WordPress Vulnerability & Patch Roundup June 2023
2023-6-27 23:11:20 Author: blog.sucuri.net

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.


Jetpack – Arbitrary File Overwrite

Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
Number of Installations: 5,000,000+
Affected Software: Jetpack <= 12.1.0
Patched Versions: Jetpack 12.1.1

Mitigation steps: Update to Jetpack plugin version 12.1.1 or greater.


WooCommerce Stripe Payment Gateway – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-35049
Number of Installations: 900,000+
Affected Software: WooCommerce Stripe Payment Gateway <= 7.4.0
Patched Versions: WooCommerce Stripe Payment Gateway 7.4.1

Mitigation steps: Update to WooCommerce Stripe Payment Gateway version 7.4.1 or greater.


Password Protected – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Admin authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-32580
Number of Installations: 300,000+
Affected Software: Password Protected <= 2.6.2
Patched Versions: Password Protected 2.6.3

Mitigation steps: Update to Password Protected plugin version 2.6.3 or greater.


Photo Gallery by 10Web – Broken Access Control

Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-33995
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.15
Patched Versions: Photo Gallery by 10Web 1.8.16

Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.16 or greater.


Unlimited Elements For Elementor – Arbitrary File Upload

Security Risk: High
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Security Misconfiguration
CVE: CVE-2023-31231
Number of Installations: 200,000+
Affected Software: Unlimited Elements For Elementor <= 1.5.65
Patched Versions: Unlimited Elements For Elementor 1.5.66

Mitigation steps: Update to Unlimited Elements For Elementor plugin version 1.5.66 or greater.


Metform Elementor Contact Form Builder – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-0708
Number of Installations: 200,000+
Affected Software: Metform Elementor Contact Form Builder <= 3.3.1
Patched Versions: Metform Elementor Contact Form Builder 3.3.1

Mitigation steps: Update to Metform Elementor Contact Form Builder plugin version 3.3.1 or greater.


Social Media Share Buttons & Social Sharing Icons – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-1166
Number of Installations: 200,000+
Affected Software: Social Media Share Buttons & Social Sharing Icons <= 2.8.2
Patched Versions: Social Media Share Buttons & Social Sharing Icons 2.8.2

Mitigation steps: Update to Social Media Share Buttons & Social Sharing Icons plugin version 2.8.2 or greater.


WP Mail Logging – Cross-Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-3081
Number of Installations: 200,000+
Affected Software: WP Mail Logging <= 1.11.0
Patched Versions: WP Mail Logging 1.11.2

Mitigation steps: Update to WP Mail Logging plugin version 1.11.2 or greater.


Download Monitor – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2023-34007
Number of Installations: 100,000+
Affected Software: Download Monitor <= 4.8.3
Patched Versions: Download Monitor 4.8.4

Mitigation steps: Update to Download Monitor plugin version 4.8.4 or greater.


WooCommerce Square – Insecure Direct Object References (IDOR)

Security Risk: High
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2023-35876
Number of Installations: 100,000+
Affected Software: WooCommerce Square <= 3.8.1
Patched Versions: WooCommerce Square 3.8.2

Mitigation steps: Update to WooCommerce Square plugin version 3.8.2 or greater.


Download Manager – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-1524
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.2.70
Patched Versions: Download Manager 3.2.71

Mitigation steps: Update to Download Manager plugin version 3.2.71 or greater.


Download Monitor – Arbitrary File Upload

Security Risk: High
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Injection
CVE: CVE-2023-31219
Number of Installations: 100,000+
Affected Software: Download Monitor <= 4.8.1
Patched Versions: Download Monitor 4.8.2

Mitigation steps: Update to Download Monitor plugin version 4.8.2 or greater.


FiboSearch – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-2450
Number of Installations: 100,000+
Affected Software: FiboSearch <= 1.23.0
Patched Versions: FiboSearch 1.24.0

Mitigation steps: Update to FiboSearch plugin version 1.24.0 or greater.


Tutor LMS – SQL Injection

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Injection
CVE: CVE-2023-25700
Number of Installations: 70,000+
Affected Software: Tutor LMS <= 2.1.9
Patched Versions: Tutor LMS 2.2.0

Mitigation steps: Update to Tutor LMS plugin version 2.2.0 or greater.


Conditional Menus – Cross-Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-2654
Number of Installations: 70,000+
Affected Software: Conditional Menus <= 1.2.0
Patched Versions: Conditional Menus 1.2.1

Mitigation steps: Update to Conditional Menus plugin version 1.2.1 or greater.


VK Blocks – Auth. Settings Update

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-0583
Number of Installations: 70,000+
Affected Software: VK Blocks <= 1.57.1.1
Patched Versions: VK Blocks 1.57.1.2

Mitigation steps: Update to VK Blocks plugin version 1.57.1.2 or greater.


Visual Composer – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Multiple Cross-Site Scripting (XSS)
CVE: CVE-2020-36722
Number of Installations: 70,000+
Affected Software: Visual Composer <= 26.0
Patched Versions: Visual Composer 27.0

Mitigation steps: Update to Visual Composer plugin version 27.0 or greater.


Dokan – PHP Object Injection

Security Risk: Medium
Exploitation Level: Shop manager authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2023-34382
Number of Installations: 60,000+
Affected Software: Dokan <= 3.7.19
Patched Versions: Dokan 3.7.20

Mitigation steps: Update to Dokan plugin version 3.7.20 or greater.


PowerPress Podcasting – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross-Site Scripting (XSS)
Number of Installations: 40,000+
Affected Software: PowerPress Podcasting <= 10.2.3
Patched Versions: PowerPress Podcasting 10.2.4

Mitigation steps: Update to PowerPress Podcasting plugin version 10.2.4 or greater.


Dynamic Visibility for Elementor – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-35046
Number of Installations: 40,000+
Affected Software: Dynamic Visibility for Elementor <= 5.0.5
Patched Versions: Dynamic Visibility for Elementor 5.0.6

Mitigation steps: Update to Dynamic Visibility for Elementor plugin version 5.0.6 or greater.


Super Socializer – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-35882
Number of Installations: 40,000+
Affected Software: Super Socializer <= 7.13.52
Patched Versions: Super Socializer 7.13.53

Mitigation steps: Update to Super Socializer plugin version 7.13.53 or greater.


Gutenverse – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-35875
Number of Installations: 30,000+
Affected Software: Gutenverse – Gutenberg Blocks – Page Builder for Site Editor <= 1.8.5
Patched Versions: Gutenverse – Gutenberg Blocks – Page Builder for Site Editor 1.8.6

Mitigation steps: Update to Gutenverse plugin version 1.8.6 or greater.


Abandoned Cart Lite for WooCommerce – Authentication Bypass

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2023-2986
Number of Installations: 30,000+
Affected Software: Abandoned Cart Lite for WooCommerce <= 5.14.0
Patched Versions: Abandoned Cart Lite for WooCommerce 5.15.0

Mitigation steps: Update to Abandoned Cart Lite for WooCommerce version 5.15.0 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.


Article source: https://blog.sucuri.net/2023/06/wordpress-vulnerability-patch-roundup-june-2023.html