Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
SiteGround Security – SQL injection
Security Risk: Low
Exploitation Level: Requires Admin authentication.
Vulnerability: Injection
CVE: CVE-2023-0234
Number of Installations: 700,000+
Affected Software: SiteGround Security <= 1.3.0
Patched Versions: SiteGround Security 1.3.1
User input is not properly sanitized by the plugin prior to use in an SQL query, which can lead to an authenticated SQL injection.
Mitigation steps: Update to SiteGround Security plugin version 1.3.1 or greater.
ExactMetrics – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-0082
Number of Installations: 700,000+
Affected Software: ExactMetrics <= 7.12.0
Patched Versions: ExactMetrics 7.12.1
Block options are not properly validated and escaped prior to being output on a page or post where the block is embedded, potentially allowing Contributors or higher to perform stored cross site scripting attacks.
Mitigation steps: Update to ExactMetrics plugin version 7.12.1 or greater.
Enable Media Replace – Arbitrary File Upload
Security Risk: Medium
Exploitation Level: Requires Author level authentication or higher.
Vulnerability: Arbitrary File Upload
CVE: CVE-2023-0255
Number of Installations: 600,000+
Affected Software: Enable Media Replace <= 4.0.1
Patched Versions: Enable Media Replace 4.0.2
Authors and other higher-privileged authenticated users are potentially able to upload arbitrary files to affected environments.
Mitigation steps: Update to Enable Media Replace plugin version 4.0.2 or greater.
Spectra WordPress Gutenberg Blocks – Stored Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2020-36656
Number of Installations: 400,000+
Affected Software: Spectra < 2.3.2
Patched Versions: Spectra 2.3.2
User inputs are not properly sanitized by the plugin, potentially allowing contributors and other high level authenticated users to conduct stored cross-site scripting attacks.
Mitigation steps: Update to Spectra plugin version 2.3.2 or greater.
GiveWP – SQL Injection
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Injection
CVE: CVE-2023-0224
Number of Installations: 100,000+
Affected Software: GiveWP <= 2.24.0
Patched Versions: GiveWP 2.24.1
User input is not properly escaped by the plugin, potentially allowing unauthenticated users to perform SQL injection attacks on affected websites.
Mitigation steps: Update to GiveWP plugin version 2.24.1 or greater.
Better Font Awesome – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-4512
Number of Installations: 100,000+
Affected Software: Better Font Awesome < 2.0.4
Patched Versions: Better Font Awesome 2.0.4
Shortcode attributes are not properly validated and escaped prior to outputting into a page or post where the shortcode is embedded, potentially allowing contributors or other high level authenticated users to perform stored cross site scripting attacks.
Mitigation steps: Update to Better Font Awesome plugin version 2.0.4 or greater.
LearnPress – SQL Injection
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Injection
CVE: CVE-2022-45808
Number of Installations: 100,000+
Affected Software: LearnPress <= 4.1.7.3.2
Patched Versions: LearnPress 4.2.0
User input is not properly escaped by the plugin, potentially allowing an unauthenticated user to perform SQL injection attacks on affected websites.
Mitigation steps: Update to LearnPress plugin version 4.2.0 or greater.
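The SiteGround Security, GiveWP and LearnPress entries all describe the same mistake: request data interpolated into SQL instead of being bound. The example below is added here to make that concrete; it is not code from any of those plugins. The table `wp_demo_courses`, the request values and the `DemoWpdb` class are constructed for illustration. `$wpdb->prepare()` is the real WordPress API; `DemoWpdb::prepare()` is a deliberately minimal stand-in that exists only so the file runs under plain `php` without WordPress loaded.

```php
<?php
// Added example, not code from SiteGround Security, GiveWP or LearnPress.
// Minimal stand-in for $wpdb->prepare(): %d binds an integer, %s an escaped,
// quoted string. Real plugin code uses the global $wpdb; this class exists
// only so the file runs under `php` without WordPress.
class DemoWpdb {
    public function prepare($query, ...$args) {
        $query = str_replace("'%s'", '%s', $query);   // prepare() supplies the quotes itself
        $i = 0;
        return preg_replace_callback('/%[ds]/', function ($m) use ($args, &$i) {
            $v = $args[$i++];
            if ($m[0] === '%d') {
                return (string) (int) $v;              // "0 UNION SELECT ..." becomes 0
            }
            return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], (string) $v) . "'";
        }, $query);
    }
}

// Vulnerable: request values are interpolated into SQL as-is. This is what lets an
// unauthenticated visitor turn a lookup by id into a UNION or boolean-based injection.
function demo_find_course_vulnerable($course_id, $orderby) {
    return "SELECT id, title FROM wp_demo_courses WHERE id = {$course_id} ORDER BY {$orderby}";
}

// Fixed: values are bound through prepare(). Identifiers (column names) cannot be
// bound, so the ORDER BY column is restricted to an allow-list instead of escaped.
function demo_find_course_fixed(DemoWpdb $wpdb, $course_id, $orderby) {
    $allowed = ['id', 'title', 'created'];
    $orderby = in_array($orderby, $allowed, true) ? $orderby : 'id';
    return $wpdb->prepare(
        "SELECT id, title FROM wp_demo_courses WHERE id = %d ORDER BY {$orderby}",
        $course_id
    );
}

// Constructed request values of the kind an attacker would send.
$course_id = '0 UNION SELECT user_login, user_pass FROM wp_users';
$orderby   = '(SELECT IF(SUBSTRING(user_pass,1,1)="$", id, title) FROM wp_users LIMIT 1)';

$wpdb = new DemoWpdb();
echo demo_find_course_vulnerable($course_id, $orderby), PHP_EOL;
echo demo_find_course_fixed($wpdb, $course_id, $orderby), PHP_EOL;
```

The fixed query comes out as `SELECT id, title FROM wp_demo_courses WHERE id = 0 ORDER BY id`: the UNION is reduced to an integer by `%d` and the subquery in `ORDER BY` is replaced by the default column. Escaping alone (`esc_sql()`) would not have protected the integer or the identifier position, which is why binding plus allow-listing is the pattern to look for when reviewing a plugin.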
Royal Elementor Addons and Templates – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-4710
Number of Installations: 100,000+
Affected Software: Royal Elementor <= 1.3.59
Patched Versions: Royal Elementor 1.3.60
A parameter is not properly escaped before being output by the plugin, potentially allowing an unauthenticated attacker to inject arbitrary code and perform reflected cross-site scripting attacks on affected websites.
Mitigation steps: Update to Royal Elementor plugin version 1.3.60 or greater.
Strong Testimonials – Stored Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-4717
Number of Installations: 100,000+
Affected Software: Strong Testimonials <= 3.0.2
Patched Versions: Strong Testimonials 3.0.3
Some shortcode attributes are not properly validated and escaped prior to being outputted back into a page, potentially allowing a Contributor or other user with high level authentication to perform stored cross site scripting attacks.
Mitigation steps: Update to Strong Testimonials plugin version 3.0.3 or greater.
HUSKY (formerly WOOF) – PHP Object Injection
Security Risk: Low
Exploitation Level: Requires Admin authentication.
Vulnerability: Injection
CVE: CVE-2022-4489
Number of Installations: 100,000+
Affected Software: HUSKY (formerly WOOF) < 1.3.2
Patched Versions: HUSKY (formerly WOOF) 1.3.2
User input provided in the plugin settings is passed to unserialize(), potentially allowing admins or other high privilege users to perform PHP object injection.
Mitigation steps: Update to HUSKY plugin version 1.3.2 or greater.
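The HUSKY finding is rated Low because it needs an administrator, but the mechanism is worth seeing: any `unserialize()` of attacker-controlled data instantiates whatever objects the string names, so as soon as a class with a side-effecting magic method is loadable, a settings field becomes a code-execution path (and an admin's browser can be made to submit that field via CSRF). The example below is added here and is not HUSKY's code. `DemoLogWriter` is a constructed gadget class standing in for whatever happens to be on the autoload path, the settings string is a hand-built payload, and the fix uses PHP's real `allowed_classes` option (PHP 7.0 and later).

```php
<?php
// Added example, not HUSKY's code. Runs under plain `php`.

// Constructed gadget: stands in for any loaded class whose magic method has side
// effects (logging, caching and templating classes in plugins and libraries are
// the usual suspects).
class DemoLogWriter {
    public $path = '';
    public $data = '';
    public function __destruct() {
        // Fires when the object is released, i.e. right after unserialize() hands it
        // back and the caller discards it. A real gadget would do
        // file_put_contents($this->path, $this->data) here.
        echo "[gadget] __destruct would write to {$this->path}: {$this->data}", PHP_EOL;
    }
}

// Vulnerable: a settings value saved from a form is stored serialized and rebuilt
// with unserialize(). Every object in the string is instantiated with
// attacker-chosen properties, so whoever controls the string controls the gadget.
function demo_load_settings_vulnerable($stored) {
    return unserialize($stored);
}

// Fixed: allowed_classes => false turns every object in the payload into a
// __PHP_Incomplete_Class, which has no magic methods, so only scalars and arrays
// survive. Better still, store settings as JSON and never unserialize user data.
function demo_load_settings_fixed($stored) {
    $settings = unserialize($stored, ['allowed_classes' => false]);
    return is_array($settings) ? $settings : [];
}

// Hand-built payload: an attacker writes this without needing the class source.
// O:<len>:"<class>":<n>:{<properties>} with attacker-chosen path and data.
$payload = 'O:13:"DemoLogWriter":2:{s:4:"path";s:17:"/tmp/backdoor.php";s:4:"data";s:8:"<?php ?>";}';

$obj = demo_load_settings_vulnerable($payload);
echo 'vulnerable: got an object of class ' . get_class($obj), PHP_EOL;
unset($obj);                                   // the gadget's __destruct runs here

$safe = demo_load_settings_fixed($payload);
echo 'fixed: got ' . var_export($safe, true), PHP_EOL;   // an empty array, no gadget run
```

When auditing a plugin, grep for `unserialize(` and `maybe_unserialize(` on anything that came from a request, an option an untrusted role can edit, a cookie or a remote feed; `allowed_classes => false` is the cheap fix, replacing the format with `json_decode()` is the durable one.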
WP Show Posts – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-4459
Number of Installations: 100,000+
Affected Software: WP Show Posts <= 1.1.3
Patched Versions: WP Show Posts 1.1.4
Some shortcode attributes are not properly validated and escaped prior to outputting back into a page, potentially allowing a Contributor or other high level authenticated user to perform stored cross site scripting attacks on affected websites.
Mitigation steps: Update to WP Show Posts plugin version 1.1.4 or greater.
Widgets for Google Reviews – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-4470
Number of Installations: 100,000+
Affected Software: Widgets for Google Reviews < 9.8
Patched Versions: Widgets for Google Reviews 9.8
Some shortcode attributes are not properly validated and escaped prior to outputting back into a page, potentially allowing a Contributor or other high level authenticated user to perform stored cross site scripting attacks on affected websites.
Mitigation steps: Update to Widgets for Google Reviews plugin version 9.8 or greater.
Simple Sitemap – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-4472
Number of Installations: 90,000+
Affected Software: Simple Sitemap < 3.5.8
Patched Versions: Simple Sitemap 3.5.8
Some shortcode attributes are not properly validated and escaped prior to outputting back into a page, potentially allowing a Contributor or other high level authenticated user to perform stored cross site scripting attacks on affected websites.
Mitigation steps: Update to Simple Sitemap plugin version 3.5.8 or greater.
Contextual Related Posts – Stored Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-0252
Number of Installations: 70,000+
Affected Software: Contextual Related Posts < 3.3.1
Patched Versions: Contextual Related Posts 3.3.1
User supplied attributes are not sufficiently sanitized or escaped, potentially allowing Contributors and other high level authenticated users to perform stored cross site scripting attacks.
Mitigation steps: Update to Contextual Related Posts plugin version 3.3.1 or greater.
Stream – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber level authentication or higher.
Vulnerability: Broken Access Control
CVE: CVE-2022-4384
Number of Installations: 70,000+
Affected Software: Stream < 3.9.2
Patched Versions: Stream 3.9.2
Low privilege users (such as Subscribers) are allowed to access and utilize the alert creation functionality, potentially leaking sensitive information from affected websites.
Mitigation steps: Update to Stream plugin version 3.9.2 or greater.
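The Stream issue is the generic WordPress access-control mistake: a handler hooked to `wp_ajax_*` (or a REST route whose `permission_callback` only checks for a logged-in user) is reachable by every account, Subscribers included, unless the handler itself checks a capability. The example below is added here and is not Stream's code. The `demo_create_alert` handler, the request and the current-user stand-in are constructed; `current_user_can()` and `wp_verify_nonce()` are the real WordPress functions that the stand-ins replace so the file runs under plain `php`.

```php
<?php
// Added example, not Stream's code. Stand-ins so this runs under `php` without
// WordPress; inside WordPress the real functions are already defined and used.
$GLOBALS['demo_current_user'] = ['caps' => ['read']];      // a Subscriber: can read, nothing else
if (!function_exists('current_user_can')) {
    function current_user_can($cap) {
        return in_array($cap, $GLOBALS['demo_current_user']['caps'], true);
    }
}
if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce($nonce, $action) {
        // Real nonces are keyed hashes bound to the user and a time window; a fixed
        // derivation stands in here so the demo is deterministic.
        return hash_equals(hash('sha256', 'demo-secret|' . $action), (string) $nonce);
    }
}

// Vulnerable: registered with add_action('wp_ajax_demo_create_alert', ...), which
// WordPress exposes to every logged-in user. Nothing here asks who is calling, so a
// Subscriber can create alerts and receive whatever they report on.
function demo_create_alert_vulnerable(array $request) {
    return ['status' => 201, 'alert' => ['query' => $request['query'], 'notify' => $request['email']]];
}

// Fixed: authorise first (capability), then check intent (nonce, which defeats CSRF),
// then validate the input. The capability check is the one a Subscriber cannot pass;
// a nonce alone would not stop a Subscriber who has a valid session of their own.
function demo_create_alert_fixed(array $request) {
    if (!current_user_can('manage_options')) {
        return ['status' => 403, 'error' => 'insufficient_capability'];
    }
    if (!wp_verify_nonce($request['nonce'] ?? '', 'demo_create_alert')) {
        return ['status' => 403, 'error' => 'bad_nonce'];
    }
    if (!filter_var($request['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        return ['status' => 400, 'error' => 'invalid_email'];
    }
    return ['status' => 201, 'alert' => ['query' => $request['query'], 'notify' => $request['email']]];
}

// Constructed request sent from a Subscriber's session.
$request = ['query' => 'user_role=administrator', 'email' => 'attacker@example.com'];

var_export(demo_create_alert_vulnerable($request)); echo PHP_EOL;   // 201: alert created
var_export(demo_create_alert_fixed($request));      echo PHP_EOL;   // 403: insufficient_capability
```

The same check belongs in REST routes as the `permission_callback`, and the capability should be the narrowest one that fits the action rather than a blanket `is_user_logged_in()`.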
Customer Reviews for WooCommerce – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-0079
Number of Installations: 50,000+
Affected Software: Customer Reviews for WooCommerce < 5.17.0
Patched Versions: Customer Reviews for WooCommerce 5.17.0
Some shortcode attributes are not properly validated and escaped prior to outputting back into a page, potentially allowing a Contributor or other high level authenticated user to perform stored cross site scripting attacks on affected websites.
Mitigation steps: Update to Customer Reviews for WooCommerce plugin version 5.17.0 or greater.
Themify Portfolio Post – Stored Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-0362
Number of Installations: 50,000+
Affected Software: Themify Portfolio Post < 1.2.2
Patched Versions: Themify Portfolio Post 1.2.2
Some shortcode attributes are not properly validated and escaped prior to outputting back into a page, potentially allowing a Contributor or other high level authenticated user to perform stored cross site scripting attacks on affected websites.
Mitigation steps: Update to Themify Portfolio Post plugin version 1.2.2 or greater.
Spotlight Social Media Feeds – Stored Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-0379
Number of Installations: 50,000+
Affected Software: Spotlight Social Media Feeds < 1.4.3
Patched Versions: Spotlight Social Media Feeds 1.4.3
Some block options are not properly validated or escaped prior to being outputted back into a page or post where the block is embedded, potentially allowing Contributors or higher authenticated users to perform stored cross site scripting attacks.
Mitigation steps: Update to Spotlight Social Media Feeds plugin version 1.4.3 or greater.
RSS Aggregator by Feedzy – Stored Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor level authentication or higher.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-4667
Number of Installations: 50,000+
Affected Software: RSS Aggregator by Feedzy < 4.1.1
Patched Versions: RSS Aggregator by Feedzy 4.1.1
Some block options are not properly validated or escaped prior to being outputted back into a page where the block is embedded, potentially allowing Contributors or higher authenticated users to perform stored cross site scripting attacks.
Mitigation steps: Update to RSS Aggregator by Feedzy plugin version 4.1.1 or greater.
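Most of the entries on this page (ExactMetrics, Spectra, Better Font Awesome, Strong Testimonials, WP Show Posts, Widgets for Google Reviews, Simple Sitemap, Contextual Related Posts, Customer Reviews for WooCommerce, Themify Portfolio Post, Spotlight Social Media Feeds and Feedzy) are the same bug: a shortcode attribute or block option written into markup without being constrained or escaped. The example below is added here to show that bug next to its fix; it is not code from any of those plugins. The `demo_icon` shortcode, its attributes and the payload are constructed for illustration. `shortcode_atts()`, `esc_attr()` and `esc_html()` are the real WordPress functions; the stand-ins at the top exist only so the file runs under plain `php` without WordPress loaded.

```php
<?php
// Added example, not code from any plugin listed on this page.
// Stand-ins so the file runs under `php` without WordPress; inside WordPress
// these functions already exist and the stand-ins are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        $atts = (array) $atts;
        $out  = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable handler: attribute values go straight into the markup.
// KSES does not help: a Contributor cannot post raw HTML, but the text inside
// [demo_icon ...] is not HTML, so it survives filtering and only becomes HTML
// when the shortcode runs while an editor or admin views the post.
function demo_icon_shortcode_vulnerable($atts) {
    $a = shortcode_atts(['name' => 'star', 'size' => '16', 'label' => ''], $atts);
    return '<i class="icon-' . $a['name'] . '" style="font-size:' . $a['size'] . 'px">'
         . $a['label'] . '</i>';
}

// Hardened handler: constrain each attribute to what it is supposed to be
// (allow-list, integer range), then escape for the exact context it lands in:
// esc_attr() inside an attribute, esc_html() in a text node.
function demo_icon_shortcode_fixed($atts) {
    $a = shortcode_atts(['name' => 'star', 'size' => '16', 'label' => ''], $atts);
    $name = preg_match('/^[a-z0-9-]{1,40}$/', $a['name']) ? $a['name'] : 'star';
    $size = max(8, min(128, (int) $a['size']));
    return '<i class="icon-' . esc_attr($name) . '" style="font-size:' . $size . 'px">'
         . esc_html($a['label']) . '</i>';
}

// Constructed attacker input: what a Contributor could save in a draft that a
// higher-privileged user later previews or publishes.
$atts = [
    'name'  => 'star" onmouseover="alert(document.cookie)',
    'size'  => '16px;background:url(javascript:1)',
    'label' => '<img src=x onerror=alert(1)>',
];

echo demo_icon_shortcode_vulnerable($atts), PHP_EOL;   // three live injection points
echo demo_icon_shortcode_fixed($atts), PHP_EOL;        // name reset, size clamped, label inert
```

The vulnerable output carries an `onmouseover` handler, a CSS injection and an `<img onerror>` element; the hardened output is `<i class="icon-star" style="font-size:16px">&lt;img src=x onerror=alert(1)&gt;</i>`. Validation before escaping matters because escaping alone would still let an attacker choose any class name or CSS value; escaping after validation matters because an allow-list on one attribute says nothing about the others.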
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.