Learn about the latest WordPress Vulnerabilities and Patches to protect your website

WordPress was established in 2003 when Mike Little and Matt Mullenweg created a fork of Cafelog. The need for an elegant, well-architected personal publishing system was clear even then. Today, WordPress has become one of the most popular Content Management Systems (CMS) built on PHP and MySQL, and licensed under the GPLv2. WordPress is also the CMS of choice for over 43% of all sites across the web. 

The WordPress Open-Source project has evolved progressively, supported by skilled, enthusiastic developers, designers, scientists, bloggers, and more. WordPress provides the opportunity for anyone to create and share, from handcrafted personal anecdotes to world-changing movements.

WordPress Security - unfortunately, WordPress is also one of the most targeted CMS ecosystems for hackers and other malicious groups. Some high-profile websites like Forbes, The Guardian, and others have even been among the victims in the past years.

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website/shop compromises.

To help educate WordPress users and website owners about potential threats to their WordPress websites, shop, and blogs, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem in this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing Web and Cloud clients are already protected. If you don’t have it installed yet, you can use Sucuri's web application firewall to protect your site against known vulnerabilities.

Contact Form 7 – Reflected Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Reflected Cross-Site Scripting
CVE: CVE-2024-2242
Number of Installations: 5,000,000+
Affected Software: Contact Form 7 <= 5.9
Patched Versions: Contact Form 7 5.9.2

Mitigation steps: Update to Contact Form 7 plugin version 5.9.2 or greater.

Essential Addons for Elementor – Stored Cross-Site Scripting

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1537
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.9
Patched Versions: Essential Addons for Elementor 5.9.10

Mitigation steps: Update to Essential Addons for Elementor plugin version 5.9.10 or greater.

ElementsKit Elementor addons – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1239
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.0.4
Patched Versions: ElementsKit Elementor addons 3.0.5

Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.0.5 or greater.

Elementor Header & Footer Builder – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1237
Number of Installations: 1,000,000+
Affected Software: Elementor Header & Footer Builder <= 1.6.24
Patched Versions: Elementor Header & Footer Builder 1.6.25

Mitigation steps: Update to Elementor Header & Footer Builder plugin version 1.6.25 or greater.

ElementsKit Elementor addons – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2042
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.0.5
Patched Versions: ElementsKit Elementor addons 3.0.6

Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.0.6 or greater.

Premium Addons for Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-0326
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.17
Patched Versions: Premium Addons for Elementor 4.10.18

Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.18 or greater.

WP Statistics – Stored Cross-Site Scripting

Security Risk: High
Exploitation Level: No authentication required.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2194
Number of Installations: 600,000+
Affected Software: WP Statistics <= 14.5
Patched Versions: WP Statistics 14.5.1

Mitigation steps: Update to WP Statistics plugin version 14.5.1 or greater.

Happy Addons for Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1366
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.10.3
Patched Versions: Happy Addons for Elementor 3.10.4

Mitigation steps: Update to Happy Addons for Elementor plugin version 3.10.4 or greater.

Fluent Forms – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6957
Number of Installations: 400,000+
Affected Software: Fluent Forms <= 5.1.9
Patched Versions: Fluent Forms 5.1.10

Mitigation steps: Update to Fluent Forms plugin version 5.1.10 or greater.

WP Go Maps – Stored Cross-Site Scripting

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-4839
Number of Installations: 400,000+
Affected Software: WP Go Maps <= 9.0.32
Patched Versions: WP Go Maps 9.0.33

Mitigation steps: Update to WP Go Maps plugin version 9.0.33 or greater.

Royal Elementor Addons and Templates – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1500
Number of Installations: 300,000+
Affected Software: Royal Elementor Addons and Templates <= 1.3.91
Patched Versions: Royal Elementor Addons and Templates 1.3.92

Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.3.92 or greater.

Otter Blocks – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2226
Number of Installations: 300,000+
Affected Software: Otter Blocks <= 2.6.4
Patched Versions: Otter Blocks 2.6.5

Mitigation steps: Update to Otter Blocks plugin version 2.6.5 or greater.

Page Builder: Pagelayer – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2127
Number of Installations: 200,000+
Affected Software: Page Builder: Pagelayer <= 1.8.3
Patched Versions: Page Builder: Pagelayer 1.8.4

Mitigation steps: Update to Page Builder: Pagelayer plugin version 1.8.4 or greater.

ProfilePress – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1535
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.15.2
Patched Versions: ProfilePress 4.15.3

Mitigation steps: Update to ProfilePress plugin version 4.15.3 or greater.

Blocksy Companion – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2392
Number of Installations: 200,000+
Affected Software: Blocksy Companion <= 2.0.31
Patched Versions: Blocksy 2.0.32

Mitigation steps: Update to Blocksy Companion version 2.0.32 or greater.

Qi Addons For Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-0826
Number of Installations: 100,000+
Affected Software: Qi Addons For Elementor <= 1.6.7
Patched Versions: Qi Addons For Elementor 1.6.8

Mitigation steps: Update to Qi Addons For Elementor version 1.6.8 or greater.

Advanced Access Manager – Reflected Cross-Site Scripting

Security Risk: Medium
Exploitation Level: No authentication required.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-29127
Number of Installations: 100,000+
Affected Software: Advanced Access Manager <= 6.9.20
Patched Versions: Advanced Access Manager 6.9.21

Mitigation steps: Update to Advanced Access Manager version 6.9.21 or greater.

GiveWP –  Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1424
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.5.1
Patched Versions: GiveWP 3.6.0

Mitigation steps: Update to GiveWP version 3.6.0 or greater.

Essential Blocks – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2255
Number of Installations: 100,000+
Affected Software: Essential Blocks <= 4.5.2
Patched Versions: Essential Blocks 4.5.4

Mitigation steps: Update to Essential Blocks version 4.5.4 or greater.

WP Chat App – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1761
Number of Installations: 100,000+
Affected Software: WP Chat App <= 3.6.1
Patched Versions: WP Chat App 3.6.2

Mitigation steps: Update to WP Chat App plugin version 3.6.2 or greater.

Prime Slider – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1506
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.13.1
Patched Versions: Prime Slider 3.13.2

Mitigation steps: Update to Prime Slider plugin version 3.13.2 or greater.

Sassy Social Share – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1989
Number of Installations: 100,000+
Affected Software: Sassy Social Share <= 3.3.58
Patched Versions: Sassy Social Share 3.3.59

Mitigation steps: Update to Sassy Social Share plugin version 3.3.59 or greater.

The Plus Addons for Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1419
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 5.4.0
Patched Versions: The Plus Addons for Elementor 5.4.1

Mitigation steps: Update to The Plus Addons for Elementor plugin version 5.4.1 or greater.

Prime Slider – Addons For Elementor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1507
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.13.3
Patched Versions: Prime Slider 3.13.4

Mitigation steps: Update to Prime Slider plugin version 3.13.4 or greater.

ShopLentor – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1960
Number of Installations: 100,000+
Affected Software: ShopLentor <= 2.8.1
Patched Versions: ShopLentor 2.8.2

Mitigation steps: Update to ShopLentor plugin version 2.8.2 or greater.

HUSKY – Products Filter for WooCommerce – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1796
Number of Installations: 100,000+
Affected Software: HUSKY <= 1.3.5.1
Patched Versions: HUSKY 1.3.5.2

Mitigation steps: Update to HUSKY plugin version 1.3.5.2 or greater.

Prime Slider – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1508
Number of Installations: 100,000+
Affected Software: Prime Slider <= 3.13.2
Patched Versions: Prime Slider 3.13.3

Mitigation steps: Update to Prime Slider plugin version 3.13.3 or greater.

HT Mega – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1397
Number of Installations: 100,000+
Affected Software: HT Mega <= 2.4.6
Patched Versions: HT Mega 2.4.7

Mitigation steps: Update to HT Mega plugin version 2.4.7 or greater.

Beaver Builder – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-1080
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.7.4.4
Patched Versions: Beaver Builder 2.7.4.5

Mitigation steps: Update to Beaver Builder plugin version 2.7.4.5 or greater.

Permalink Manager Lite and Pro – Reflected Cross-Site Scripting

Security Risk: Medium
Exploitation Level: No authentication required.or greater. 
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2024-2738
Number of Installations: 80,000+
Affected Software: Permalink Manager Lite and Pro <= 2.4.3.1
Patched Versions: Permalink Manager Lite and Pro 2.4.3.2

Mitigation steps: Update to Permalink Manager version 2.4.3.2 or greater.

Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.