WordPress Vulnerability & Patch Roundup June 2024
2024-6-29 04:53:47 Author: blog.sucuri.net(查看原文) 阅读量:8 收藏

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


WordPress 6.5.5 Security & Maintenance Release

A new security update for WordPress has been released which features 3 bug fixes in WordPress 6.5.5, including two cross-site scripting (XSS) vulnerabilities and one path traversal issue.

We strongly encourage you to always keep your CMS patched with the latest core updates to mitigate risk and protect your WordPress website.


WooCommerce – Cross Site Scripting (XSS)

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
Number of Installations: 7,000,000+
Affected Software: WooCommerce <= 8.9.2
Patched Versions: WooCommerce 8.9.3

Mitigation steps: Update to WooCommerce plugin version 8.9.3 or greater.


Essential Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5189
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.23
Patched Versions: Essential Addons for Elementor 5.9.24

Mitigation steps: Update to Essential Addons for Elementor plugin version 5.9.24 or greater.


Elementor Header & Footer Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5757
Number of Installations: 2,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.35
Patched Versions: Elementor Header & Footer Builder 1.6.36

Mitigation steps: Update to Elementor Header & Footer Builder plugin version 1.6.36 or greater.


WPS Hide Login – Bypass Vulnerability

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2024-2473
Number of Installations: 1,000,000+
Affected Software: WPS Hide Login <= 1.9.15
Patched Versions: WPS Hide Login 1.9.16

Mitigation steps: Update to WPS Hide Login plugin version 1.9.16 or greater.


Smush Image Optimization – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-3352
Number of Installations: 1,000,000+
Affected Software: Smush Image Optimization <= 3.16.4
Patched Versions: Smush Image Optimization 3.16.5

Mitigation steps: Update to Smush Image Optimization plugin version 3.16.5 or greater.


Solid Security – Denial of Service Attack

Security Risk: MediumLow
Exploitation Level: No authentication required.
Vulnerability: Denial of Service Attack
CVE: CVE-2022-44593
Number of Installations: 900,000+
Affected Software: Solid Security <= 9.3.1
Patched Versions: Solid Security 9.3.2

Mitigation steps: Update to Solid Security plugin version 9.3.2 or greater.


Premium Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5553
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.33
Patched Versions: Premium Addons for Elementor 4.10.34

Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.34 or greater.


Ocean Extra – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5531
Number of Installations: 600,000+
Affected Software: Ocean Extra <= 2.2.8
Patched Versions: Ocean Extra 2.2.9

Mitigation steps: Update to Ocean Extra plugin version 2.2.9 or greater.


SiteOrigin Widgets Bundle – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5090
Number of Installations: 600,000+
Affected Software: SiteOrigin Widgets Bundle <= 1.61.0
Patched Versions: SiteOrigin Widgets Bundle 1.62.0

Mitigation steps: Update to SiteOrigin Widgets Bundle plugin version 1.62.0 or greater.


SiteGuard WP Plugin – Bypass Vulnerability

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2024-37881
Number of Installations: 500,000+
Affected Software: SiteGuard WP Plugin <= 1.7.6
Patched Versions: SiteGuard WP Plugin 1.7.7

Mitigation steps: Update to SiteGuard WP Plugin version 1.7.7 or greater.


Gutenberg Blocks with AI by Kadence WP – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4863
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.2.38
Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.2.39

Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.2.39 or greater.


SEOPress – On-site SEO – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-1168
Number of Installations: 300,000+
Affected Software: SEOPress <= 7.9.0
Patched Versions: SEOPress 7.9.1

Mitigation steps: Update to SEOPress plugin version 7.9.1 or greater.


MetForm – Sensitive Data Exposure

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-4266
Number of Installations: 300,000+
Affected Software: MetForm <= 3.8.8
Patched Versions: MetForm 3.8.9

Mitigation steps: Update to MetForm plugin version 3.8.9 or greater.


WP Go Maps (formerly WP Google Maps) – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5994
Number of Installations: 300,000+
Affected Software: WP Go Maps <= 9.0.38
Patched Versions: WP Go Maps 9.0.39

Mitigation steps: Update to WP Go Maps plugin version 9.0.39 or greater.


WordPress Funnel Builder by CartFlows – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4632
Number of Installations: 200,000+
Affected Software: WooCommerce Checkout & Funnel Builder by CartFlows <= 2.0.7
Patched Versions: WooCommerce Checkout & Funnel Builder by CartFlows 2.0.8

Mitigation steps: Update to WordPress Funnel Builder by CartFlows plugin version 2.0.8 or greater.


Orbit Fox by ThemeIsle – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-2484
Number of Installations: 200,000+
Affected Software: Orbit Fox by ThemeIsle <= 2.10.34
Patched Versions: Orbit Fox by ThemeIsle 2.10.35

Mitigation steps: Update to Orbit Fox by ThemeIsle plugin version 2.10.35 or greater.


Floating Chat Widget Chaty – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4149
Number of Installations: 200,000+
Affected Software: Floating Chat Widget– Chaty <= 3.2.2
Patched Versions: Floating Chat Widget Chaty 3.2.3

Mitigation steps: Update to Floating Chat Widget Chaty plugin version 3.2.3 or greater.


Jeg Elementor Kit – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4479
Number of Installations: 200,000+
Affected Software: Jeg Elementor Kit <= 2.6.5
Patched Versions: Jeg Elementor Kit 2.6.6

Mitigation steps: Update to Jeg Elementor Kit plugin version 2.6.6 or greater.


Popup Builder – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-6696, CVE-2024-2544
Number of Installations: 200,000+
Affected Software: Popup Builder <= 4.3.1
Patched Versions: Popup Builder 4.3.2

Mitigation steps: Update to Popup Builder plugin version 4.3.2 or greater.


Download Manager – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-1766
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.2.86
Patched Versions: Download Manager 3.2.87

Mitigation steps: Update to Download Manager plugin version 3.2.90 or greater.


FooGallery – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-2122
Number of Installations: 100,000+
Affected Software: FooGallery <= 2.4.15
Patched Versions: FooGallery 2.4.16

Mitigation steps: Update to FooGallery plugin version 2.4.16 or greater.


PowerPack Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5787
Number of Installations: 100,000+
Affected Software: PowerPack Addons for Elementor <= 2.7.20
Patched Versions: PowerPack Addons for Elementor 2.7.21

Mitigation steps: Update to PowerPack Addons for Elementor plugin version 2.7.21 or greater.


Sassy Social Plugin – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4924
Number of Installations: 100,000+
Affected Software: Sassy Social Share <= 3.3.62
Patched Versions: Sassy Social Share 3.3.63

Mitigation steps: Update to Sassy Social Share plugin version 3.3.63 or greater.


Search & Replace – SQL Injection

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-4145
Number of Installations: 100,000+
Affected Software: Search & Replace <= 3.2.1
Patched Versions: Search & Replace 3.2.2

Mitigation steps: Update to Search & Replace plugin version 3.2.2 or greater.


ShopLentor – All in One Solution (formerly WooLentor) – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5530
Number of Installations: 100,000+
Affected Software: ShopLentor <= 2.9.0
Patched Versions: ShopLentor 2.9.1

Mitigation steps: Update to ShopLentor plugin version 2.9.1 or greater.


Email Subscribers by Icegram Express – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-37252
Number of Installations: 90,000+
Affected Software: Email Subscribers by Icegram Express <= 5.7.25
Patched Versions: Email Subscribers by Icegram Express 5.7.26

Mitigation steps: Update to Email Subscribers by Icegram Express plugin version 5.7.26 or greater.


Events Manager – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-3492
Number of Installations: 90,000+
Affected Software: Events Manager – Calendar, Bookings, Tickets, and more! <= 6.4.7
Patched Versions: Events Manager – Calendar, Bookings, Tickets, and more! 6.4.8

Mitigation steps: Update to Events Manager – Calendar, Bookings, Tickets, and more! plugin version 6.4.8 or greater.


Defender Security – Malware Scanner, Login Security & Firewall – Broken Authentication

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2022-44581
Number of Installations: 90,000+
Affected Software: Defender Security <= 3.3.2
Patched Versions: Defender Security 3.3.3

Mitigation steps: Update to Defender Security plugin version 3.3.3 or greater.


Slider & Popup Builder by Depicter – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-4390
Number of Installations: 90,000+
Affected Software: Slider & Popup Builder by Depicter <= 3.0.9
Patched Versions: Slider & Popup Builder by Depicter 3.1.0

Mitigation steps: Update to Slider & Popup Builder by Depicter plugin version 3.1.0 or greater.


Email Subscribers by Icegram Express – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-37252
Number of Installations: 90,000+
Affected Software: Email Subscribers by Icegram Express <= 5.7.23
Patched Versions: Email Subscribers by Icegram Express 5.7.24

Mitigation steps: Update to Email Subscribers by Icegram Express plugin version 5.7.24 or greater.


Bookly – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5584
Number of Installations: 70,000+
Affected Software: WordPress Online Booking and Scheduling Plugin – Bookly <= 23.2
Patched Versions: WordPress Online Booking and Scheduling Plugin – Bookly 23.3

Mitigation steps: Update to WordPress Online Booking and Scheduling Plugin – Bookly plugin version 23.3 or greater.


Woody code snippets – Remote Code Execution (RCE)

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-3105
Number of Installations: 70,000+
Affected Software: Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.5.0
Patched Versions: Woody code snippets – Insert Header Footer Code, AdSense Ads 2.5.1

Mitigation steps: Update to Woody code snippets – Insert Header Footer Code, AdSense Ads plugin version 2.5.1 or greater.


Blog2Social: Social Media Auto Post & Scheduler – SQL Injection

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-3549
Number of Installations: 60,000+
Affected Software: Blog2Social: Social Media Auto Post & Scheduler <= 7.4.1
Patched Versions: Blog2Social: Social Media Auto Post & Scheduler 7.4.2

Mitigation steps: Update to Blog2Social: Social Media Auto Post & Scheduler plugin version 7.4.2 or greater.

Media Library Assistant – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-5605
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.16
Patched Versions: Media Library Assistant 3.17

Mitigation steps: Update to Media Library Assistant plugin version 3.17 or greater.


User Profile Picture – Broken Access Control

Security Risk: Low
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-5639
Number of Installations: 60,000+
Affected Software: User Profile Picture <= 2.6.1
Patched Versions: User Profile Picture 2.6.2

Mitigation steps: Update to User Profile Picture plugin version 2.6.2 or greater.


WP 2FA – Two-factor authentication for WordPress – Sensitive Data Exposure

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2022-44587
Number of Installations: 60,000+
Affected Software: WP 2FA <= 2.6.3
Patched Versions: WP 2FA 2.6.4

Mitigation steps: Update to WP 2FA plugin version 2.6.4 or greater.


ConvertKit – Broken Access Control

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-3961
Number of Installations: 50,000+
Affected Software: ConvertKit <= 2.4.9
Patched Versions: ConvertKit 2.4.9.1

Mitigation steps: Update to ConvertKit plugin version 2.4.9.1 or greater.


Sina Extension for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5036
Number of Installations: 50,000+
Affected Software: Sina Extension for Elementor <= 3.5.4
Patched Versions: Sina Extension for Elementor 3.5.5

Mitigation steps: Update to Sina Extension for Elementor plugin version 3.5.5 or greater.


Ultimate Blocks – WordPress Blocks Plugin – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-6692
Number of Installations: 50,000+
Affected Software: Ultimate Blocks <= 3.1.0
Patched Versions: Ultimate Blocks 3.1.1

Mitigation steps: Update to Ultimate Blocks plugin version 3.1.1 or greater.


WP Maintenance – Bypass Vulnerability

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2024-0789
Number of Installations: 50,000+
Affected Software: WP Maintenance <= 6.1.9.2
Patched Versions: WP Maintenance 6.1.9.3

Mitigation steps: Update to WP Maintenance plugin version 6.1.9.3 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.


文章来源: https://blog.sucuri.net/2024/06/wordpress-vulnerability-patch-roundup-june-2024.html
如有侵权请联系:admin#unsafe.sh