WordPress Vulnerability & Patch Roundup October 2024

[Sucuri Malware Research Team](https://blog.sucuri.net/author/malware-research), November 1, 2024

![Sucuri October 2024 Vulnerability Roundup](https://blog.sucuri.net/wp-content/uploads/2024/11/October-2024.jpg)

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks that target known software vulnerabilities are one of the leading causes of website compromise.

To help website owners understand the threats to their environments, we have compiled a list of important security updates and vulnerability patches released for the WordPress ecosystem this past month.

For each entry, "Affected Software" names the last vulnerable version, so every release up to and including it is affected, and "Exploitation Level" gives the lowest WordPress role an attacker needs. Entries marked "No authentication required" with a High or Critical security risk can be reached by any visitor and should be patched first.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall, and existing clients are protected. If you don't have it installed yet, you can use our [web application firewall](https://sucuri.net/website-firewall/) to protect your site against known vulnerabilities.

***

WordPress Core Updates
----------------------

Testing is now open for [WordPress 6.7 Beta 3](https://wordpress.org/news/2024/10/wordpress-6-7-beta-3/)! This is a development build, so avoid installing it on production or mission-critical websites.
Testing should be performed in a separate test environment.

***

Rank Math SEO — AI SEO Tools to Dominate SEO Rankings — Broken Access Control
------------------------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-9161
Number of Installations: 3,000,000+
Affected Software: Rank Math SEO <= 1.0.228
Patched Versions: Rank Math SEO 1.0.229
```

**Mitigation steps:** Update to Rank Math SEO version 1.0.229 or later.

***

Rank Math SEO — AI SEO Tools to Dominate SEO Rankings — PHP Object Injection
-----------------------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2024-9314
Number of Installations: 3,000,000+
Affected Software: Rank Math SEO <= 1.0.228
Patched Versions: Rank Math SEO 1.0.229
```

**Mitigation steps:** Update to Rank Math SEO version 1.0.229 or later.

***

Advanced Custom Fields (ACF) — Arbitrary Code Execution
--------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-9529
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF) <= 6.3.6
Patched Versions: Advanced Custom Fields (ACF) 6.3.6.1
```

**Mitigation steps:** Update to Advanced Custom Fields (ACF) version 6.3.6.1 or later.

***

Advanced Custom Fields (ACF) — Broken Access Control
-----------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2021-20866, CVE-2021-20865, CVE-2021-20867
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF) <= 5.10
Patched Versions: Advanced Custom Fields (ACF) 5.11
```

**Mitigation steps:** Update to Advanced Custom Fields (ACF) version 5.11 or later.

***

Broken Link Checker — Cross Site Scripting (XSS)
-------------------------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8981
Number of Installations: 600,000+
Affected Software: Broken Link Checker <= 2.4.0
Patched Versions: Broken Link Checker 2.4.1
```

**Mitigation steps:** Update to Broken Link Checker version 2.4.1 or later.

***

Contact Form Plugin by Fluent Forms — Cross Site Scripting (XSS)
-----------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9528
Number of Installations: 500,000+
Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19
Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20
```

**Mitigation steps:** Update to Contact Form Plugin by Fluent Forms version 5.1.20 or later.

***

Royal Elementor Addons and Templates — Cross Site Scripting (XSS)
------------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8482
Number of Installations: 400,000+
Affected Software: Royal Elementor Addons and Templates <= 1.3.986
Patched Versions: Royal Elementor Addons and Templates 1.3.987
```

**Mitigation steps:** Update to Royal Elementor Addons and Templates version 1.3.987 or later.

***

Checkout Field Editor for WooCommerce — Cross Site Scripting (XSS)
-------------------------------------------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8499
Number of Installations: 400,000+
Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3
Patched Versions: Checkout Field Editor for WooCommerce 2.0.4
```

**Mitigation steps:** Update to Checkout Field Editor for WooCommerce version 2.0.4 or later.

***

SEOPress — On-site SEO — Cross Site Scripting (XSS)
-----------------------------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9225
Number of Installations: 300,000+
Affected Software: SEOPress – On-site SEO <= 8.1
Patched Versions: SEOPress – On-site SEO 8.2
```

**Mitigation steps:** Update to SEOPress — On-site SEO version 8.2 or later.

***

Ultimate Member — Cross Site Scripting (XSS)
---------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8519
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.8.6
Patched Versions: Ultimate Member 2.8.7
```

**Mitigation steps:** Update to Ultimate Member version 2.8.7 or later.

***

Smart Custom 404 Error Page — Cross Site Scripting (XSS)
---------------------------------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9204
Number of Installations: 100,000+
Affected Software: Smart Custom 404 Error Page <= 11.4.7
Patched Versions: Smart Custom 404 Error Page 11.4.8
```

**Mitigation steps:** Update to Smart Custom 404 Error Page version 11.4.8 or later.

***

Shortcodes and extra features for Phlox theme — Cross Site Scripting (XSS)
---------------------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8486
Number of Installations: 100,000+
Affected Software: Shortcodes and extra features for Phlox theme <= 2.16.3
Patched Versions: Shortcodes and extra features for Phlox theme 2.16.4
```

**Mitigation steps:** Update to Shortcodes and extra features for Phlox theme version 2.16.4 or later.

***

WooCommerce Multilingual & Multicurrency with WPML — Cross Site Scripting (XSS)
--------------------------------------------------------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8629
Number of Installations: 100,000+
Affected Software: WooCommerce Multilingual & Multicurrency with WPML <= 5.3.7
Patched Versions: WooCommerce Multilingual & Multicurrency with WPML 5.3.8
```

**Mitigation steps:** Update to WooCommerce Multilingual & Multicurrency with WPML version 5.3.8 or later.

***

Email Subscribers by Icegram Express — Broken Access Control
-------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-8254
Number of Installations: 80,000+
Affected Software: Email Subscribers by Icegram Express <= 5.7.34
Patched Versions: Email Subscribers by Icegram Express 5.7.35
```

**Mitigation steps:** Update to Email Subscribers by Icegram Express version 5.7.35 or later.

***

WordPress Infinite Scroll — Cross Site Scripting (XSS)
-------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8505
Number of Installations: 50,000+
Affected Software: WordPress Infinite Scroll <= 7.1.2
Patched Versions: WordPress Infinite Scroll 7.1.3
```

**Mitigation steps:** Update to WordPress Infinite Scroll version 7.1.3 or later.

***

WP Booking Calendar — Cross Site Scripting (XSS)
-------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9306
Number of Installations: 50,000+
Affected Software: WP Booking Calendar <= 10.6.0
Patched Versions: WP Booking Calendar 10.6.1
```

**Mitigation steps:** Update to WP Booking Calendar version 10.6.1 or later.

***

Photo Gallery, Images, Slider in Rbs Image Gallery — Broken Access Control
---------------------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-8431
Number of Installations: 50,000+
Affected Software: Photo Gallery, Images, Slider in Rbs Image Gallery <= 3.2.21
Patched Versions: Photo Gallery, Images, Slider in Rbs Image Gallery 3.2.22
```

**Mitigation steps:** Update to Photo Gallery, Images, Slider in Rbs Image Gallery version 3.2.22 or later.

***

TI WooCommerce Wishlist — SQL Injection
----------------------------------------

```
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-9156
Number of Installations: 100,000+
Affected Software: TI WooCommerce Wishlist
Patched Versions: No Fix
```

**Mitigation steps:** No fix was available at the time of writing. Deactivate the plugin until a patched release is published, and delete it if you do not need it: WordPress stops loading a deactivated plugin's code, but its files remain on the server until the plugin is removed.

***

Elementor Website Builder — Sensitive Data Exposure
----------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-6757
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.24.5
Patched Versions: Elementor Website Builder 3.24.6
```

**Mitigation steps:** Update to Elementor Website Builder version 3.24.6 or later.

***

WooCommerce — Content Injection
--------------------------------

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2024-9944
Number of Installations: 7,000,000+
Affected Software: WooCommerce <= 9.0.9
Patched Versions: WooCommerce 9.1.0
```

**Mitigation steps:** Update to WooCommerce version 9.1.0 or later.

***

Jetpack — Broken Access Control
--------------------------------

```
Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-9926
Number of Installations: 4,000,000+
Affected Software: Jetpack <= 13.9.0
Patched Versions: Jetpack 13.9.1
```

**Mitigation steps:** Update to Jetpack version 13.9.1 or later.

***

Secure Custom Fields — Arbitrary Code Execution
------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-9529
Number of Installations: 2,000,000+
Affected Software: Secure Custom Fields <= 6.3.6
Patched Versions: Secure Custom Fields 6.3.6.1
```

**Mitigation steps:** Update to Secure Custom Fields version 6.3.6.1 or later.

***

TablePress — Cross Site Scripting (XSS)
----------------------------------------

```
Security Risk: Medium
Exploitation Level: Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9595
Number of Installations: 700,000+
Affected Software: TablePress <= 2.4.2
Patched Versions: TablePress 2.4.3
```

**Mitigation steps:** Update to TablePress version 2.4.3 or later.

***

Happy Addons for Elementor — Broken Access Control
---------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-48045
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.12.3
Patched Versions: Happy Addons for Elementor 3.12.4
```

**Mitigation steps:** Update to Happy Addons for Elementor version 3.12.4 or later.

***

Ad Inserter — Cross Site Scripting (XSS)
-----------------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-49248
Number of Installations: 300,000+
Affected Software: Ad Inserter <= 2.7.37
Patched Versions: Ad Inserter 2.7.38
```

**Mitigation steps:** Update to Ad Inserter version 2.7.38 or later.

***

ShortPixel Image Optimizer — Broken Access Control
---------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-48044
Number of Installations: 300,000+
Affected Software: ShortPixel Image Optimizer <= 5.6.3
Patched Versions: ShortPixel Image Optimizer 5.6.4
```

**Mitigation steps:** Update to ShortPixel Image Optimizer version 5.6.4 or later.

***

ShortPixel Image Optimizer — SQL Injection
-------------------------------------------

```
Security Risk: High
Exploitation Level: Editor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-48043
Number of Installations: 300,000+
Affected Software: ShortPixel Image Optimizer <= 5.6.3
Patched Versions: ShortPixel Image Optimizer 5.6.4
```

**Mitigation steps:** Update to ShortPixel Image Optimizer version 5.6.4 or later.

***

Photo Gallery by 10Web — Cross Site Scripting (XSS)
----------------------------------------------------

```
Security Risk: Low
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5968
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.27
Patched Versions: Photo Gallery by 10Web 1.8.28
```

**Mitigation steps:** Update to Photo Gallery by 10Web version 1.8.28 or later.

***

Elementor Addon Elements — Sensitive Data Exposure
---------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-8902
Number of Installations: 100,000+
Affected Software: Elementor Addon Elements <= 1.13.8
Patched Versions: Elementor Addon Elements 1.13.9
```

**Mitigation steps:** Update to Elementor Addon Elements version 1.13.9 or later.

***

Custom Twitter Feeds — Cross Site Scripting (XSS)
--------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8983
Number of Installations: 100,000+
Affected Software: Custom Twitter Feeds <= 2.2.2
Patched Versions: Custom Twitter Feeds 2.2.3
```

**Mitigation steps:** Update to Custom Twitter Feeds version 2.2.3 or later.

***

Relevanssi — Cross Site Scripting (XSS)
----------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9021
Number of Installations: 100,000+
Affected Software: Relevanssi <= 4.23.0
Patched Versions: Relevanssi 4.23.1
```

**Mitigation steps:** Update to Relevanssi version 4.23.1 or later.

***

Stackable — Broken Access Control
----------------------------------

```
Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-8760
Number of Installations: 100,000+
Affected Software: Stackable <= 3.13.6
Patched Versions: Stackable 3.13.7
```

**Mitigation steps:** Update to Stackable version 3.13.7 or later.

***

The Plus Addons for Elementor — Sensitive Data Exposure
--------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-8913
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.6.11
Patched Versions: The Plus Addons for Elementor 5.6.12
```

**Mitigation steps:** Update to The Plus Addons for Elementor version 5.6.12 or later.

***

ShopLentor — Sensitive Data Exposure
-------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-9538
Number of Installations: 100,000+
Affected Software: ShopLentor <= 2.9.8
Patched Versions: ShopLentor 2.9.9
```

**Mitigation steps:** Update to ShopLentor version 2.9.9 or later.

***

SlimStat Analytics — Cross Site Scripting (XSS)
------------------------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9548
Number of Installations: 90,000+
Affected Software: SlimStat Analytics <= 5.2.6
Patched Versions: SlimStat Analytics 5.2.7
```

**Mitigation steps:** Update to SlimStat Analytics version 5.2.7 or later.

***

All-in-One WP Migration and Backup — Sensitive Data Exposure
-------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-8852
Number of Installations: 5,000,000+
Affected Software: All-in-One WP Migration and Backup <= 7.86
Patched Versions: All-in-One WP Migration and Backup 7.87
```

**Mitigation steps:** Update to All-in-One WP Migration and Backup version 7.87 or later.

***

Simple Custom Post Order — Broken Access Control
-------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-49321
Number of Installations: 300,000+
Affected Software: Simple Custom Post Order <= 2.5.7
Patched Versions: Simple Custom Post Order 2.5.8
```

**Mitigation steps:** Update to Simple Custom Post Order version 2.5.8 or later.

***

GiveWP — Donation Plugin and Fundraising Platform — PHP Object Injection
--------------------------------------------------------------------------

```
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2024-9634
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 3.16.3
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 3.16.4
```

**Mitigation steps:** Update to GiveWP — Donation Plugin and Fundraising Platform version 3.16.4 or later.

***

Translate WordPress — Google Language Translator — Cross Site Scripting (XSS)
-------------------------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2021-4452
Number of Installations: 100,000+
Affected Software: Translate WordPress – Google Language Translator <= 6.0.9
Patched Versions: Translate WordPress – Google Language Translator 6.0.10
```

**Mitigation steps:** Update to Translate WordPress — Google Language Translator version 6.0.10 or later.

***

Discount Rules for WooCommerce — Cross Site Scripting (XSS)
------------------------------------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8541
Number of Installations: 100,000+
Affected Software: Discount Rules for WooCommerce <= 2.6.5
Patched Versions: Discount Rules for WooCommerce 2.6.6
```

**Mitigation steps:** Update to Discount Rules for WooCommerce version 2.6.6 or later.

***

WP-Members Membership Plugin — Cross Site Scripting (XSS)
----------------------------------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9231
Number of Installations: 60,000+
Affected Software: WP-Members Membership Plugin <= 3.4.9.5
Patched Versions: WP-Members Membership Plugin 3.4.9.6
```

**Mitigation steps:** Update to WP-Members Membership Plugin version 3.4.9.6 or later.

***

Calculated Fields Form — Content Injection
-------------------------------------------

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2024-9940
Number of Installations: 50,000+
Affected Software: Calculated Fields Form <= 5.2.45
Patched Versions: Calculated Fields Form 5.2.46
```

**Mitigation steps:** Update to Calculated Fields Form version 5.2.46 or later.

***

Sina Extension for Elementor — Sensitive Data Exposure
-------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-9540
Number of Installations: 50,000+
Affected Software: Sina Extension for Elementor <= 3.5.7
Patched Versions: Sina Extension for Elementor 3.5.8
```

**Mitigation steps:** Update to Sina Extension for Elementor version 3.5.8 or later.

***

Elementor Header & Footer Builder — Sensitive Data Exposure
------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-10050
Number of Installations: 2,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.43
Patched Versions: Elementor Header & Footer Builder 1.6.44
```

**Mitigation steps:** Update to Elementor Header & Footer Builder version 1.6.44 or later.

***

ElementsKit Elementor addons — Cross Site Scripting (XSS)
----------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10091
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.2.9
Patched Versions: ElementsKit Elementor addons 3.3.0
```

**Mitigation steps:** Update to ElementsKit Elementor addons version 3.3.0 or later.

***

Forminator Forms — Broken Access Control
-----------------------------------------

```
Security Risk: High
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10402
Number of Installations: 500,000+
Affected Software: Forminator Forms <= 1.35.9
Patched Versions: Forminator Forms 1.36.0
```

**Mitigation steps:** Update to Forminator Forms version 1.36.0 or later.

***

WP Shortcodes Plugin — Shortcodes Ultimate — Cross Site Scripting (XSS)
--------------------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8500
Number of Installations: 500,000+
Affected Software: WP Shortcodes Plugin – Shortcodes Ultimate <= 7.2.9
Patched Versions: WP Shortcodes Plugin – Shortcodes Ultimate 7.3.0
```

**Mitigation steps:** Update to WP Shortcodes Plugin — Shortcodes Ultimate version 7.3.0 or later.

***

Breeze — WordPress Cache Plugin — Broken Access Control
---------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-50422
Number of Installations: 300,000+
Affected Software: Breeze – WordPress Cache Plugin <= 2.1.14
Patched Versions: Breeze – WordPress Cache Plugin 2.1.15
```

**Mitigation steps:** Update to Breeze — WordPress Cache Plugin version 2.1.15 or later.

***

Templately — Elementor & Gutenberg Template Library — Broken Access Control
-----------------------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-50424
Number of Installations: 300,000+
Affected Software: Templately – Elementor & Gutenberg Template Library <= 3.1.5
Patched Versions: Templately – Elementor & Gutenberg Template Library 3.1.6
```

**Mitigation steps:** Update to Templately — Elementor & Gutenberg Template Library version 3.1.6 or later.

***

PDF Invoices & Packing Slips for WooCommerce — Broken Access Control
---------------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-50421
Number of Installations: 300,000+
Affected Software: PDF Invoices & Packing Slips for WooCommerce <= 3.8.6
Patched Versions: PDF Invoices & Packing Slips for WooCommerce 3.8.7
```

**Mitigation steps:** Update to PDF Invoices & Packing Slips for WooCommerce version 3.8.7 or later.

***

Qi Addons For Elementor — Sensitive Data Exposure
--------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-9530
Number of Installations: 200,000+
Affected Software: Qi Addons For Elementor <= 1.8.0
Patched Versions: Qi Addons For Elementor 1.8.1
```

**Mitigation steps:** Update to Qi Addons For Elementor version 1.8.1 or later.

***

Dear Flipbook — PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer — Cross Site Scripting (XSS)
-----------------------------------------------------------------------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8717
Number of Installations: 100,000+
Affected Software: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.3.41
Patched Versions: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer 2.3.42
```

**Mitigation steps:** Update to Dear Flipbook version 2.3.42 or later.

***

BuddyPress — Directory Traversal
---------------------------------

```
Security Risk: High
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Directory Traversal
CVE: CVE-2024-10011
Number of Installations: 100,000+
Affected Software: BuddyPress <= 14.2.0
Patched Versions: BuddyPress 14.2.1
```

**Mitigation steps:** Update to BuddyPress version 14.2.1 or later.

***

Download Monitor — Broken Access Control
-----------------------------------------

```
Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-10092
Number of Installations: 90,000+
Affected Software: Download Monitor <= 5.0.12
Patched Versions: Download Monitor 5.0.13
```

**Mitigation steps:** Update to Download Monitor version 5.0.13 or later.

***

Import and export users and customers — Cross Site Scripting (XSS)
-------------------------------------------------------------------

```
Security Risk: Low
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-50413
Number of Installations: 80,000+
Affected Software: Import and export users and customers <= 1.27.5
Patched Versions: Import and export users and customers 1.27.6
```

**Mitigation steps:** Update to Import and export users and customers version 1.27.6 or later.

***

Comments — wpDiscuz — Broken Authentication
---------------------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2024-9488
Number of Installations: 80,000+
Affected Software: Comments – wpDiscuz <= 7.6.24
Patched Versions: Comments – wpDiscuz 7.6.25
```

**Mitigation steps:** Update to Comments — wpDiscuz version 7.6.25 or later.

***

Call / Contact Button — Cross Site Scripting (XSS)
---------------------------------------------------

```
Security Risk: Low
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-50414
Number of Installations: 60,000+
Affected Software: Call / Contact Button <= 4.7.9.1
Patched Versions: Call / Contact Button 4.7.10
```

**Mitigation steps:** Update to Call / Contact Button version 4.7.10 or later.

***

Exclusive Addons for Elementor — Sensitive Data Exposure
---------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-10312
Number of Installations: 60,000+
Affected Software: Exclusive Addons for Elementor <= 2.7.4
Patched Versions: Exclusive Addons for Elementor 2.7.5
```

**Mitigation steps:** Update to Exclusive Addons for Elementor version 2.7.5 or later.

***

WP-Members Membership Plugin — Cross Site Scripting (XSS)
----------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10374
Number of Installations: 60,000+
Affected Software: WP-Members Membership Plugin <= 3.4.9.5
Patched Versions: WP-Members Membership Plugin 3.4.9.6
```

**Mitigation steps:** Update to WP-Members Membership Plugin version 3.4.9.6 or later.

***

Bold Page Builder — Broken Access Control
------------------------------------------

```
Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-50417
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.1.3
Patched Versions: Bold Page Builder 5.1.4
```

**Mitigation steps:** Update to Bold Page Builder version 5.1.4 or later.

***

WP Recipe Maker — Cross Site Scripting (XSS)
---------------------------------------------

```
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9650
Number of Installations: 50,000+
Affected Software: WP Recipe Maker <= 9.6.9
Patched Versions: WP Recipe Maker 9.7.0
```

**Mitigation steps:** Update to WP Recipe Maker version 9.7.0 or later.

***

RSS Aggregator — RSS Import, News Feeds, Feed to Post, and Autoblogging — Broken Access Control
-------------------------------------------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-9583
Number of Installations: 50,000+
Affected Software: RSS Aggregator <= 4.23.12
Patched Versions: RSS Aggregator 4.23.13
```

**Mitigation steps:** Update to RSS Aggregator version 4.23.13 or later.

***

Secure Custom Fields — Cross Site Scripting (XSS)
--------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: N/A
Number of Installations: 2,000,000+
Affected Software: Secure Custom Fields <= 6.3.6.2
Patched Versions: Secure Custom Fields 6.3.6.3
```

**Mitigation steps:** Update to Secure Custom Fields version 6.3.6.3 or later.

***

Update your website software to mitigate risk.
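Before updating, it helps to know which of the entries above actually apply to a given site. The script below is an added example written for this post, not Sucuri's own tooling. It reads the JSON that `wp plugin list --format=json` prints, compares each installed version with the "Affected Software <= X" bound of a subset of the entries above using the dotted-version ordering of PHP's `version_compare()` (the function WordPress itself relies on for version checks), and ranks the hits so that Critical and High issues reachable without authentication come first. The plugin slugs (`seo-by-rank-math`, `ti-woocommerce-wishlist` and so on) are my assumption of the wordpress.org directory slugs and should be checked against your own inventory; the inventory embedded in the block is constructed sample data, not a real site.

```python
"""Triage a WordPress plugin inventory against the roundup entries above.

Added example for this post, not Sucuri's own tooling. Input is the JSON that
`wp plugin list --format=json` prints. Each installed version is compared with
the post's "Affected Software <= X" bound using the dotted-version ordering of
PHP's version_compare(), and the hits are ranked so Critical/High issues that
need no authentication come first. Slugs below are assumed wordpress.org
directory slugs; verify them against your own inventory.
"""
import json
import re
import sys

# Subset of the entries above: slug, CVE, class, last affected version,
# patched version, security risk, lowest role needed ("None" = unauthenticated).
# A None version bound means the post lists "No Fix" for that plugin.
ADVISORIES = [
    ("seo-by-rank-math", "CVE-2024-9161", "Broken Access Control", "1.0.228", "1.0.229", "Medium", "None"),
    ("seo-by-rank-math", "CVE-2024-9314", "PHP Object Injection", "1.0.228", "1.0.229", "Medium", "Administrator"),
    ("advanced-custom-fields", "CVE-2024-9529", "Arbitrary Code Execution", "6.3.6", "6.3.6.1", "Medium", "Administrator"),
    ("broken-link-checker", "CVE-2024-8981", "Cross Site Scripting", "2.4.0", "2.4.1", "High", "None"),
    ("wp-members", "CVE-2024-9231", "Cross Site Scripting", "3.4.9.5", "3.4.9.6", "High", "None"),
    ("wp-members", "CVE-2024-10374", "Cross Site Scripting", "3.4.9.5", "3.4.9.6", "Medium", "Contributor"),
    ("jetpack", "CVE-2024-9926", "Broken Access Control", "13.9.0", "13.9.1", "Medium", "Subscriber"),
    ("ti-woocommerce-wishlist", "CVE-2024-9156", "SQL Injection", None, None, "Critical", "None"),
]

RISK_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
# WordPress role ladder as used in the post's "Exploitation Level"; lower = more exposed.
ROLE_RANK = {"None": 0, "Subscriber": 1, "Contributor": 2, "Author": 3,
             "Editor": 4, "Administrator": 5}


def version_key(version):
    """Sort key approximating PHP version_compare() for dotted numeric versions.

    "6.3.6" sorts below "6.3.6.1", and a pre-release suffix such as
    "1.0.0-beta2" sorts below the "1.0.0" release.
    """
    main, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in re.findall(r"\d+", main))
    return (numbers, -1 if suffix else 0)


def is_affected(installed, last_affected):
    """True when installed <= last_affected, or when no fixed version exists."""
    if last_affected is None:
        return True
    return version_key(installed) <= version_key(last_affected)


def triage(plugin_list_json):
    """Return the advisories that apply to the inventory, most urgent first."""
    inventory = {plugin["name"]: plugin for plugin in json.loads(plugin_list_json)}
    findings = []
    for slug, cve, vuln, last_affected, patched, risk, role in ADVISORIES:
        plugin = inventory.get(slug)
        if plugin is None or not is_affected(plugin["version"], last_affected):
            continue
        action = (f"update to {patched} or later" if patched
                  else "no fix available: deactivate the plugin")
        findings.append({
            "slug": slug, "cve": cve, "vulnerability": vuln, "risk": risk,
            "auth_required": role, "installed": plugin["version"],
            "status": plugin["status"], "action": action,
        })
    # Highest risk first; within a risk level, the lowest role needed first.
    findings.sort(key=lambda f: (-RISK_RANK[f["risk"]], ROLE_RANK[f["auth_required"]], f["slug"]))
    return findings


# Constructed sample of `wp plugin list --format=json` output, not a real site.
SAMPLE_INVENTORY = json.dumps([
    {"name": "seo-by-rank-math", "status": "active", "update": "available", "version": "1.0.228"},
    {"name": "advanced-custom-fields", "status": "active", "update": "none", "version": "6.3.6.1"},
    {"name": "broken-link-checker", "status": "inactive", "update": "available", "version": "2.3.9"},
    {"name": "ti-woocommerce-wishlist", "status": "active", "update": "none", "version": "2.9.2"},
    {"name": "wp-members", "status": "active", "update": "available", "version": "3.4.9.5"},
    {"name": "jetpack", "status": "active", "update": "none", "version": "13.9.1"},
    {"name": "hello-dolly", "status": "inactive", "update": "none", "version": "1.7.2"},
])

if __name__ == "__main__":
    # Usage on a real site:  wp plugin list --format=json | python3 triage.py -
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_INVENTORY
    for f in triage(data):
        print(f"{f['risk']:<8} {f['auth_required']:<13} {f['slug']} {f['installed']} "
              f"({f['status']}) {f['cve']} {f['vulnerability']}: {f['action']}")
```

Run it as `wp plugin list --format=json | python3 triage.py -` on the site; without the `-` argument it triages the embedded sample. Extend `ADVISORIES` with the remaining entries from the list above. Note that an inactive plugin still shows up in the report, since its files are still present, and that an entry with a `None` bound (the "No Fix" case) is reported whatever version is installed.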
Users who are not able to update their software with the latest version are encouraged to use a [web application firewall](https://sucuri.net/website-firewall/) to help virtually patch known vulnerabilities and protect their website.
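The closing advice is to update, and the quickest way to know whether a site still needs to is to compare what is installed against the patched versions listed above. The script below is an added example and is not part of the Sucuri roundup: it takes the JSON that `wp plugin list --format=json` prints and reports every plugin from this section that is still below its patched version. The plugin slugs in its table are assumptions (check them against the `name` column of your own `wp plugin list` output), and the inventory embedded in the block is constructed sample data, not a real site. Versions are compared numerically, component by component, because a plain string comparison orders "4.7.10" before "4.7.9.1" and would flag a patched Call / Contact Button install.

```python
# Added example, not code from the Sucuri roundup. Checks a WP-CLI plugin
# inventory against the patched versions listed in this section.
import json

# Patched versions taken from the entries above. The slugs (dict keys) are
# ASSUMED; verify them against `wp plugin list` on the site being checked.
ADVISORIES = {
    "wpdiscuz":                       ("Comments - wpDiscuz",            "7.6.25"),
    "call-now-button":                ("Call / Contact Button",          "4.7.10"),
    "exclusive-addons-for-elementor": ("Exclusive Addons for Elementor", "2.7.5"),
    "wp-members":                     ("WP-Members Membership Plugin",   "3.4.9.6"),
    "bold-page-builder":              ("Bold Page Builder",              "5.1.4"),
    "wp-recipe-maker":                ("WP Recipe Maker",                "9.7.0"),
    "wp-rss-aggregator":              ("RSS Aggregator",                 "4.23.13"),
    "secure-custom-fields":           ("Secure Custom Fields",           "6.3.6.3"),
}


def parse_version(v: str) -> tuple:
    """Turn '4.7.9.1' into (4, 7, 9, 1).

    A pre-release suffix such as '-rc1' is dropped, so '9.7.0-rc1' compares
    equal to 9.7.0. That is a deliberate simplification of PHP's
    version_compare(); for an update-needed check it errs on the safe side.
    """
    parts = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b.

    Shorter tuples are right-padded with zeros so '5.1' == '5.1.0'.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def find_unpatched(wp_plugin_list_json: str, advisories=ADVISORIES) -> list:
    """Return one record per inventoried plugin still below its patched version.

    Input is the text printed by `wp plugin list --format=json`. Inactive
    plugins are reported as well: their files stay on disk and may still be
    reachable by direct request, so "inactive" is not a mitigation.
    """
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        slug = plugin.get("name", "")
        if slug not in advisories:
            continue
        title, patched = advisories[slug]
        installed = plugin.get("version", "0")
        if version_lt(installed, patched):
            findings.append({
                "slug": slug,
                "title": title,
                "installed": installed,
                "patched": patched,
                "status": plugin.get("status", "unknown"),
            })
    return findings


# Constructed sample of `wp plugin list --format=json` output (not a real site).
SAMPLE_INVENTORY = json.dumps([
    {"name": "wp-members",           "status": "active",   "update": "available", "version": "3.4.9.5"},
    {"name": "call-now-button",      "status": "active",   "update": "none",      "version": "4.7.10"},
    {"name": "wp-recipe-maker",      "status": "inactive", "update": "available", "version": "9.6.9"},
    {"name": "secure-custom-fields", "status": "active",   "update": "none",      "version": "6.3.6.3"},
    {"name": "wpdiscuz",             "status": "active",   "update": "available", "version": "7.6.24"},
    {"name": "akismet",              "status": "active",   "update": "none",      "version": "5.3.3"},
])

if __name__ == "__main__":
    for f in find_unpatched(SAMPLE_INVENTORY):
        print(f"{f['slug']} {f['installed']} ({f['status']}): "
              f"update {f['title']} to {f['patched']} or later")
```

To run it against a live site, capture the inventory with `wp plugin list --format=json > plugins.json` and pass the file contents to `find_unpatched()`. The check covers only the plugins in this roundup; anything not in the table is ignored rather than reported as clean.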
