WordPress Vulnerability & Patch Roundup August 2024
===================================================

[Sucuri Malware Research Team](https://blog.sucuri.net/author/malware-research), August 30, 2024

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we've compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don't have it installed yet, you can use our [web application firewall](https://sucuri.net/website-firewall/) to protect your site against known vulnerabilities.

* * *

WordPress 6.6.1 Maintenance Release
-----------------------------------

WordPress 6.6.1 has been released, featuring [7 Core bug fixes](https://core.trac.wordpress.org/query?status=closed&id=!61692&milestone=6.6.1&group=status&col=id&col=summary&col=owner&col=type&col=priority&col=component&col=version&col=keywords&order=priority) and [9 Block Editor bug fixes](https://core.trac.wordpress.org/ticket/61692#comment:4). Read the [Release Candidate announcement](https://make.wordpress.org/core/2024/07/18/wordpress-6-6-1-rc1-is-now-available/) for a detailed overview of the changes.

We strongly encourage WordPress users to always keep their CMS patched with the latest core updates to mitigate risk and protect the WordPress environment.

* * *

WooCommerce — Cross Site Scripting (XSS)
----------------------------------------

```
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-39666
Number of Installations: 7,000,000+
Affected Software: WooCommerce <= 9.1.2
Patched Versions: WooCommerce 9.1.3
```

**Mitigation steps:** Update to [WooCommerce](https://wordpress.org/plugins/woocommerce/) plugin version 9.1.3 or greater.

* * *

LiteSpeed Cache — Privilege Escalation
--------------------------------------

```
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2024-28000
Number of Installations: 5,000,000+
Affected Software: LiteSpeed Cache <= 6.3.0.1
Patched Versions: LiteSpeed Cache 6.4
```

**Mitigation steps:** Update to [LiteSpeed Cache](https://wordpress.org/plugins/litespeed-cache/) plugin version 6.4 or greater.

* * *

Essential Addons for Elementor — Cross Site Scripting (XSS)
-----------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7092
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.27
Patched Versions: Essential Addons for Elementor 6.0.0
```

**Mitigation steps:** Update to [Essential Addons for Elementor](https://wordpress.org/plugins/essential-addons-for-elementor-lite/) plugin version 6.0.0 or greater.

* * *

Spectra — Cross Site Scripting (XSS)
------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7590
Number of Installations: 900,000+
Affected Software: Spectra <= 2.14.1
Patched Versions: Spectra 2.15.1
```

**Mitigation steps:** Update to [Spectra](https://wordpress.org/plugins/ultimate-addons-for-gutenberg/) plugin version 2.15.1 or greater.

* * *

Popup Maker — Cross Site Scripting (XSS)
----------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7054
Number of Installations: 700,000+
Affected Software: Popup Maker <= 1.19.0
Patched Versions: Popup Maker 1.19.1
```

**Mitigation steps:** Update to [Popup Maker](https://wordpress.org/plugins/popup-maker/) plugin version 1.19.1 or greater.

* * *

Premium Addons for Elementor — Broken Access Control
----------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-6824
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.38
Patched Versions: Premium Addons for Elementor 4.10.39
```

**Mitigation steps:** Update to [Premium Addons for Elementor](https://wordpress.org/plugins/premium-addons-for-elementor/) plugin version 4.10.39 or greater.

* * *

Meta Box — Broken Access Control
--------------------------------

```
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43235
Number of Installations: 600,000+
Affected Software: Meta Box <= 5.9.10
Patched Versions: Meta Box 5.9.11
```

**Mitigation steps:** Update to [Meta Box](https://wordpress.org/plugins/meta-box/) plugin version 5.9.11 or greater.

* * *

SiteOrigin Widgets Bundle — Cross Site Scripting (XSS)
------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-5901
Number of Installations: 600,000+
Affected Software: SiteOrigin Widgets Bundle <= 1.62.2
Patched Versions: SiteOrigin Widgets Bundle 1.62.3
```

**Mitigation steps:** Update to [SiteOrigin Widgets Bundle](https://wordpress.org/plugins/so-widgets-bundle/) plugin version 1.62.3 or greater.

* * *

Easy Table of Contents — Cross Site Scripting (XSS)
---------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7082
Number of Installations: 500,000+
Affected Software: Easy Table of Contents <= 2.0.67.1
Patched Versions: Easy Table of Contents 2.0.68
```

**Mitigation steps:** Update to [Easy Table of Contents](https://wordpress.org/plugins/easy-table-of-contents/) plugin version 2.0.68 or greater.

* * *

Formidable Forms — Cross Site Scripting (XSS)
---------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6725
Number of Installations: 400,000+
Affected Software: Formidable Forms <= 6.11.1
Patched Versions: Formidable Forms 6.11.2
```

**Mitigation steps:** Update to [Formidable Forms](https://wordpress.org/plugins/formidable/) plugin version 6.11.2 or greater.

* * *

Gutenberg Blocks with AI by Kadence WP — Cross Site Scripting (XSS)
-------------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6884
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.2.38
Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.2.39
```

**Mitigation steps:** Update to [Gutenberg Blocks with AI by Kadence WP](https://wordpress.org/plugins/kadence-blocks/) plugin version 3.2.39 or greater.

* * *

Fonts Plugin — Broken Access Control
------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43302
Number of Installations: 200,000+
Affected Software: Fonts Plugin <= 3.7.7
Patched Versions: Fonts Plugin 3.7.8
```

**Mitigation steps:** Update to [Fonts Plugin](https://wordpress.org/plugins/olympus-google-fonts/) plugin version 3.7.8 or greater.

* * *

White Label CMS — Reflected Cross Site Scripting (XSS)
------------------------------------------------------

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: XSS
CVE: CVE-2024-43303
Number of Installations: 200,000+
Affected Software: White Label CMS <= 2.7.4
Patched Versions: White Label CMS 2.7.5
```

**Mitigation steps:** Update to [White Label CMS](https://wordpress.org/plugins/white-label-cms/) plugin version 2.7.5 or greater.

* * *

Download Manager — Cross Site Scripting (XSS)
---------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6208
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.2.97
Patched Versions: Download Manager 3.2.98
```

**Mitigation steps:** Update to [Download Manager](https://wordpress.org/plugins/download-manager/) plugin version 3.2.98 or greater.

* * *

Essential Blocks — Cross Site Scripting (XSS)
---------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-5595
Number of Installations: 100,000+
Affected Software: Essential Blocks < 4.7.0
Patched Versions: Essential Blocks 4.7.0
```

**Mitigation steps:** Update to [Essential Blocks](https://wordpress.org/plugins/essential-blocks/) plugin version 4.7.0 or greater.

* * *

Inline Related Posts — Cross Site Scripting (XSS)
-------------------------------------------------

```
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6487
Number of Installations: 100,000+
Affected Software: Inline Related Posts < 3.8.0
Patched Versions: Inline Related Posts 3.8.0
```

**Mitigation steps:** Update to [Inline Related Posts](https://wordpress.org/plugins/intelly-related-posts/) plugin version 3.8.0 or greater.

* * *

My Sticky Bar — Cross Site Scripting (XSS)
------------------------------------------

```
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-4090
Number of Installations: 100,000+
Affected Software: My Sticky Bar (formerly myStickymenu) <= 2.7.1
Patched Versions: My Sticky Bar (formerly myStickymenu) 2.7.2
```

**Mitigation steps:** Update to [My Sticky Bar](https://wordpress.org/plugins/mystickymenu/) plugin version 2.7.2 or greater.

* * *

DearFlip — Cross Site Scripting (XSS)
-------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-4367
Number of Installations: 100,000+
Affected Software: DearFlip <= 2.2.55
Patched Versions: DearFlip 2.2.56
```

**Mitigation steps:** Update to [DearFlip](https://wordpress.org/plugins/3d-flipbook-dflip-lite/) plugin version 2.2.56 or greater.

* * *

AMP for WP — Broken Access Control
----------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43146
Number of Installations: 100,000+
Affected Software: AMP for WP <= 1.0.96.1
Patched Versions: AMP for WP 1.0.97
```

**Mitigation steps:** Update to [AMP for WP](https://wordpress.org/plugins/accelerated-mobile-pages/) plugin version 1.0.97 or greater.

* * *

Aruba HiSpeed Cache — Broken Access Control
-------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43119
Number of Installations: 100,000+
Affected Software: Aruba HiSpeed Cache <= 2.0.12
Patched Versions: Aruba HiSpeed Cache 2.0.13
```

**Mitigation steps:** Update to [Aruba HiSpeed Cache](https://wordpress.org/plugins/aruba-hispeed-cache/) plugin version 2.0.13 or greater.

* * *

Element Pack Elementor Addons — Cross Site Scripting (XSS)
----------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7247
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons <= 5.7.2
Patched Versions: Element Pack Elementor Addons 5.7.3
```

**Mitigation steps:** Update to [Element Pack Elementor Addons](https://wordpress.org/plugins/bdthemes-element-pack-lite/) plugin version 5.7.3 or greater.

* * *

Slider & Popup Builder by Depicter — Cross Site Scripting (XSS)
---------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-43161
Number of Installations: 100,000+
Affected Software: Slider & Popup Builder by Depicter <= 3.1.2
Patched Versions: Slider & Popup Builder by Depicter 3.2.0
```

**Mitigation steps:** Update to [Slider & Popup Builder by Depicter](https://wordpress.org/plugins/depicter/) plugin version 3.2.0 or greater.

* * *

FooBox — Cross Site Scripting (XSS)
-----------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-5668
Number of Installations: 100,000+
Affected Software: FooBox <= 2.7.28
Patched Versions: FooBox 2.7.32
```

**Mitigation steps:** Update to [FooBox](https://wordpress.org/plugins/foobox-image-lightbox/) plugin version 2.7.32 or greater.

* * *

Hummingbird Performance — Broken Access Control
-----------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43118
Number of Installations: 100,000+
Affected Software: Hummingbird Performance <= 3.9.1
Patched Versions: Hummingbird Performance 3.9.2
```

**Mitigation steps:** Update to [Hummingbird Performance](https://wordpress.org/plugins/hummingbird-performance/) plugin version 3.9.2 or greater.

* * *

Robin image optimizer — Broken Access Control
---------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43122
Number of Installations: 100,000+
Affected Software: Robin image optimizer <= 1.6.9
Patched Versions: Robin image optimizer 1.7.0
```

**Mitigation steps:** Update to [Robin image optimizer](https://wordpress.org/plugins/robin-image-optimizer/) plugin version 1.7.0 or greater.

* * *

GiveWP — Broken Access Control
------------------------------

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-5940, CVE-2024-5939
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.13.9
Patched Versions: GiveWP 3.14.0
```

**Mitigation steps:** Update to [GiveWP](https://wordpress.org/plugins/give/) plugin version 3.14.0 or greater.

* * *

The Ultimate Video Player For WordPress — Broken Access Control
---------------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43285
Number of Installations: 100,000+
Affected Software: The Ultimate Video Player For WordPress <= 3.0.2
Patched Versions: The Ultimate Video Player For WordPress 3.0.3
```

**Mitigation steps:** Update to [The Ultimate Video Player For WordPress](https://wordpress.org/plugins/presto-player/) plugin version 3.0.3 or greater.

* * *

SEO Plugin by Squirrly SEO — SQL Injection
------------------------------------------

```
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-43286
Number of Installations: 100,000+
Affected Software: SEO Plugin by Squirrly SEO <= 12.3.19
Patched Versions: SEO Plugin by Squirrly SEO 12.3.20
```

**Mitigation steps:** Update to [SEO Plugin by Squirrly SEO](https://wordpress.org/plugins/squirrly-seo/) plugin version 12.3.20 or greater.

* * *

The Plus Addons for Elementor — Cross Site Scripting (XSS)
----------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-5763
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.6.2
Patched Versions: The Plus Addons for Elementor 5.6.3
```

**Mitigation steps:** Update to [The Plus Addons for Elementor](https://wordpress.org/plugins/the-plus-addons-for-elementor-page-builder/) plugin version 5.6.3 or greater.

* * *

Asset CleanUp: Page Speed Booster — Broken Access Control
---------------------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43314
Number of Installations: 100,000+
Affected Software: Asset CleanUp: Page Speed Booster <= 1.3.9.3
Patched Versions: Asset CleanUp: Page Speed Booster 1.3.9.4
```

**Mitigation steps:** Update to [Asset CleanUp: Page Speed Booster](https://wordpress.org/plugins/wp-asset-clean-up/) plugin version 1.3.9.4 or greater.

* * *

Email Encoder — Cross Site Scripting (XSS)
------------------------------------------

```
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-4483
Number of Installations: 90,000+
Affected Software: Email Encoder <= 2.2.1
Patched Versions: Email Encoder 2.2.2
```

**Mitigation steps:** Update to [Email Encoder](https://wordpress.org/plugins/email-encoder-bundle/) plugin version 2.2.2 or greater.

* * *

Social Feed Gallery — Broken Access Control
-------------------------------------------

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-39640
Number of Installations: 90,000+
Affected Software: Social Feed Gallery <= 4.3.9
Patched Versions: Social Feed Gallery 4.4.0
```

**Mitigation steps:** Update to [Social Feed Gallery](https://wordpress.org/plugins/insta-gallery/) plugin version 4.4.0 or greater.

* * *

WP Mobile Menu — Broken Access Control
--------------------------------------

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-2508
Number of Installations: 90,000+
Affected Software: WP Mobile Menu <= 2.8.4.4
Patched Versions: WP Mobile Menu 2.8.5
```

**Mitigation steps:** Update to [WP Mobile Menu](https://wordpress.org/plugins/mobile-menu/) plugin version 2.8.5 or greater.

* * *

LearnPress — SQL Injection
--------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-7548
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.6.9.3
Patched Versions: LearnPress 4.2.6.9.4
```

**Mitigation steps:** Update to [LearnPress](https://wordpress.org/plugins/learnpress/) plugin version 4.2.6.9.4 or greater.

* * *

Tutor LMS — Cross Site Scripting (XSS)
--------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Instructor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-43231
Number of Installations: 90,000+
Affected Software: Tutor LMS <= 2.7.3
Patched Versions: Tutor LMS 2.7.4
```

**Mitigation steps:** Update to [Tutor LMS](https://wordpress.org/plugins/tutor/) plugin version 2.7.4 or greater.

* * *

Tutor LMS — Broken Access Control
---------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Tutor Instructor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43142
Number of Installations: 90,000+
Affected Software: Tutor LMS <= 2.7.3
Patched Versions: Tutor LMS 2.7.4
```

**Mitigation steps:** Update to [Tutor LMS](https://wordpress.org/plugins/tutor/) plugin version 2.7.4 or greater.

* * *

Ajax Search Lite — Cross Site Scripting (XSS)
---------------------------------------------

```
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7084
Number of Installations: 80,000+
Affected Software: Ajax Search Lite <= 4.12
Patched Versions: Ajax Search Lite 4.12.1
```

**Mitigation steps:** Update to [Ajax Search Lite](https://wordpress.org/plugins/ajax-search-lite/) plugin version 4.12.1 or greater.

* * *

Folders — Cross Site Scripting (XSS)
------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7317
Number of Installations: 80,000+
Affected Software: Folders <= 3.0.3
Patched Versions: Folders 3.0.4
```

**Mitigation steps:** Update to [Folders](https://wordpress.org/plugins/folders/) plugin version 3.0.4 or greater.

* * *

3D FlipBook — Cross Site Scripting (XSS)
----------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-43152
Number of Installations: 70,000+
Affected Software: 3D FlipBook <= 1.15.6
Patched Versions: 3D FlipBook 1.15.7
```

**Mitigation steps:** Update to [3D FlipBook](https://wordpress.org/plugins/interactive-3d-flipbook-powered-physics-engine/) plugin version 1.15.7 or greater.

* * *

Clone — Broken Access Control
-----------------------------

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43298
Number of Installations: 70,000+
Affected Software: Clone <= 2.4.5
Patched Versions: Clone 2.4.6
```

**Mitigation steps:** Update to [Clone](https://wordpress.org/plugins/wp-clone-by-wp-academy/) plugin version 2.4.6 or greater.

* * *

FOX — Broken Access Control
---------------------------

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43297
Number of Installations: 60,000+
Affected Software: FOX <= 1.4.2
Patched Versions: FOX 1.4.2.1
```

**Mitigation steps:** Update to [FOX](https://wordpress.org/plugins/woocommerce-currency-switcher/) plugin version 1.4.2.1 or greater.

* * *

WP Table Builder — Cross Site Scripting (XSS)
---------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-43125
Number of Installations: 60,000+
Affected Software: WP Table Builder <= 1.4.15
Patched Versions: WP Table Builder 1.5.0
```

**Mitigation steps:** Update to [WP Table Builder](https://wordpress.org/plugins/wp-table-builder/) plugin version 1.5.0 or greater.

* * *

Blog2Social — Cross Site Scripting (XSS)
----------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7302
Number of Installations: 60,000+
Affected Software: Blog2Social <= 7.5.4
Patched Versions: Blog2Social 7.5.5
```

**Mitigation steps:** Update to [Blog2Social](https://wordpress.org/plugins/blog2social/) plugin version 7.5.5 or greater.

* * *

Bold Page Builder — Cross Site Scripting (XSS)
----------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-7100
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.0.2
Patched Versions: Bold Page Builder 5.0.3
```

**Mitigation steps:** Update to [Bold Page Builder](https://wordpress.org/plugins/bold-page-builder/) plugin version 5.0.3 or greater.

* * *

Easy Digital Downloads — SQL Injection
--------------------------------------

```
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQLi
CVE: CVE-2024-5057
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.2.12
Patched Versions: Easy Digital Downloads 3.3.1
```

**Mitigation steps:** Update to [Easy Digital Downloads](https://wordpress.org/plugins/easy-digital-downloads/) plugin version 3.3.1 or greater.

* * *

User Profile Builder — Broken Access Control
--------------------------------------------

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-6366
Number of Installations: 50,000+
Affected Software: User Profile Builder <= 3.11.7
Patched Versions: User Profile Builder 3.11.8
```

**Mitigation steps:** Update to [User Profile Builder](https://wordpress.org/plugins/profile-builder/) plugin version 3.11.8 or greater.

* * *

Category Posts Widget — Cross Site Scripting (XSS)
--------------------------------------------------

```
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6158
Number of Installations: 50,000+
Affected Software: Category Posts Widget <= 4.9.16
Patched Versions: Category Posts Widget 4.9.17
```

**Mitigation steps:** Update to [Category Posts Widget](https://wordpress.org/plugins/category-posts/) plugin version 4.9.17 or greater.

* * *

Easy Digital Downloads — Cross Site Scripting (XSS)
---------------------------------------------------

```
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: XSS
CVE: CVE-2024-6692
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.3.2
Patched Versions: Easy Digital Downloads 3.3.3
```

**Mitigation steps:** Update to [Easy Digital Downloads](https://wordpress.org/plugins/easy-digital-downloads/) plugin version 3.3.3 or greater.

* * *

Easy Digital Downloads — Broken Access Control
----------------------------------------------

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-43162
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.2.12
Patched Versions: Easy Digital Downloads 3.3.1
```

**Mitigation steps:** Update to [Easy Digital Downloads](https://wordpress.org/plugins/easy-digital-downloads/) plugin version 3.3.1 or greater.

* * *

Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a [web application firewall](https://sucuri.net/website-firewall/) to help virtually patch known vulnerabilities and protect their website.
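A practical way to act on a roundup like this is to compare the plugin versions a site actually runs against each advisory's affected range. The script below is an added example, not code from the Sucuri post: it encodes a handful of the entries above as printed (plugin name, CVE, affected range, patched version) and checks a constructed plugin inventory against them. It assumes plugin versions are plain dotted integers, which holds for every version in this roundup, and treats missing trailing components as zero so that `4.12` equals `4.12.0` while `1.4.2.1` is newer than `1.4.2`; the distinction between `<=` and `<` ranges (Essential Blocks is listed as `< 4.7.0`, so 4.7.0 itself is patched) is handled explicitly.

```python
"""Check installed WordPress plugin versions against advisory ranges.

Added example, not code from the Sucuri post. ADVISORIES is copied from the
roundup; INSTALLED is a constructed inventory for demonstration.
Assumption: versions are dotted integers only (no beta/rc suffixes).
"""
import re

# (plugin name, CVE, affected range as printed in the post, patched version)
ADVISORIES = [
    ("WooCommerce", "CVE-2024-39666", "<= 9.1.2", "9.1.3"),
    ("LiteSpeed Cache", "CVE-2024-28000", "<= 6.3.0.1", "6.4"),
    ("Essential Blocks", "CVE-2024-5595", "< 4.7.0", "4.7.0"),
    ("LearnPress", "CVE-2024-7548", "<= 4.2.6.9.3", "4.2.6.9.4"),
    ("FOX", "CVE-2024-43297", "<= 1.4.2", "1.4.2.1"),
    ("Ajax Search Lite", "CVE-2024-7084", "<= 4.12", "4.12.1"),
    ("Easy Digital Downloads", "CVE-2024-5057", "<= 3.2.12", "3.3.1"),
    ("Easy Digital Downloads", "CVE-2024-6692", "<= 3.3.2", "3.3.3"),
]

RANGE_RE = re.compile(r"^(<=|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(v: str) -> tuple:
    """Split a dotted version into integers; raises ValueError on anything else."""
    return tuple(int(part) for part in v.strip().split("."))


def compare_versions(a: str, b: str) -> int:
    """Component-wise comparison returning -1, 0 or 1.

    Missing trailing components count as 0, so 4.12 == 4.12.0 and
    1.4.2 < 1.4.2.1 (the FOX patch in this roundup relies on that).
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def in_affected_range(installed: str, affected: str) -> bool:
    """True if `installed` falls inside a range like '<= 9.1.2' or '< 4.7.0'."""
    m = RANGE_RE.match(affected.strip())
    if not m:
        raise ValueError(f"unrecognised range: {affected!r}")
    op, boundary = m.groups()
    cmp = compare_versions(installed, boundary)
    return cmp <= 0 if op == "<=" else cmp < 0


def find_exposed(installed: dict, advisories=ADVISORIES) -> list:
    """Return (plugin, CVE, patched version) for every advisory that still applies.

    Plugins absent from the inventory are skipped; a plugin with several
    advisories (Easy Digital Downloads here) is checked against each one.
    """
    hits = []
    for plugin, cve, affected, patched in advisories:
        version = installed.get(plugin)
        if version is not None and in_affected_range(version, affected):
            hits.append((plugin, cve, patched))
    return hits


# Constructed inventory (what a plugin listing on one site might report).
INSTALLED = {
    "WooCommerce": "9.1.3",
    "LiteSpeed Cache": "6.3.0.1",
    "Essential Blocks": "4.7.0",
    "LearnPress": "4.2.6.9.3",
    "FOX": "1.4.2.1",
    "Ajax Search Lite": "4.12",
    "Easy Digital Downloads": "3.3.1",
}

if __name__ == "__main__":
    for plugin, cve, patched in find_exposed(INSTALLED):
        print(f"{plugin}: {cve} still applies, update to {patched} or later")
```

Run against the constructed inventory, the check flags LiteSpeed Cache, LearnPress, Ajax Search Lite and Easy Digital Downloads (the latter only for CVE-2024-6692, since 3.3.1 is already past the 3.2.12 boundary of the other entry), while WooCommerce 9.1.3, Essential Blocks 4.7.0 and FOX 1.4.2.1 are correctly reported as patched.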

Related Tags: CVE-2024-6487, CVE-2024-5939, CVE-2024-6158, CVE-2024-7092, CVE-2024-7247, CVE-2024-43231, CVE-2024-5668, CVE-2024-7100, CVE-2024-43303
