200,000+
Affected Software: FileBird <= 5.6.3
Patched Versions: FileBird 5.6.4

Mitigation steps: Update to FileBird plugin version 5.6.4 or greater.


ShopLentor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2868
Number of Installations: 100,000+
Affected Software: ShopLentor <= 2.8.3
Patched Versions: ShopLentor 2.8.4

Mitigation steps: Update to ShopLentor plugin version 2.8.4 or greater.


Element Pack Elementor Addons – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-1428
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.5.3
Patched Versions: Element Pack Elementor Addons 5.5.4

Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.5.4 or greater.


GiveWP – Donation Plugin and Fundraising Platform – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-1957
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.6.1
Patched Versions: GiveWP 3.7.0

Mitigation steps: Update to GiveWP plugin version 3.7.0 or greater.


Essential Blocks for Gutenberg – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-31306
Number of Installations: 100,000+
Affected Software: Essential Blocks for Gutenberg <= 4.5.3
Patched Versions: Essential Blocks for Gutenberg 4.5.4

Mitigation steps: Update to Essential Blocks for Gutenberg plugin version 4.5.4 or greater.


Element Pack Elementor Addons – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-0837
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.3.2
Patched Versions: Element Pack Elementor Addons 5.3.3

Mitigation steps: Update to Element Pack Elementor Addons plugin version 5.3.3 or greater.


FooGallery – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2471
Number of Installations: 100,000+
Affected Software: FooGallery <= 2.4.14
Patched Versions: FooGallery 2.4.15

Mitigation steps: Update to FooGallery plugin version 2.4.15 or greater.


HT Mega – Absolute Addons For Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3308
Number of Installations: 100,000+
Affected Software: HT Mega – Absolute Addons For Elementor <= 2.4.9
Patched Versions: HT Mega – Absolute Addons For Elementor 2.5.0

Mitigation steps: Update to HT Mega – Absolute Addons For Elementor plugin version 2.5.0 or greater.


Icegram Express – Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2656
Number of Installations: 100,000+
Affected Software: Icegram Express <= 5.7.14
Patched Versions: Icegram Express 5.7.16

Mitigation steps: Update to Icegram Express plugin version 5.7.16 or greater.


Enhanced Media Library – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2840
Number of Installations: 90,000+
Affected Software: Enhanced Media Library <= 2.8.9
Patched Versions: Enhanced Media Library 2.8.10

Mitigation steps: Update to Enhanced Media Library plugin version 2.8.10 or greater.


EmbedPress – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-3244
Number of Installations: 90,000+
Affected Software: EmbedPress <= 3.9.14
Patched Versions: EmbedPress 3.9.15

Mitigation steps: Update to EmbedPress plugin version 3.9.15 or greater.


LearnPress – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires LP Instructor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-1463
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.6.3
Patched Versions: LearnPress 4.2.6.4

Mitigation steps: Update to LearnPress plugin version 4.2.6.4 or greater.


Email Subscribes by Icegram Express – SQL Injection

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-2876
Number of Installations: 90,000+
Affected Software: Icegram Express <= 5.7.14
Patched Versions: Icegram Express 5.7.15

Mitigation steps: Update to Email Subscribers by Icegram Express plugin version 5.7.15 or greater.


Sydney Toolbox – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3208
Number of Installations: 80,000+
Affected Software: Sydney Toolbox <= 1.28
Patched Versions: Sydney Toolbox 1.29

Mitigation steps: Update to Sydney Toolbox plugin version 1.29 or greater.


User Registration – Privilege Escalation

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-2417
Number of Installations: 70,000+
Affected Software: User Registration <= 3.1.5
Patched Versions: User Registration 3.2.0

Mitigation steps: Update to User Registration plugin version 3.2.0 or greater.


WordPress Tag and Category Manager – AI Autotagger – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2830
Number of Installations: 60,000+
Affected Software: WordPress Tag and Category Manager <= 3.13.0
Patched Versions: WordPress Tag and Category Manager 3.20.0

Mitigation steps: Update to WordPress Tag and Category Manager plugin version 3.20.0 or greater.


WPC Smart Quick View for WooCommerce – Stored Cross-Site Scripting

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2023-6494
Number of Installations: 60,000+
Affected Software: WPC Smart Quick View for WooCommerce <= 4.0.2
Patched Versions: WPC Smart Quick View for WooCommerce 4.0.3

Mitigation steps: Update to WPC Smart Quick View for WooCommerce plugin version 4.0.3 or greater.


Elementor Addons by Livemesh – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2539
Number of Installations: 60,000+
Affected Software: Elementor Addons by Livemesh <= 8.3.6
Patched Versions: Elementor Addons by Livemesh 8.3.7

Mitigation steps: Update to Elementor Addons by Livemesh plugin version 8.3.7 or greater.


Carousel, Slider, Gallery by WP Carousel – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2949
Number of Installations: 60,000+
Affected Software: WP Carousel <= 2.6.3
Patched Versions: WP Carousel 2.6.4

Mitigation steps: Update to WP Carousel plugin version 2.6.4 or greater.


Exclusive Addons for Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-2503
Number of Installations: 60,000+
Affected Software: Exclusive Addons for Elementor <= 2.6.9.2
Patched Versions: Exclusive Addons for Elementor 2.6.9.3

Mitigation steps: Update to Exclusive Addons for Elementor plugin version 2.6.9.3 or greater.


Bold Page Builder – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3266
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 4.8.8
Patched Versions: Bold Page Builder 4.8.9

Mitigation steps: Update to Bold Page Builder plugin version 4.8.9 or greater.


FancyBox for WordPress – Stored Cross-Site Scripting

Security Risk: Low
Exploitation Level: Requires Admin or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-0662
Number of Installations: 50,000+
Affected Software: FancyBox for WordPress 3.0.2 - 3.3.3
Patched Versions: FancyBox for WordPress 3.3.4

Mitigation steps: Update to FancyBox for WordPress plugin version 3.3.4 or greater.


RSS Aggregator by Feedzy – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2023-6877
Number of Installations: 50,000+
Affected Software: RSS Aggregator by Feedzy <= 4.3.3
Patched Versions: RSS Aggregator by Feedzy 4.3.4

Mitigation steps: Update to RSS Aggregator by Feedzy plugin version 4.3.4 or greater.


Piotnet Addons For Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-29934
Number of Installations: 40,000+
Affected Software: Piotnet Addons For Elementor <= 2.4.25
Patched Versions: Piotnet Addons For Elementor 2.4.26

Mitigation steps: Update to Piotnet Addons For Elementor plugin version 2.4.26 or greater.


Carousel Slider – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting (XSS)
CVE: CVE-2024-3703
Number of Installations: 40,000+
Affected Software: Carousel Slider <= 2.2.9
Patched Versions: Carousel Slider 2.2.10

Mitigation steps: Update to Carousel Slider plugin version 2.2.10 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.


文章来源: https://blog.sucuri.net/2024/04/wordpress-vulnerability-patch-roundup-april-2024.html
如有侵权请联系:admin#unsafe.sh