Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
All-In-One Security (AIOS) – Directory Traversal
Security Risk: Low
Exploitation Level: Requires Admin or other high level authentication.
Vulnerability Type: Sensitive Data Exposure
Number of Installations: 1,000,000+
Affected Software: All-In-One Security (AIOS) – Security and Firewall <= 5.1.4
Patched Versions: All-In-One Security (AIOS) – Security and Firewall 5.1.5
The plugin is vulnerable to directory traversal potentially allowing Admins to read the contents of arbitrary files on the server.
Mitigation steps: Update to All-In-One Security (AIOS) plugin version 5.1.5 or greater.
Rank Math SEO – Local File Inclusion
Security Risk: High
Exploitation Level: Requires Contributor role or higher level authentication.
Vulnerability Type: Local File Inclusion vulnerability
CVE: CVE-2023-23888
Number of Installations: 1,000,000+
Affected Software: Rank Math SEO <= 1.0.107.2
Patched Versions: Rank Math SEO 1.0.107.3
The vulnerability allows an attacker to include local files from the victim’s site and display their contents on screen, potentially allowing a complete takeover of the database if the attacker is able to read files that store credentials.
Mitigation steps: Update to Rank Math SEO plugin version 1.0.107.3 or greater.
WordPress Shortcodes Ultimate – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability Type: Cross Site Scripting (XSS)
CVE: CVE-2023-25040
Number of Installations: 700,000+
Affected Software: Shortcodes Ultimate <= 5.12.6
Patched Versions: Shortcodes Ultimate 5.12.7
Mitigation steps: Update to Shortcodes Ultimate plugin version 5.12.7 or greater.
Redirection for Contact Form 7 – Privilege Escalation
Security Risk: High
Vulnerability Type: Broken Access Control
CVE: CVE-2023-23990
Number of Installations: 300,000+
Affected Software: Redirection for Contact Form 7 <= 2.7.9
Patched Versions: Redirection for Contact Form 7 2.8.0
Mitigation steps: Update to Redirection for Contact Form 7 plugin version 2.8.0 or greater.
Plugin for Google Reviews – SQL Injection
Security Risk: Critical
Exploitation Level: Subscriber or other high level authentication required.
Vulnerability Type: Injection
CVE: CVE-2022-44580
Number of Installations: 100,000+
Affected Software: Plugin for Google Reviews <= 2.2.3
Patched Versions: Plugin for Google Reviews 2.2.4
Mitigation steps: Update to Plugin for Google Reviews version 2.2.4 or greater.
Profile Builder – Sensitive Information Disclosure
Security Risk: High
Exploitation Level: Subscriber or other high level authentication required.
Vulnerability Type: Sensitive Information Disclosure
CVE: CVE-2023-0814
Number of Installations: 60,000+
Affected Software: Profile Builder <= 3.9.0
Patched Versions: Profile Builder 3.9.1
Mitigation steps: Update to Profile Builder plugin version 3.9.1 or greater.
Ocean Extra – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Contributor or other high level authentication required.
Vulnerability Type: Cross Site Scripting (XSS)
CVE: CVE-2023-24399
Number of Installations: 700,000+
Affected Software: Ocean Extra <= 2.1.2
Patched Versions: Ocean Extra 2.1.3
Mitigation steps: Update to Ocean Extra plugin version 2.1.3 or greater.
ProfilePress – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required
Vulnerability Type: Cross Site Scripting (XSS)
CVE: CVE-2023-23820
Number of Installations: 300,000+
Affected Software: ProfilePress <= 4.5.4
Patched Versions: ProfilePress 4.5.5
Mitigation steps: Update to ProfilePress version 4.5.5 or greater.
VK All in One Expansion Unit – Stored Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or other high level authentication.
Vulnerability Type: Cross Site Scripting
CVE: CVE-2023-0230
Number of Installations: 100,000+
Affected Software: VK All in One Expansion Unit <= 9.86.0.0
Patched Versions: VK All in One Expansion Unit 9.86.0.0
Mitigation steps: Update to VK All in One Expansion Unit plugin version 9.86.0.0 or greater.
Metform Elementor Contact Form Builder – Stored XSS
Security Risk: CriticalHigh
Exploitation Level: No authentication required.
Vulnerability Type: Cross Site Scripting
CVE: CVE-2023-0084
Number of Installations: 100,000+
Affected Software: Metform Elementor Contact Form Builder <= 3.1.2
Patched Versions: Metform Elementor Contact Form Builder 3.2.0
Mitigation steps: Update to Metform Elementor Contact Form Builder plugin version 3.2.0 or greater.
Media Library Assistant – SQL Injection
Security Risk: LowMedium
Exploitation Level: Requires Admin.
Vulnerability Type: Injection
CVE: CVE-2023-0279
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.05
Patched Versions: Media Library Assistant 3.06
Mitigation steps: Update to Media Library Assistant plugin version 3.06 or greater.
wpDataTables – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or other high level authentication.
Vulnerability Type: Cross Site Scripting (XSS)
CVE: CVE-2023-23876
Number of Installations: 70,000+
Affected Software: wpDataTables <= 2.1.49
Patched Versions: wpDataTables 2.1.50
Mitigation steps: Update to wpDataTables plugin version 2.1.50 or greater.
Profile Builder – Sensitive Information Disclosure
Security Risk: Medium
Exploitation Level:
Vulnerability Type: Sensitive Information Disclosure
CVE: CVE-2023-0814
Number of Installations: 60,000+
Affected Software: Profile Builder <= 3.9.0
Patched Versions: Profile Builder 3.9.1
Mitigation steps: Update to Profile Builder – User Profile & User Registration Forms plugin version 3.9.1 or greater.
Table Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator permissions
Vulnerability Type: Cross Site Scripting (XSS)
CVE: CVE-2022-46852
Number of Installations: 60,000+
Affected Software: WP Table Builder – WordPress Table Plugin <= 1.4.6
Patched Versions: WP Table Builder – WordPress Table Plugin 1.4.7
Mitigation steps: Update to Table Builder version 1.4.7 or greater.
Print Invoice & Delivery Notes for WooCommerce – Reflected XSS
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability Type: Cross Site Scripting (XSS)
CVE: CVE-2023-0479
Number of Installations: 40,000+
Affected Software: Print Invoice & Delivery Notes for WooCommerce <= 4.7.1
Patched Versions: Print Invoice & Delivery Notes for WooCommerce 4.7.2
Mitigation steps: Update to Print Invoice & Delivery Notes for WooCommerce plugin version 4.7.2 or greater.
Ditty – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or other high level authentication.
Vulnerability Type: Cross Site Scripting (XSS)
CVE: CVE-2023-23874
Number of Installations: 40,000+
Affected Software: Ditty WordPress Plugin <= 3.0.32
Patched Versions: Ditty WordPress Plugin 3.0.33
Mitigation steps: Update to Ditty plugin version 3.0.33 or greater.
Quiz And Survey Master – Arbitrary Media Deletion
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability Type: Arbitrary Media Deletion
CVE: CVE-2023-0291
Number of Installations: 40,000+
Affected Software: Quiz And Survey Master for WordPress <= 8.0.8
Patched Versions: Quiz And Survey Master for WordPress 8.0.9
Mitigation steps: Update to Quiz And Survey Master plugin version 8.0.9 or greater.
All-In-One Floating Contact Form – SQL Injection
Security Risk: Medium
Exploitation Level: Authenticated (Admin+)
Vulnerability Type: SQL Injection
CVE: CVE-2023-0487
Number of Installations: 40,000+
Affected Software: All-In-One Floating Contact Form <= 2.0.8
Patched Versions: All-In-One Floating Contact Form 2.0.9
Mitigation steps: Update to All-In-One Floating Contact Form plugin version 2.0.9 or greater.
Visualizer: Tables and Charts Manager – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or other high level authentication.
Vulnerability Type: Cross Site Scripting (XSS)
CVE: CVE-2023-23708
Number of Installations: 40,000+
Affected Software: Visualizer: Tables and Charts Manager for WordPress <= 3.9.3
Patched Versions: Visualizer: Tables and Charts Manager for WordPress 3.9.4
Mitigation steps: Update to Visualizer: Tables and Charts Manager for WordPress plugin version 3.9.4 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.