Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Security Misconfiguration Number of Installations: 5,000,000+ Affected Software: WooCommerce <= 7.8.2 Patched Versions: WooCommerce 7.9.0
Mitigation steps: Update to WooCommerce plugin version 7.9.0 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Security Misconfiguration Number of Installations: 1,000,000+ Affected Software: EWWW Image Optimizer < 7.2.1 Patched Versions: EWWW Image Optimizer 7.2.1
Mitigation steps: Update to EWWW Image Optimizer plugin version 7.2.1 or greater.
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Privilege Escalation CVE: CVE-2023-41955 Number of Installations: 1,000,000+ Affected Software: Essential Addons for Elementor <= 5.8.8 Patched Versions: Essential Addons for Elementor 5.8.9
Mitigation steps: Update to Essential Addons for Elementor plugin version 5.8.9 or greater.
Security Risk: Medium Exploitation Level: Requires Editor or higher level authentication. Vulnerability: Injection Number of Installations: 600,000+ Affected Software: Enable Media Replace <= 4.1.2 Patched Versions: Enable Media Replace 4.1.3
Mitigation steps: Update to Enable Media Replace plugin version 4.1.3 or greater.
Security Risk: Low Exploitation Level: Requires Admin level authentication. Vulnerability: Cross Site Scripting (XSS) Number of Installations: 500,000+ Affected Software: GTranslate <= 3.0.3 Patched Versions: GTranslate 3.0.4
Mitigation steps: Update to GTranslate plugin version 3.0.4 or greater.
Security Risk: Medium Exploitation Level: Requires Editor or higher level authentication. Vulnerability: Injection Number of Installations: 300,000+ Affected Software: ShortPixel Image Optimizer <= 5.4.1 Patched Versions: ShortPixel Image Optimizer 5.4.2
Mitigation steps: Update to ShortPixel Image Optimizer plugin version 5.4.2 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2023-41952 Number of Installations: 300,000+ Affected Software: FluentForm <= 5.0.8 Patched Versions: FluentForm 5.0.9
Mitigation steps: Update to FluentForm plugin version 5.0.9 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Security Misconfiguration CVE: CVE-2023-4645 Number of Installations: 300,000+ Affected Software: Ad Inserter <= 2.7.30 Patched Versions: Ad Inserter 2.7.31
Mitigation steps: Update to Ad Inserter plugin version 2.7.31 or greater.
Security Risk: Low Exploitation Level: Requires Admin authentication. Vulnerability: Security Misconfiguration CVE: CVE-2023-4274 Number of Installations: 300,000+ Affected Software: WPvivid Backup and Migration <= 0.9.89 Patched Versions: WPvivid Backup and Migration 0.9.90
Mitigation steps: Update to WPvivid Backup and Migration plugin version 0.9.90 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Privilege Escalation CVE: CVE-2023-41954 Number of Installations: 200,000+ Affected Software: ProfilePress <= 4.13.1 Patched Versions: ProfilePress 4.13.2
Mitigation steps: Update to ProfilePress plugin version 4.13.2 or greater.
Security Risk: Medium Exploitation Level: Requires subscriber or higher level authentication. Vulnerability: Security Misconfiguration CVE: CVE-2023-0689 Number of Installations: 200,000+ Affected Software: Metform Elementor Contact Form Builder <= 3.3.1 Patched Versions: Metform Elementor Contact Form Builder 3.3.2
Mitigation steps: Update to Metform Elementor Contact Form Builder plugin version 3.3.2 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross-Site Scripting Number of Installations: 200,000+ Affected Software: PageLayer <= 1.7.6 Patched Versions: PageLayer 1.7.7
Mitigation steps: Update to PageLayer plugin version 1.7.7 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2023-4598 Number of Installations: 100,000+ Affected Software: Slimstat Analytics <= 5.0.9 Patched Versions: Slimstat Analytics 5.0.10
Mitigation steps: Update to Slimstat Analytics plugin version 5.0.10 or greater.
Security Risk: Medium Exploitation Level: Requires Vulnerability: Identification and Authentication Failures CVE: CVE-2023-41665 Number of Installations: 100,000+ Affected Software: GiveWP <= 2.33.0 Patched Versions: GiveWP 2.33.1
Mitigation steps: Update to GiveWP plugin version 2.33.1 or greater.
Security Risk: High Exploitation Level: No authentication level required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-39308 Number of Installations: 100,000+ Affected Software: User Feedback plugin <= 1.0.7 Patched Versions: User Feedback 1.0.8
Mitigation steps: Update to User Feedback plugin version 1.0.8 or greater.
Security Risk: Low Exploitation Level: Requires Admin or higher level authentication. Vulnerability: Arbitrary File Download CVE: CVE-2023-3664 Number of Installations: 100,000+ Affected Software: FileOrganizer <= 1.0.2 Patched Versions: FileOrganizer 1.0.3
Mitigation steps: Update to FileOrganizer plugin version 1.0.3 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Injection Number of Installations: 100,000+ Affected Software: wpDiscuz < 7.6.6 Patched Versions: wpDiscuz 7.6.6
Mitigation steps: Update to wpDiscuz plugin version 7.6.6 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Injection CVE: CVE-2023-4634 Number of Installations: 70,000+ Affected Software: Media Library Assistant <= 3.09 Patched Versions: Media Library Assistant 3.10
Mitigation steps: Update to Media Library Assistant plugin version 3.10 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Cross-Site Scripting CVE: CVE-2023-4620 Number of Installations: 60,000+ Affected Software: Booking Calendar <= 9.7.3 Patched Versions: Booking Calendar 9.7.3.1
Mitigation steps: Update to Booking Calendar plugin version 9.7.3.1 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross-Site Scripting CVE: CVE-2023-4945 Number of Installations: 60,000+ Affected Software: Booster for WooCommerce <= 7.1.0 Patched Versions: Booster for WooCommerce 7.1.1
Mitigation steps: Update to Booster for WooCommerce/ plugin version 7.1.1 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-4841 Number of Installations: 60,000+ Affected Software: Feeds for YouTube <= 2.1 Patched Versions: Feeds for YouTube 2.1.2
Mitigation steps: Update to Feeds for YouTube plugin version 2.1.2 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Injection Number of Installations: 60,000+ Affected Software: Form Maker by 10Web < 1.15.20 Patched Versions: Form Maker by 10Web 1.15.20
Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.20 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-4774 Number of Installations: 60,000+ Affected Software: Connect Matomo (WP-Matomo, WP-Piwik) <= 1.0.28 Patched Versions: Connect Matomo (WP-Matomo, WP-Piwik) 1.0.29
Mitigation steps: Update to Connect Matomo (WP-Matomo, WP-Piwik) plugin version 1.0.29 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2023-4840 Number of Installations: 50,000+ Affected Software: MapPress Maps for WordPress <= 2.88.4 Patched Versions: MapPress Maps for WordPress 2.88.5
Mitigation steps: Update to MapPress Maps for WordPress plugin version 2.88.5 or greater.
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2023-41802 Number of Installations: 40,000+ Affected Software: Super Socializer <= 7.13.54 Patched Versions: Super Socializer 7.13.55
Mitigation steps: Update to Super Socializer plugin version 7.13.55 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.