Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
A new update for WordPress has been released which features security and bug fixes in WordPress 6.2.1. This latest security and maintenance release addresses a number of bug fixes and vulnerability patches, including an unauthenticated Directory Traversal vulnerability, unauthenticated Cross-Site Scripting vulnerability, and several other lower-severity vulnerabilities.
We strongly encourage you to always keep your CMS patched with the latest core updates to mitigate risk and protect your WordPress website.
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Missing Authorization to Settings Update Number of Installations: 5,000,000+ Affected Software: Elementor Website Builder <= 3.13.1 Patched Versions: Elementor Website Builder 3.13.2
Mitigation steps: Update to Elementor Website Builder plugin version 3.13.2 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-30777 Number of Installations: 2,000,000+ Affected Software: Advanced Custom Fields (ACF) <= 6.1.5 Patched Versions: Advanced Custom Fields (ACF) 6.1.6
Mitigation steps: Update to Advanced Custom Fields PRO plugin version 6.1.6 or greater.
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: Broken Authentication CVE: CVE-2023-32243 Number of Installations: 1,000,000+ Affected Software: Essential Addons for Elementor <= 5.7.1 Patched Versions: Essential Addons for Elementor 5.7.2
Mitigation steps: Update to Essential Addons for Elementor plugin version 5.7.2 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-2296 Number of Installations: 1,000,000+ Affected Software: Loginizer <= 1.7.8 Patched Versions: Loginizer 1.7.9
Mitigation steps: Update to Loginizer plugin version 1.7.9 or greater.
Security Risk: High Exploitation Level: Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-1835 Number of Installations: 900,000+ Affected Software: Ninja Forms Contact Form <= 3.6.21 Patched Versions: Ninja Forms Contact Form 3.6.22
Mitigation steps: Update to Ninja Forms Contact Form plugin version 3.6.22 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-23880 Number of Installations: 700,000+ Affected Software: ExactMetrics <= 7.14.1 Patched Versions: ExactMetrics 7.14.2
Mitigation steps: Update to ExactMetrics plugin version 7.14.2 or greater.
Security Risk: Low Exploitation Level: Requires Administrator authentication. Vulnerability: Cross-Site Scripting CVE: CVE-2023-2584 Number of Installations: 400,000+ Affected Software: PixelYourSite <= 9.3.6 Patched Versions: PixelYourSite 9.3.7
Mitigation steps: Update to PixelYourSite version 9.3.7 or greater.
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: PHP Object Injection CVE: CVE-2023-2288 Number of Installations: 300,000+ Affected Software: Otter – Gutenberg Blocks <= 2.2.5 Patched Versions: Otter – Gutenberg Blocks 2.2.6
Mitigation steps: Update to Otter – Gutenberg Blocks plugin version 2.2.6 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-25019 Number of Installations: 200,000+ Affected Software: Chaty <= 3.0 Patched Versions: Chaty 3.1
Mitigation steps: Update to Chaty plugin version 3.1 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2023-32798 Number of Installations: 200,000+ Affected Software: Simple Page Ordering <= 2.5.0 Patched Versions: Simple Page Ordering 2.5.1
Mitigation steps: Update to Simple Page Ordering plugin version 2.5.1 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control Number of Installations: 200,000+ Affected Software: MW WP Form <= 4.4.2 Patched Versions: MW WP Form 4.4.3
Mitigation steps: Update to MW WP Form plugin version 4.4.3 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2022-45354 Number of Installations: 100,000+ Affected Software: Download Monitor <= 4.7.69 Patched Versions: Download Monitor 4.7.70
Mitigation steps: Update to Download Monitor plugin version 4.7.70 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross-Site Scripting Number of Installations: 100,000+ Affected Software: Newsletter by Sendinblue <= 3.1.60 Patched Versions: Newsletter by Sendinblue 3.1.61
Mitigation steps: Update to Newsletter by Sendinblue plugin version 3.1.61 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Reflected Cross Site Scripting (XSS) CVE: CVE-2022-45366 Number of Installations: 100,000+ Affected Software: Slimstat Analytics <= 5.0.4 Patched Versions: Slimstat Analytics 5.0.5
Mitigation steps: Update to Slimstat Analytics plugin version 5.0.5 or greater.
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2023-0579 Number of Installations: 100,000+ Affected Software: YARPP <= 5.30.2 Patched Versions: YARPP 5.30.3
Mitigation steps: Update to YARPP plugin version 5.30.3 or greater.
Security Risk: Low Exploitation Level: Requires Administrator level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-2452 Number of Installations: 70,000+ Affected Software: Advanced Woo Search <= 2.77 Patched Versions: Advanced Woo Search 2.78
Mitigation steps: Update to Advanced Woo Search plugin version 2.78 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-33311 Number of Installations: 60,000+ Affected Software: Contact Form Entries <= 1.3.0 Patched Versions: Contact Form Entries 1.3.1
Mitigation steps: Update to Contact Form Entries plugin version 1.3.1 or greater.
Security Risk: High Exploitation Level: Contributor or higher level authentication required. Vulnerability: SQL Injection CVE: CVE-2023-31212 Number of Installations: 60,000+ Affected Software: Contact Form Entries <= 1.3.0 Patched Versions: Contact Form Entries 1.3.1
Mitigation steps: Update to Contact Form Entries plugin version 1.3.1 or greater.
Security Risk: Low Exploitation Level: Requires Administrator authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-33211 Number of Installations: 60,000+ Affected Software: WP-Piwik <= 1.0.27 Patched Versions: WP-Piwik 1.0.28
Mitigation steps: Update to WP-Piwik plugin version 1.0.28 or greater.
Security Risk: Low Exploitation Level: Requires Administrator level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-32515 Number of Installations: 50,000+ Affected Software: Custom Field Suite <= 2.6.2 Patched Versions: Custom Field Suite 2.6.3
Mitigation steps: Update to Custom Field Suite plugin version 2.6.3 or greater.
Security Risk: Low Exploitation Level: Requires Administrator level authentication. Vulnerability: Cross-Site Scripting Number of Installations: 50,000+ Affected Software: Ultimate Dashboard <= 3.7.5 Patched Versions: Ultimate Dashboard 3.7.6
Mitigation steps: Update to Ultimate Dashboard plugin version 3.7.6 or greater.
Security Risk: Low Exploitation Level: Requires Administrator level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-32505 Number of Installations: 40,000+ Affected Software: Easy Hide Login <= 1.0.7 Patched Versions: Easy Hide Login 1.0.8
Mitigation steps: Update to Easy Hide Login plugin version 1.0.8 or greater.
Security Risk: Low Exploitation Level: Requires Administrator level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-25459 Number of Installations: 30,000+ Affected Software: Post Snippets <= 4.0.2 Patched Versions: Post Snippets 4.0.3
Mitigation steps: Update to Post Snippets plugin version 4.0.3 or greater.
Security Risk: Low Exploitation Level: Requires Administrator level authentication. Vulnerability: SQL Injection CVE: CVE-2023-32121 Number of Installations: 30,000+ Affected Software: Zero Spam for WordPress <= 5.4.4 Patched Versions: Zero Spam for WordPress 5.4.5
Mitigation steps: Update to Zero Spam for WordPress plugin version 5.4.5 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.