* [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Security Education](https://blog.sucuri.net/category/security-education)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)Vulnerability -& Patch Roundup — November 2024================================================![](https://blog.sucuri.net/wp-content/uploads/2024/07/avatar_user_112_1721420180-60×60.png) [Sucuri Malware Research Team](https://blog.sucuri.net/author/malware-research)* December 20, 2024 ![Sucuri November 2024 Vulnerability Roundup](https://blog.sucuri.net/wp-content/uploads/2024/12/November-2024.jpg) Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our [web application firewall](https://sucuri.net/website-firewall/) to protect your site against known vulnerabilities.*** ** * ** ***WordPress Core Updates———————-Named ‘Rollins’ after jazz legend Sonny Rollins, [WordPress 6.7](https://wordpress.org/news/2024/11/rollins/) introduces the Twenty Twenty-Five theme, offering flexible design options for all blogs. 
New font management tools enhance typography control, and the Zoom Out feature allows for a macro view to better visualize your site.*** ** * ** ***Loginizer — Broken Authentication———————————-“`Security Risk: HighExploitation Level: No authentication required.Vulnerability: Broken AuthenticationCVE: CVE-2024-10097Number of Installations: 1,000,000+Affected Software: Loginizer <= 1.9.2Patched Versions: Loginizer 1.9.3“`**Mitigation steps:** Update to Loginizer plugin version 1.9.3 or greater.*** ** * ** ***Otter Blocks — Gutenberg Blocks, Page Builder for Gutenberg Editor -& FSE — Cross Site Scripting (XSS)——————————————————————————————————–“`Security Risk: MediumExploitation Level: Requires Author or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10367Number of Installations: 300,000+Affected Software: Otter Blocks <= 3.0.4Patched Versions: Otter Blocks 3.0.5“`**Mitigation steps:** Update to Otter Blocks plugin version 3.0.5 or greater.*** ** * ** ***Photo Gallery by 10Web — Mobile-Friendly Image Gallery — Cross Site Scripting (XSS)————————————————————————————-“`Security Risk: MediumExploitation Level: Requires Administrator or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-9878Number of Installations: 200,000+Affected Software: Photo Gallery by 10Web <= 1.8.30Patched Versions: Photo Gallery by 10Web 1.8.31“`**Mitigation steps:** Update to Photo Gallery by 10Web plugin version 1.8.31 or greater.*** ** * ** ***Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid -& Carousel, Remote Arrows) — Cross Site Scripting (XSS)————————————————————————————————————————————–“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-9657Number of Installations: 100,000+Affected Software: Element Pack Elementor Addons <= 5.10.2Patched Versions: Element Pack Elementor Addons 5.10.3“`**Mitigation 
steps:** Update to Element Pack Elementor Addons plugin version 5.10.3 or greater.*** ** * ** ***Media Library Assistant — Remote Code Execution (RCE)——————————————————“`Security Risk: CriticalExploitation Level: Requires Administrator or higher level authentication.Vulnerability: Remote Code Execution (RCE)CVE: CVE-2024-51661Number of Installations: 70,000+Affected Software: Media Library Assistant <= 3.19Patched Versions: Media Library Assistant 3.20“`**Mitigation steps:** Update to Media Library Assistant plugin version 3.20 or greater.*** ** * ** ***Elementor Header -& Footer Builder — Cross Site Scripting (XSS)—————————————————————-“`Security Risk: MediumExploitation Level: Requires Author or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10325Number of Installations: 2,000,000+Affected Software: Elementor Header & Footer Builder <= 1.6.45Patched Versions: Elementor Header & Footer Builder 1.6.46“`**Mitigation steps:** Update to Elementor Header -& Footer Builder plugin version 1.6.46 or greater.*** ** * ** ***Safe SVG — Cross Site Scripting (XSS)————————————–“`Security Risk: MediumExploitation Level: Requires Author or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-8378Number of Installations: 1,000,000+Affected Software: Safe SVG <= 2.2.5Patched Versions: Safe SVG 2.2.6“`**Mitigation steps:** Update to Safe SVG plugin version 2.2.6 or greater.*** ** * ** ***Happy Addons for Elementor — Cross Site Scripting (XSS)——————————————————–“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10538Number of Installations: 400,000+Affected Software: Happy Addons for Elementor <= 3.12.5Patched Versions: Happy Addons for Elementor 3.12.6“`**Mitigation steps:** Update to Happy Addons for Elementor plugin version 3.12.6 or greater.*** ** * ** ***Admin and Site Enhancements (ASE) — Cross Site Scripting 
(XSS)—————————————————————“`Security Risk: MediumExploitation Level: CustomVulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10790Number of Installations: 100,000+Affected Software: Admin and Site Enhancements (ASE) <= 7.5.1Patched Versions: Admin and Site Enhancements (ASE) 7.5.2“`**Mitigation steps:** Update to Admin and Site Enhancements (ASE) plugin version 7.5.2 or greater.*** ** * ** ***Prime Slider — Addons For Elementor — Cross Site Scripting (XSS)——————————————————————“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-8442Number of Installations: 100,000+Affected Software: Prime Slider <= 3.15.18Patched Versions: Prime Slider 3.15.19“`**Mitigation steps:** Update to Prime Slider plugin version 3.15.19 or greater.*** ** * ** ***Contact Form 7 — Dynamic Text Extension — Sensitive Data Exposure——————————————————————-“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Sensitive Data ExposureCVE: CVE-2024-10084Number of Installations: 100,000+Affected Software: Contact Form 7 – Dynamic Text Extension <= 4.5.0Patched Versions: Contact Form 7 – Dynamic Text Extension 4.5.1“`**Mitigation steps:** Update to Contact Form 7 — Dynamic Text Extension plugin version 4.5.1 or greater.*** ** * ** ***Pods — Custom Content Types and Fields — Cross Site Scripting (XSS)———————————————————————“`Security Risk: MediumExploitation Level: Requires Administrator or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-9883Number of Installations: 100,000+Affected Software: Pods <= 3.2.7Patched Versions: Pods 3.2.7.1“`**Mitigation steps:** Update to Pods plugin version 3.2.7.1 or greater.*** ** * ** ***WP ULike — All-in-One Engagement Toolkit — Cross Site Scripting (XSS)———————————————————————–“`Security Risk: MediumExploitation Level: Requires Administrator or higher level 
authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-7879Number of Installations: 80,000+Affected Software: WP ULike <= 4.7.4Patched Versions: WP ULike 4.7.5“`**Mitigation steps:** Update to WP ULike plugin version 4.7.5 or greater.*** ** * ** ***WP Booking Calendar — Cross Site Scripting (XSS)————————————————-“`Security Risk: MediumExploitation Level: Requires Administrator or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10027Number of Installations: 50,000+Affected Software: WP Booking Calendar <= 10.6.2Patched Versions: WP Booking Calendar 10.6.3“`**Mitigation steps:** Update to WP Booking Calendar plugin version 10.6.3 or greater.*** ** * ** ***Form Maker by 10Web — Mobile-Friendly Drag -& Drop Contact Form Builder — Cross Site Scripting (XSS)——————————————————————————————————“`Security Risk: HighExploitation Level: No authentication required.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10265Number of Installations: 50,000+Affected Software: Form Maker by 10Web <= 1.15.30Patched Versions: Form Maker by 10Web 1.15.31“`**Mitigation steps:** Update to Form Maker by 10Web plugin version 1.15.31 or greater.*** ** * ** ***Really Simple Security — Simple and Performant Security (formerly Really Simple SSL) — Broken Authentication————————————————————————————————————–“`Security Risk: CriticalExploitation Level: No authentication required.Vulnerability: Broken AuthenticationCVE: CVE-2024-10924Number of Installations: 4,000,000+Affected Software: Really Simple Security <= 9.1.1Patched Versions: Really Simple Security 9.1.2“`**Mitigation steps:** Update to Really Simple Security plugin version 9.1.2 or greater.*** ** * ** ***Essential Addons for Elementor — Best Elementor Addon, Templates, Widgets, Kits -& WooCommerce Builders — Sensitive Data Exposure———————————————————————————————————————————–“`Security Risk: MediumExploitation Level: Requires Author or higher level authentication.Vulnerability: Sensitive 
Data ExposureCVE: CVE-2024-8979Number of Installations: 2,000,000+Affected Software: Essential Addons for Elementor <= 6.0.9Patched Versions: Essential Addons for Elementor 6.0.10“`**Mitigation steps:** Update to Essential Addons for Elementor plugin version 6.0.10 or greater.*** ** * ** ***Google for WooCommerce — Sensitive Data Exposure————————————————-“`Security Risk: MediumExploitation Level: No authentication required.Vulnerability: Sensitive Data ExposureCVE: CVE-2024-10486Number of Installations: 900,000+Affected Software: Google for WooCommerce <= 2.8.6Patched Versions: Google for WooCommerce 2.8.7“`**Mitigation steps:** Update to Google for WooCommerce plugin version 2.8.7 or greater.*** ** * ** ***Migration, Backup, Staging — WPvivid Backup -& Migration — PHP Object Injection———————————————————————————“`Security Risk: CriticalExploitation Level: No authentication required.Vulnerability: PHP Object InjectionCVE: CVE-2024-10962Number of Installations: 600,000+Affected Software: WPvivid Backup & Migration <= 0.9.107Patched Versions: WPvivid Backup & Migration 0.9.108“`**Mitigation steps:** Update to WPvivid Backup -& Migration plugin version 0.9.108 or greater.*** ** * ** ***Post SMTP — WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications — SQL Injection————————————————————————————————————“`Security Risk: HighExploitation Level: Requires Administrator or higher level authentication.Vulnerability: SQL InjectionCVE: CVE-2024-52436Number of Installations: 400,000+Affected Software: Post SMTP <= 2.9.9Patched Versions: Post SMTP 2.9.10“`**Mitigation steps:** Update to Post SMTP plugin version 2.9.10 or greater.*** ** * ** ***Hide My WP Ghost — Security -& Firewall — Cross Site Scripting (XSS)———————————————————————-“`Security Risk: HighExploitation Level: No authentication required.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10825Number of Installations: 200,000+Affected Software: Hide My WP Ghost <= 5.3.01Patched Versions: 
Hide My WP Ghost 5.3.02“`**Mitigation steps:** Update to Hide My WP Ghost plugin version 5.3.02 or greater.*** ** * ** ***WP Activity Log — Cross Site Scripting (XSS)———————————————“`Security Risk: HighExploitation Level: No authentication required.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10793Number of Installations: 200,000+Affected Software: WP Activity Log <= 5.2.1Patched Versions: WP Activity Log 5.2.2“`**Mitigation steps:** Update to WP Activity Log plugin version 5.2.2 or greater.*** ** * ** ***Simple Local Avatars — Broken Access Control———————————————“`Security Risk: MediumExploitation Level: Requires Subscriber or higher level authentication.Vulnerability: Broken Access ControlCVE: CVE-2024-10786Number of Installations: 100,000+Affected Software: Simple Local Avatars <= 2.7.9Patched Versions: Simple Local Avatars 2.8.0“`**Mitigation steps:** Update to Simple Local Avatars plugin version 2.8.0 or greater.*** ** * ** ***Advanced Order Export For WooCommerce — PHP Object Injection————————————————————-“`Security Risk: CriticalExploitation Level: No authentication required.Vulnerability: PHP Object InjectionCVE: CVE-2024-10828Number of Installations: 100,000+Affected Software: Advanced Order Export For WooCommerce <= 3.5.5Patched Versions: Advanced Order Export For WooCommerce 3.5.6“`**Mitigation steps:** Update to Advanced Order Export For WooCommerce plugin version 3.5.6 or greater.*** ** * ** ***WP Chat App — Broken Access Control————————————“`Security Risk: MediumExploitation Level: Requires Subscriber or higher level authentication.Vulnerability: Broken Access ControlCVE: CVE-2024-10533Number of Installations: 100,000+Affected Software: WP Chat App <= 3.6.8Patched Versions: WP Chat App 3.6.9“`**Mitigation steps:** Update to WP Chat App plugin version 3.6.9 or greater.*** ** * ** ***Customer Reviews for WooCommerce — Broken Access Control———————————————————“`Security Risk: MediumExploitation Level: Requires Subscriber or higher level 
authentication.Vulnerability: Broken Access ControlCVE: CVE-2024-10614Number of Installations: 70,000+Affected Software: Customer Reviews for WooCommerce <= 5.61.9Patched Versions: Customer Reviews for WooCommerce 5.62.0“`**Mitigation steps:** Update to Customer Reviews for WooCommerce plugin version 5.62.0 or greater.*** ** * ** ***WPForms — Easy Form Builder for WordPress — Contact Forms, Payment Forms, Surveys, -& More — Cross Site Scripting (XSS)————————————————————————————————————————–“`Security Risk: MediumExploitation Level: Requires Administrator or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-7056Number of Installations: 6,000,000+Affected Software: WPForms <= 1.9.1.5Patched Versions: WPForms 1.9.1.6“`**Mitigation steps:** Update to WPForms plugin version 1.9.1.6 or greater.*** ** * ** ***Rank Math SEO — AI SEO Tools to Dominate SEO Rankings — Remote Code Execution (RCE)————————————————————————————-“`Security Risk: HighExploitation Level: Requires Administrator or higher level authentication.Vulnerability: Remote Code Execution (RCE)CVE: CVE-2024-11620Number of Installations: 3,000,000+Affected Software: Rank Math SEO <= 1.0.231Patched Versions: Rank Math SEO 1.0.232“`**Mitigation steps:** Update to Rank Math SEO plugin version 1.0.232 or greater.*** ** * ** ***MailPoet — Newsletters, Email Marketing, and Automation — Cross Site Scripting (XSS)————————————————————————————–“`Security Risk: MediumExploitation Level: Requires Administrator or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10103Number of Installations: 600,000+Affected Software: MailPoet <= 5.3.1Patched Versions: MailPoet 5.3.2“`**Mitigation steps:** Update to MailPoet plugin version 5.3.2 or greater.*** ** * ** ***Photo Gallery, Sliders, Proofing and Themes — NextGEN Gallery — Cross Site Scripting (XSS)——————————————————————————————–“`Security Risk: MediumExploitation Level: Requires Administrator or higher level 
authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-6393Number of Installations: 500,000+Affected Software: NextGEN Gallery <= 3.59.4Patched Versions: NextGEN Gallery 3.59.5“`**Mitigation steps:** Update to NextGEN Gallery plugin version 3.59.5 or greater.*** ** * ** ***Formidable Forms — Contact Form Plugin, Survey, Quiz, Payment, Calculator Form -& Custom Form Builder — Cross Site Scripting (XSS)————————————————————————————————————————————“`Security Risk: HighExploitation Level: No authentication required.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-11188Number of Installations: 400,000+Affected Software: Formidable Forms <= 6.16.1Patched Versions: Formidable Forms 6.16.2“`**Mitigation steps:** Update to Formidable Forms plugin version 6.16.2 or greater.*** ** * ** ***Gutenberg Blocks with AI by Kadence WP — Page Builder Features — Cross Site Scripting (XSS)———————————————————————————————“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10785Number of Installations: 400,000+Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.3.3Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.3.4“`**Mitigation steps:** Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.3.4 or greater.*** ** * ** ***Royal Elementor Addons and Templates — Cross Site Scripting (XSS)——————————————————————“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-9682Number of Installations: 400,000+Affected Software: Royal Elementor Addons <= 1.7.1001Patched Versions: Royal Elementor Addons 1.7.1002“`**Mitigation steps:** Update to Royal Elementor Addons plugin version 1.7.1002 or greater.*** ** * ** ***Activity Log — Monitor -& Record User Changes — Cross Site Scripting (XSS)—————————————————————————-“`Security Risk: HighExploitation Level: No 
authentication required.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10788Number of Installations: 300,000+Affected Software: Activity Log <= 2.11.1Patched Versions: Activity Log 2.11.2“`**Mitigation steps:** Update to Activity Log plugin version 2.11.2 or greater.*** ** * ** ***FluentSMTP — WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider — PHP Object Injection——————————————————————————————————————————-“`Security Risk: CriticalExploitation Level: No authentication required.Vulnerability: PHP Object InjectionCVE: CVE-2024-9511Number of Installations: 300,000+Affected Software: FluentSMTP <= 2.2.82Patched Versions: FluentSMTP 2.2.83“`**Mitigation steps:** Update to FluentSMTP plugin version 2.2.83 or greater.*** ** * ** ***Spam protection, Anti-Spam, FireWall by CleanTalk — Broken Authentication————————————————————————–“`Security Risk: CriticalExploitation Level: No authentication required.Vulnerability: Broken AuthenticationCVE: CVE-2024-10542Number of Installations: 200,000+Affected Software: CleanTalk <= 6.43Patched Versions: CleanTalk 6.44“`**Mitigation steps:** Update to CleanTalk plugin version 6.44 or greater.*** ** * ** ***Jeg Elementor Kit — Cross Site Scripting (XSS)———————————————–“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10308Number of Installations: 200,000+Affected Software: Jeg Elementor Kit <= 2.6.9Patched Versions: Jeg Elementor Kit 2.6.10“`**Mitigation steps:** Update to Jeg Elementor Kit plugin version 2.6.10 or greater.*** ** * ** ***Ultimate Member — User Profile, Registration, Login, Member Directory, Content Restriction -& Membership Plugin — Broken Access Control—————————————————————————————————————————————–“`Security Risk: MediumExploitation Level: Requires Subscriber or higher level authentication.Vulnerability: Broken Access ControlCVE: CVE-2024-10528Number of Installations: 
200,000+Affected Software: Ultimate Member <= 2.8.9Patched Versions: Ultimate Member 2.9.0“`**Mitigation steps:** Update to Ultimate Member plugin version 2.9.0 or greater.*** ** * ** ***SEO Plugin by Squirrly SEO — Cross Site Scripting (XSS)——————————————————–“`Security Risk: MediumExploitation Level: Requires Editor or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10515Number of Installations: 100,000+Affected Software: Squirrly SEO <= 12.3.20Patched Versions: Squirrly SEO 12.3.21“`**Mitigation steps:** Update to Squirrly SEO plugin version 12.3.21 or greater.*** ** * ** ***The Plus Addons for Elementor — Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce — Sensitive Data Exposure—————————————————————————————————————————–“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Sensitive Data ExposureCVE: CVE-2024-10365Number of Installations: 100,000+Affected Software: The Plus Addons for Elementor <= 6.0.3Patched Versions: The Plus Addons for Elementor 6.0.4“`**Mitigation steps:** Update to The Plus Addons for Elementor plugin version 6.0.4 or greater.*** ** * ** ***HUSKY — Products Filter Professional for WooCommerce — Cross Site Scripting (XSS)———————————————————————————–“`Security Risk: HighExploitation Level: No authentication required.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-11400Number of Installations: 100,000+Affected Software: HUSKY <= 1.3.6.3Patched Versions: HUSKY 1.3.6.4“`**Mitigation steps:** Update to HUSKY plugin version 1.3.6.4 or greater.*** ** * ** ***Hustle — Email Marketing, Lead Generation, Optins, Popups — Broken Access Control———————————————————————————–“`Security Risk: MediumExploitation Level: Requires Subscriber or higher level authentication.Vulnerability: Broken Access ControlCVE: CVE-2024-10579Number of Installations: 100,000+Affected Software: Hustle <= 7.8.5Patched Versions: Hustle 7.8.6“`**Mitigation steps:** 
Update to Hustle plugin version 7.8.6 or greater.*** ** * ** ***Parsi Date — Cross Site Scripting (XSS)—————————————-“`Security Risk: HighExploitation Level: No authentication required.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-11032Number of Installations: 100,000+Affected Software: Parsi Date <= 5.1.1Patched Versions: Parsi Date 5.1.2“`**Mitigation steps:** Update to Parsi Date plugin version 5.1.2 or greater.*** ** * ** ***Tutor LMS — eLearning and online course solution — SQL Injection——————————————————————“`Security Risk: CriticalExploitation Level: No authentication required.Vulnerability: SQL InjectionCVE: CVE-2024-10400Number of Installations: 90,000+Affected Software: Tutor LMS <= 2.7.6Patched Versions: Tutor LMS 2.7.7“`**Mitigation steps:** Update to Tutor LMS plugin version 2.7.7 or greater.*** ** * ** ***Clone — PHP Object Injection—————————–“`Security Risk: HighExploitation Level: No authentication required.Vulnerability: PHP Object InjectionCVE: CVE-2024-10913Number of Installations: 70,000+Affected Software: Clone <= 2.4.6Patched Versions: Clone 2.4.7“`**Mitigation steps:** Update to Clone plugin version 2.4.7 or greater.*** ** * ** ***Increase Maximum Upload File Size -| Increase Execution Time — Sensitive Data Exposure—————————————————————————————“`Security Risk: MediumExploitation Level: Requires Author or higher level authentication.Vulnerability: Sensitive Data ExposureCVE: CVE-2024-11265Number of Installations: 70,000+Affected Software: Increase Maximum Upload File Size <= 1.1.3Patched Versions: Increase Maximum Upload File Size 1.1.4“`**Mitigation steps:** Update to Increase Maximum Upload File Size plugin version 1.1.4 or greater.*** ** * ** ***Getwid — Gutenberg Blocks — Cross Site Scripting (XSS)——————————————————–“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10872Number of Installations: 60,000+Affected Software: Getwid <= 
2.0.12Patched Versions: Getwid 2.0.13“`**Mitigation steps:** Update to Getwid plugin version 2.0.13 or greater.*** ** * ** ***FOX — Currency Switcher Professional for WooCommerce — Arbitrary Code Execution———————————————————————————“`Security Risk: HighExploitation Level: No authentication required.Vulnerability: Arbitrary Code ExecutionCVE: CVE-2024-10640Number of Installations: 60,000+Affected Software: FOX <= 1.4.2.2Patched Versions: FOX 1.4.2.3“`**Mitigation steps:** Update to FOX plugin version 1.4.2.3 or greater.*** ** * ** ***Booster for WooCommerce — Cross Site Scripting (XSS)—————————————————–“`Security Risk: HighExploitation Level: No authentication required.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-9239Number of Installations: 50,000+Affected Software: Booster for WooCommerce <= 7.2.3Patched Versions: Booster for WooCommerce 7.2.4“`**Mitigation steps:** Update to Booster for WooCommerce plugin version 7.2.4 or greater.*** ** * ** ***Elementor Website Builder — More than Just a Page Builder — Cross Site Scripting (XSS)—————————————————————————————-“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-8236Number of Installations: 10,000,000+Affected Software: Elementor Website Builder <= 3.25.7Patched Versions: Elementor Website Builder 3.25.8“`**Mitigation steps:** Update to Elementor Website Builder plugin version 3.25.8 or greater.*** ** * ** ***Royal Elementor Addons and Templates — Broken Access Control————————————————————-“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Broken Access ControlCVE: CVE-2024-10798Number of Installations: 500,000+Affected Software: Royal Elementor Addons <= 1.7.1003Patched Versions: Royal Elementor Addons 1.7.1004“`**Mitigation steps:** Update to Royal Elementor Addons plugin version 1.7.1004 or greater.*** ** * ** ***Otter Blocks — Gutenberg Blocks, Page 
Builder for Gutenberg Editor -& FSE — Path Traversal——————————————————————————————–“`Security Risk: MediumExploitation Level: No authentication required.Vulnerability: Path TraversalCVE: CVE-2024-11219Number of Installations: 300,000+Affected Software: Otter Blocks <= 3.0.6Patched Versions: Otter Blocks 3.0.7“`**Mitigation steps:** Update to Otter Blocks plugin version 3.0.7 or greater.*** ** * ** ***Spam protection, Anti-Spam, FireWall by CleanTalk — Broken Authentication————————————————————————–“`Security Risk: HighExploitation Level: No authentication required.Vulnerability: Broken AuthenticationCVE: CVE-2024-10781Number of Installations: 200,000+Affected Software: CleanTalk <= 6.44Patched Versions: CleanTalk 6.45“`**Mitigation steps:** Update to CleanTalk plugin version 6.45 or greater.*** ** * ** ***Jeg Elementor Kit — Sensitive Data Exposure——————————————–“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Sensitive Data ExposureCVE: CVE-2024-8899Number of Installations: 200,000+Affected Software: Jeg Elementor Kit <= 2.6.9Patched Versions: Jeg Elementor Kit 2.6.10“`**Mitigation steps:** Update to Jeg Elementor Kit plugin version 2.6.10 or greater.*** ** * ** ***Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile -& Restrict Content — ProfilePress — Sensitive Data Exposure————————————————————————————————————————————————–“`Security Risk: MediumExploitation Level: No authentication required.Vulnerability: Sensitive Data ExposureCVE: CVE-2024-11083Number of Installations: 200,000+Affected Software: ProfilePress <= 4.15.18Patched Versions: ProfilePress 4.15.19“`**Mitigation steps:** Update to ProfilePress plugin version 4.15.19 or greater.*** ** * ** ***EmbedPress — Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps -& Upload PDF Documents — Cross Site Scripting 
(XSS)————————————————————————————————————————————————————————“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-11203Number of Installations: 100,000+Affected Software: EmbedPress <= 4.1.3Patched Versions: EmbedPress 4.1.4“`**Mitigation steps:** Update to EmbedPress plugin version 4.1.4 or greater.*** ** * ** ***Everest Forms — Build Contact Forms, Surveys, Polls, Quizzes, Newsletter -& Application Forms, and Many More with Ease! — Cross Site Scripting (XSS)——————————————————————————————————————————————————“`Security Risk: MediumExploitation Level: Requires Administrator or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-10471Number of Installations: 100,000+Affected Software: Everest Forms <= 3.0.4.1Patched Versions: Everest Forms 3.0.4.2“`**Mitigation steps:** Update to Everest Forms plugin version 3.0.4.2 or greater.*** ** * ** ***Social Sharing Plugin — Sassy Social Share — Cross Site Scripting (XSS)————————————————————————-“`Security Risk: HighExploitation Level: No authentication required.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-11252Number of Installations: 100,000+Affected Software: Sassy Social Share <= 3.3.69Patched Versions: Sassy Social Share 3.3.70“`**Mitigation steps:** Update to Sassy Social Share plugin version 3.3.70 or greater.*** ** * ** ***Widget Options — The #1 WordPress Widget -& Block Control Plugin — Remote Code Execution (RCE)————————————————————————————————“`Security Risk: CriticalExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Remote Code Execution (RCE)CVE: CVE-2024-8672Number of Installations: 100,000+Affected Software: Widget Options <= 4.0.7Patched Versions: Widget Options 4.0.8“`**Mitigation steps:** Update to Widget Options plugin version 4.0.8 or greater.*** ** * ** ***Hustle — Email Marketing, Lead Generation, Optins, Popups — Broken Access 
Control———————————————————————————–“`Security Risk: MediumExploitation Level: No authentication required.Vulnerability: Broken Access ControlCVE: CVE-2024-10580Number of Installations: 100,000+Affected Software: Hustle <= 7.8.5Patched Versions: Hustle 7.8.6“`**Mitigation steps:** Update to Hustle plugin version 7.8.6 or greater.*** ** * ** ***Total Upkeep — WordPress Backup Plugin plus Restore -& Migrate by BoldGrid — Remote Code Execution (RCE)———————————————————————————————————-“`Security Risk: CriticalExploitation Level: Requires Administrator or higher level authentication.Vulnerability: Remote Code Execution (RCE)CVE: CVE-2024-9461Number of Installations: 70,000+Affected Software: Total Upkeep <= 1.16.6Patched Versions: Total Upkeep 1.16.7“`**Mitigation steps:** Update to Total Upkeep plugin version 1.16.7 or greater.*** ** * ** ***File Manager Pro — Filester — Path Traversal———————————————-“`Security Risk: HighExploitation Level: Requires Administrator or higher level authentication.Vulnerability: Path TraversalCVE: CVE-2024-9669Number of Installations: 70,000+Affected Software: Filester <= 1.8.5Patched Versions: Filester 1.8.6“`**Mitigation steps:** Update to Filester plugin version 1.8.6 or greater.*** ** * ** ***File Manager Pro — Filester — Arbitrary File Upload—————————————————–“`Security Risk: HighExploitation Level: Requires Subscriber or higher level authentication.Vulnerability: Arbitrary File UploadCVE: CVE-2024-8066Number of Installations: 70,000+Affected Software: Filester <= 1.8.4Patched Versions: Filester 1.8.5“`**Mitigation steps:** Update to Filester plugin version 1.8.5 or greater.*** ** * ** ***Storely — Cross Site Scripting (XSS)————————————-“`Security Risk: MediumExploitation Level: Requires Contributor or higher level authentication.Vulnerability: Cross Site Scripting (XSS)CVE: CVE-2024-51794Number of Downloads: 435,857Affected Software: StorelyPatched Versions: No Fix“`**Mitigation steps:** Consider disabling the theme or finding an 
alternative solution, as no fix is currently available.

***

Top Store — Arbitrary Code Execution
------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-10673
Number of Downloads: 198,806
Affected Software: Top Store <= 1.5.4
Patched Versions: Top Store 1.5.5
```

**Mitigation steps:** Update to Top Store theme version 1.5.5 or greater.

***

Bard — Cross Site Scripting (XSS)
---------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9830
Number of Downloads: 934,286
Affected Software: Bard <= 2.216
Patched Versions: Bard 2.217
```

**Mitigation steps:** Update to Bard theme version 2.217 or greater.

***

Ashe — Cross Site Scripting (XSS)
---------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9777
Number of Downloads: 2,043,009
Affected Software: Ashe <= 2.243
Patched Versions: Ashe 2.244
```

**Mitigation steps:** Update to Ashe theme version 2.244 or greater.

***

Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a [web application firewall](https://sucuri.net/website-firewall/) to help virtually patch known vulnerabilities and protect their website.
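Every mitigation step in this roundup reduces to the same check: is the installed version at or below the affected bound, and if so, which release closes the issue. The script below is an added example written for this post; it is not Sucuri's code nor code from any of the listed plugins or themes. `ADVISORIES` is transcribed from the entries above, and `SAMPLE_INVENTORY` is constructed data standing in for the output of `wp plugin list --format=json` / `wp theme list --format=json` (assumption: real WP-CLI output carries the slug in its `name` field, so a slug-to-title mapping would be needed before matching against a live site). It compares versions numerically rather than as strings, reports each CVE separately when one product has several entries (Filester has two), and handles the Storely case where no fixed version exists.

```python
"""Flag installed WordPress plugins/themes that fall inside this roundup's
affected ranges.

Added example, not Sucuri's or any listed project's code. ADVISORIES is
transcribed from the entries above; SAMPLE_INVENTORY is constructed data
standing in for `wp plugin list --format=json` / `wp theme list --format=json`
output (assumption: real output carries the slug in "name", so a slug-to-title
mapping would be needed before matching against live sites).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    software: str                # display name as written in the roundup
    affected_max: Optional[str]  # highest vulnerable version; None = every version
    patched: Optional[str]       # first fixed version; None = "No Fix"
    cve: str
    issue: str
    risk: str


# Data transcribed from the roundup entries above.
ADVISORIES = [
    Advisory("Hustle", "7.8.5", "7.8.6", "CVE-2024-10580", "Broken Access Control", "Medium"),
    Advisory("Total Upkeep", "1.16.6", "1.16.7", "CVE-2024-9461", "Remote Code Execution (RCE)", "Critical"),
    Advisory("Filester", "1.8.5", "1.8.6", "CVE-2024-9669", "Path Traversal", "High"),
    Advisory("Filester", "1.8.4", "1.8.5", "CVE-2024-8066", "Arbitrary File Upload", "High"),
    Advisory("Storely", None, None, "CVE-2024-51794", "Cross Site Scripting (XSS)", "Medium"),
    Advisory("Top Store", "1.5.4", "1.5.5", "CVE-2024-10673", "Arbitrary Code Execution", "Medium"),
    Advisory("Bard", "2.216", "2.217", "CVE-2024-9830", "Cross Site Scripting (XSS)", "High"),
    Advisory("Ashe", "2.243", "2.244", "CVE-2024-9777", "Cross Site Scripting (XSS)", "High"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.16.6' into (1, 16, 6). Non-numeric suffixes such as '1.8.5-beta'
    are reduced to their digits so the comparison stays numeric."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Three-way compare returning -1, 0 or 1. Numeric comparison matters:
    as strings '1.9' sorts after '1.16' and '2.9' after '2.216', which would
    hide a vulnerable install behind an apparently higher version."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))  # pad so that 1.8 == 1.8.0
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(advisory: Advisory, installed: str) -> bool:
    """True when the installed version is inside the advisory's affected range."""
    if advisory.affected_max is None:  # 'Affected Software: Storely' carries no bound
        return True
    return compare_versions(installed, advisory.affected_max) <= 0


def audit(inventory: list[dict]) -> list[dict]:
    """Match each inventory item against every advisory for the same software.
    One product can carry several entries, so each CVE is reported on its own
    together with the release that closes it."""
    findings = []
    for item in inventory:
        for adv in ADVISORIES:
            if adv.software.lower() != item["name"].lower():
                continue
            if not is_affected(adv, item["version"]):
                continue
            if adv.patched:
                action = f"update to {adv.patched} or greater"
            else:
                action = "no fix available: disable the theme or replace it"
            findings.append({
                "name": item["name"], "installed": item["version"],
                "cve": adv.cve, "issue": adv.issue, "risk": adv.risk, "action": action,
            })
    return findings


# Constructed sample inventory (not real site data).
SAMPLE_INVENTORY = [
    {"name": "Hustle", "version": "7.8.6"},         # already on the patched release
    {"name": "Filester", "version": "1.8.5"},       # closes CVE-2024-8066, still open to CVE-2024-9669
    {"name": "Total Upkeep", "version": "1.16.6"},  # vulnerable, critical
    {"name": "Storely", "version": "1.0.3"},        # no fixed version exists
    {"name": "Ashe", "version": "2.244"},           # patched
    {"name": "Bard", "version": "2.9"},             # lexically > 2.217 but numerically vulnerable
]


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f['risk']}] {f['name']} {f['installed']}: {f['cve']} ({f['issue']}) -> {f['action']}")
```

Run against the constructed inventory it reports four findings: Filester (path traversal only, since 1.8.5 already closes the upload issue), Total Upkeep, Storely with the "no fix" action, and Bard, which a string comparison would have wrongly passed as up to date.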