Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
Yoast SEO – DOM-Based XSS
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: DOM-Based Cross-Site Scripting
Number of Installations: 5,000,000+
Affected Software: Yoast SEO <= 20.2.0
Patched Versions: Yoast SEO 20.2.1
Mitigation steps: Update to Yoast SEO plugin version 20.2.1 or greater.
UpdraftPlus WordPress Backup – Broken Access Control
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
Number of Installations: 3,000,000+
Affected Software: UpdraftPlus WordPress Backup Plugin <= 1.23.2
Patched Versions: UpdraftPlus WordPress Backup Plugin 1.23.3
Mitigation steps: Update to UpdraftPlus Plugin version 1.23.3 or greater.
Cookie Notice & Compliance for GDPR / CCPA – XSS
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-24400
Number of Installations: 1,000,000+
Affected Software: Cookie Notice & Compliance for GDPR / CCPA <= 2.4.6
Patched Versions: Cookie Notice & Compliance for GDPR / CCPA 2.4.7
Mitigation steps: Update to Cookie Notice & Compliance for GDPR / CCPA plugin version 2.4.7 or greater.
Smart Slider 3 – Stored XSS
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-0660
Number of Installations: 900,000+
Affected Software: Smart Slider 3 <= 3.5.1.13
Patched Versions: Smart Slider 3 3.5.1.14
Mitigation steps: Update to Smart Slider 3 plugin version 3.5.1.14 or greater.
Popup Maker – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2022-47597
Number of Installations: 700,000+
Affected Software: Popup Maker <= 1.17.1
Patched Versions: Popup Maker 1.18.0
Mitigation steps: Update to Popup Maker plugin version 1.18.0 or greater.
Complianz GDPR/CCPA Cookie Consent – XSS
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-1069
Number of Installations: 600,000+
Affected Software: Complianz – GDPR/CCPA Cookie Consent <= 6.4.1
Patched Versions: Complianz – GDPR/CCPA Cookie Consent 6.4.2
Mitigation steps: Update to Complianz – GDPR/CCPA Cookie Consent plugin version 6.4.2 or greater.
Easy Table of Contents – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-25469
Number of Installations: 400,000+
Affected Software: Easy Table of Contents <= 2.0.45
Patched Versions: Easy Table of Contents 2.0.46
Mitigation steps: Update to Easy Table of Contents plugin version 2.0.46 or greater.
Squirrly SEO – Reflected XSS
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Reflected Cross Site Scripting (XSS)
CVE: CVE-2022-45065
Number of Installations: 200,000+
Affected Software: Squirrly SEO <= 12.1.20
Patched Versions: Squirrly SEO 12.1.21
Mitigation steps: Update to Squirrly SEO Plugin version 12.1.21 or greater.
FluentSMTP – Stored XSS
Security Risk: Medium
Exploitation Level: Requires Admin.
Vulnerability: Stored XSS via Email Logs
CVE: CVE-2023-0219
Number of Installations: 100,000+
Affected Software: FluentSMTP <= 2.2.2
Patched Versions: FluentSMTP 2.2.3
Mitigation steps: Update to FluentSMTP plugin version 2.2.3 or greater.
GiveWP – XSS
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-40211
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 2.25.1
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 2.25.2
Mitigation steps: Update to GiveWP – Donation Plugin and Fundraising Platform version 2.25.2 or greater.
Paid Memberships Pro – SQL Injection
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2023-0631
Number of Installations: 100,000+
Affected Software: Paid Memberships Pro <= 2.9.11
Patched Versions: Paid Memberships Pro 2.9.12
Mitigation steps: Update to Paid Memberships Pro plugin version 2.9.12 or greater.
Slimstat Analytics – SQL Injection
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2023-0630
Number of Installations: 100,000+
Affected Software: Slimstat Analytics <= 4.9.3.2
Patched Versions: Slimstat Analytics 4.9.3.3
Mitigation steps: Update to Slimstat Analytics plugin version 4.9.3.3 or greater.
Auto Featured Image – Arbitrary File Upload
Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Author+ Arbitrary File Upload
CVE: CVE-2023-0477
Number of Installations: 80,000+
Affected Software: Auto Featured Image (Auto Post Thumbnail) <= 3.9.15
Patched Versions: Auto Featured Image (Auto Post Thumbnail) 3.9.16
Mitigation steps: Update to Auto Featured Image plugin version 3.9.16 or greater.
Embed Any Document – XSS
Security Risk: High
Exploitation Level: Easy
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-23707
Number of Installations: 70,000+
Affected Software: Embed Any Document <= 2.7.1
Patched Versions: Embed Any Document 2.7.2
Mitigation steps: Update to Embed Any Document plugin version 2.7.2 or greater.
Bookly – Stored Cross-Site Scripting
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Stored Cross-Site Scripting
CVE: CVE-2023-1172
Number of Installations: 60,000+
Affected Software: Bookly <= 21.5.0
Patched Versions: Bookly 21.5.1
Mitigation steps: Update to Bookly plugin version 21.5.1 or greater.
User Registration – PHP Object Injection
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Authenticated PHP Object Injection
CVE: CVE-2023-27459
Number of Installations: 60,000+
Affected Software: User Registration <= 2.3.2
Patched Versions: User Registration 2.3.3
Mitigation steps: Update to User Registration plugin version 2.3.3 or greater.
Infinite Scroll – Ajax Load More – XSS
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-4466
Number of Installations: 50,000+
Affected Software: Infinite Scroll – Ajax Load More <= 5.6.0.2
Patched Versions: Infinite Scroll – Ajax Load More 5.6.0.3
Mitigation steps: Update to Infinite Scroll – Ajax Load More plugin version 5.6.0.3 or greater.
Robo Gallery – Stored XSS
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-27620
Number of Installations: 50,000+
Affected Software: Robo Gallery <= 3.2.12
Patched Versions: Robo Gallery 3.2.13
Mitigation steps: Update to Robo Gallery plugin version 3.2.13 or greater.
Jetpack CRM – Stored XSS
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-27429
Number of Installations: 40,000+
Affected Software: Jetpack CRM <= 5.5.4
Patched Versions: Jetpack CRM 5.5.4
Mitigation steps: Update to Jetpack CRM plugin version 5.5.0 or greater.
Klaviyo – Stored XSS
Security Risk: Medium
Exploitation Level: Requires Admin or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-25456
Number of Installations: 30,000+
Affected Software: Klaviyo <= 3.0.7
Patched Versions: Klaviyo 3.0.8
Mitigation steps: Update to Klaviyo plugin version 3.0.8 or greater.
GN Publisher – XSS
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-1080
Number of Installations: 30,000+
Affected Software: GN Publisher <= 1.5.5
Patched Versions: GN Publisher 1.5.6
Mitigation steps: Update to GN Publisher plugin version 1.5.6 or greater.
Ecwid Ecommerce Shopping Cart – XSS
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-24408
Number of Installations: 30,000+
Affected Software: Ecwid Ecommerce Shopping Cart <= 6.11.4
Patched Versions: Ecwid Ecommerce Shopping Cart 6.11.5
Mitigation steps: Update to Ecwid Ecommerce Shopping Cart plugin version 6.11.5 or greater.
Rife Elementor Extensions & Templates – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-27454
Number of Installations: 30,000+
Affected Software: Rife Elementor Extensions & Templates <= 1.1.10
Patched Versions: Rife Elementor Extensions & Templates 1.2.0
Mitigation steps: Update to Rife Elementor Extensions & Templates plugin version 1.2.0 or greater.
Advanced Product Labels for WooCommerce – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2022-45813
Number of Installations: 20,000+
Affected Software: Advanced Product Labels for WooCommerce <= 1.2.4
Patched Versions: Advanced Product Labels for WooCommerce 1.2.4.1
Mitigation steps: Update to Advanced Product Labels for WooCommerce plugin version 1.2.4.1 or greater.
Branda – Authenticated Stored XSS
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Stored Cross-Site Scripting
Number of Installations: 20,000+
Affected Software: Branda <= 3.4.8
Patched Versions: Branda 3.4.9
Mitigation steps: Update to Branda plugin version 3.4.9 or greater.
Load More Products for WooCommerce – Broken Access Control
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2022-45813
Number of Installations: 20,000+
Affected Software: Load More Products for WooCommerce <= 1.1.9.7
Patched Versions: Load More Products for WooCommerce 1.1.9.8
Mitigation steps: Update to Load More Products for WooCommerce plugin version 1.1.9.8 or greater.
Min and Max Quantity for WooCommerce – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2022-45813
Number of Installations: 20,000+
Affected Software: Min and Max Quantity for WooCommerce <= 1.3.2.6
Patched Versions: Min and Max Quantity for WooCommerce 1.3.2.7
Mitigation steps: Update to Min and Max Quantity for WooCommerce plugin version 1.3.2.7 or greater.
Store Locator WordPress – XSS
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-27618
Number of Installations: 10,000+
Affected Software: Store Locator WordPress <= 1.4.9
Patched Versions: Store Locator WordPress 1.4.10
Mitigation steps: Update to Store Locator WordPress plugin version 1.4.10 or greater.
eCommerce Product Catalog – Stored XSS
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Stored Cross-Site Scripting
CVE: CVE-2023-1470
Number of Installations: 10,000+
Affected Software: eCommerce Product Catalog Plugin for WordPress <= 3.3.8
Patched Versions: eCommerce Product Catalog Plugin for WordPress 3.3.9
Mitigation steps: Update to eCommerce Product Catalog plugin version 3.3.9 or greater.
Slideshow Gallery LITE – SQL Injection
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2023-28491
Number of Installations: 10,000+
Affected Software: Slideshow Gallery LITE <= 1.7.6
Patched Versions: Slideshow Gallery LITE 1.7.7
Mitigation steps: Update to Slideshow Gallery LITE plugin version 1.7.7 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.