WordPress Vulnerability & Patch Roundup March 2023

  • March 30, 2023
WordPress Patch & Vulnerability Round up March 2023

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.

Yoast SEO – DOM-Based XSS

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: DOM-Based Cross-Site Scripting
Number of Installations: 5,000,000+
Affected Software: Yoast SEO <= 20.2.0
Patched Versions: Yoast SEO 20.2.1

Mitigation steps: Update to Yoast SEO plugin version 20.2.1 or greater.

UpdraftPlus WordPress Backup – Broken Access Control

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
Number of Installations: 3,000,000+
Affected Software: UpdraftPlus WordPress Backup Plugin <= 1.23.2
Patched Versions: UpdraftPlus WordPress Backup Plugin 1.23.3

Mitigation steps: Update to UpdraftPlus Plugin version 1.23.3 or greater.

Cookie Notice & Compliance for GDPR / CCPA – XSS

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-24400
Number of Installations: 1,000,000+
Affected Software: Cookie Notice & Compliance for GDPR / CCPA <= 2.4.6
Patched Versions: Cookie Notice & Compliance for GDPR / CCPA 2.4.7

Mitigation steps: Update to Cookie Notice & Compliance for GDPR / CCPA plugin version 2.4.7 or greater.

Smart Slider 3 – Stored XSS

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-0660
Number of Installations: 900,000+
Affected Software: Smart Slider 3 <= 3.5.1.13
Patched Versions: Smart Slider 3 3.5.1.14

Mitigation steps: Update to Smart Slider 3 plugin version 3.5.1.14 or greater.

Popup Maker – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2022-47597
Number of Installations: 700,000+
Affected Software: Popup Maker <= 1.17.1
Patched Versions: Popup Maker 1.18.0

Mitigation steps: Update to Popup Maker plugin version 1.18.0 or greater.

Complianz GDPR/CCPA Cookie Consent – XSS

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-1069
Number of Installations: 600,000+
Affected Software: Complianz – GDPR/CCPA Cookie Consent <= 6.4.1
Patched Versions: Complianz – GDPR/CCPA Cookie Consent 6.4.2

Mitigation steps: Update to Complianz – GDPR/CCPA Cookie Consent plugin version 6.4.2 or greater.

Easy Table of Contents – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or other high level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-25469
Number of Installations: 400,000+
Affected Software: Easy Table of Contents <= 2.0.45
Patched Versions: Easy Table of Contents 2.0.46

Mitigation steps: Update to Easy Table of Contents plugin version 2.0.46 or greater.

Squirrly SEO – Reflected XSS

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Reflected Cross Site Scripting (XSS)
CVE: CVE-2022-45065
Number of Installations: 200,000+
Affected Software: Squirrly SEO <= 12.1.20
Patched Versions: Squirrly SEO 12.1.21

Mitigation steps: Update to Squirrly SEO Plugin version 12.1.21 or greater.

FluentSMTP – Stored XSS

Security Risk: Medium
Exploitation Level: Requires Admin.
Vulnerability: Stored XSS via Email Logs
CVE: CVE-2023-0219
Number of Installations: 100,000+
Affected Software: FluentSMTP <= 2.2.2
Patched Versions: FluentSMTP 2.2.3

Mitigation steps: Update to FluentSMTP plugin version 2.2.3 or greater.

GiveWP – XSS

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-40211
Number of Installations: 100,000+
Affected Software: GiveWP - Donation Plugin and Fundraising Platform <= 2.25.1
Patched Versions: GiveWP - Donation Plugin and Fundraising Platform 2.25.2

Mitigation steps: Update to GiveWP – Donation Plugin and Fundraising Platform version 2.25.2 or greater.

Paid Memberships Pro – SQL Injection

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2023-0631
Number of Installations: 100,000+
Affected Software: Paid Memberships Pro <= 2.9.11
Patched Versions: Paid Memberships Pro 2.9.12

Mitigation steps: Update to Paid Memberships Pro plugin version 2.9.12 or greater.

Slimstat Analytics – SQL Injection

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2023-0630
Number of Installations: 100,000+
Affected Software: Slimstat Analytics <= 4.9.3.2
Patched Versions: Slimstat Analytics 4.9.3.3

Mitigation steps: Update to Slimstat Analytics plugin version 4.9.3.3 or greater.

Auto Featured Image – Arbitrary File Upload

Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Author+ Arbitrary File Upload
CVE: CVE-2023-0477
Number of Installations: 80,000+
Affected Software: Auto Featured Image (Auto Post Thumbnail) <= 3.9.15
Patched Versions: Auto Featured Image (Auto Post Thumbnail) 3.9.16

Mitigation steps: Update to Auto Featured Image plugin version 3.9.16 or greater.

Embed Any Document – XSS

Security Risk: High
Exploitation Level: Easy
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-23707
Number of Installations: 70,000+
Affected Software: Embed Any Document <= 2.7.1
Patched Versions: Embed Any Document 2.7.2

Mitigation steps: Update to Embed Any Document plugin version 2.7.2 or greater.

Bookly – Stored Cross-Site Scripting

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Stored Cross-Site Scripting
CVE: CVE-2023-1172
Number of Installations: 60,000+
Affected Software: Bookly <= 21.5.0
Patched Versions: Bookly 21.5.1

Mitigation steps: Update to Bookly plugin version 21.5.1 or greater.

User Registration – PHP Object Injection

Security Risk: High
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Authenticated PHP Object Injection
CVE: CVE-2023-27459
Number of Installations: 60,000+
Affected Software: User Registration <= 2.3.2
Patched Versions: User Registration 2.3.3

Mitigation steps: Update to User Registration plugin version 2.3.3 or greater.

Infinite Scroll – Ajax Load More – XSS

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-4466
Number of Installations: 50,000+
Affected Software: Infinite Scroll – Ajax Load More <= 5.6.0.2
Patched Versions: Infinite Scroll – Ajax Load More 5.6.0.3

Mitigation steps: Update to Infinite Scroll – Ajax Load More plugin version 5.6.0.3 or greater.

Robo Gallery – Stored XSS

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-27620
Number of Installations: 50,000+
Affected Software: Robo Gallery <= 3.2.12
Patched Versions: Robo Gallery 3.2.13

Mitigation steps: Update to Robo Gallery plugin version 3.2.13 or greater.

Jetpack CRM – Stored XSS

Security Risk: Medium
Exploitation Level: Requires Administrator  or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-27429
Number of Installations: 40,000+
Affected Software: Jetpack CRM <= 5.5.4
Patched Versions: Jetpack CRM 5.5.4

Mitigation steps: Update to Jetpack CRM plugin version 5.5.0 or greater.

Klaviyo – Stored XSS

Security Risk: Medium
Exploitation Level: Requires Admin or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-25456
Number of Installations: 30,000+
Affected Software: Klaviyo <= 3.0.7
Patched Versions: Klaviyo 3.0.8

Mitigation steps: Update to Klaviyo plugin version 3.0.8 or greater.

GN Publisher – XSS

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-1080
Number of Installations: 30,000+
Affected Software: GN Publisher <= 1.5.5
Patched Versions: GN Publisher 1.5.6

Mitigation steps: Update to GN Publisher plugin version 1.5.6 or greater.

Ecwid Ecommerce Shopping Cart – XSS

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-24408
Number of Installations: 30,000+
Affected Software: Ecwid Ecommerce Shopping Cart <= 6.11.4
Patched Versions: Ecwid Ecommerce Shopping Cart 6.11.5

Mitigation steps: Update to Ecwid Ecommerce Shopping Cart plugin version 6.11.5 or greater.

Rife Elementor Extensions & Templates – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-27454
Number of Installations: 30,000+
Affected Software: Rife Elementor Extensions & Templates <= 1.1.10
Patched Versions: Rife Elementor Extensions & Templates 1.2.0

Mitigation steps: Update to Rife Elementor Extensions & Templates plugin version 1.2.0 or greater.

Advanced Product Labels for WooCommerce – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2022-45813
Number of Installations: 20,000+
Affected Software: Advanced Product Labels for WooCommerce <= 1.2.4
Patched Versions: Advanced Product Labels for WooCommerce 1.2.4.1

Mitigation steps: Update to Advanced Product Labels for WooCommerce plugin version 1.2.4.1 or greater.

Branda – Authenticated Stored XSS

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Stored Cross-Site Scripting
Number of Installations: 20,000+
Affected Software: Branda <= 3.4.8
Patched Versions: Branda 3.4.9

Mitigation steps: Update to Branda plugin version 3.4.9 or greater.

Load More Products for WooCommerce – Broken Access Control

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2022-45813
Number of Installations: 20,000+
Affected Software: Load More Products for WooCommerce <= 1.1.9.7
Patched Versions: Load More Products for WooCommerce 1.1.9.8

Mitigation steps: Update to Load More Products for WooCommerce plugin version 1.1.9.8 or greater.

Min and Max Quantity for WooCommerce – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2022-45813
Number of Installations: 20,000+
Affected Software: Min and Max Quantity for WooCommerce <= 1.3.2.6
Patched Versions: Min and Max Quantity for WooCommerce 1.3.2.7

Mitigation steps: Update to Min and Max Quantity for WooCommerce plugin version 1.3.2.7 or greater.

Store Locator WordPress – XSS

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-27618
Number of Installations: 10,000+
Affected Software: Store Locator WordPress <= 1.4.9
Patched Versions: Store Locator WordPress 1.4.10

Mitigation steps: Update to Store Locator WordPress plugin version 1.4.10 or greater.

eCommerce Product Catalog – Stored XSS

Security Risk: Medium
Exploitation Level: Require Administrator or higher level authentication.
Vulnerability: Stored Cross-Site Scripting
CVE: CVE-2023-1470
Number of Installations: 10,000+
Affected Software: eCommerce Product Catalog Plugin for WordPress <= 3.3.8
Patched Versions: eCommerce Product Catalog Plugin for WordPress 3.3.9

Mitigation steps: Update to eCommerce Product Catalog plugin version 3.3.9 or greater.

Slideshow Gallery LITE – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2023-28491
Number of Installations: 10,000+
Affected Software: Slideshow Gallery LITE <= 1.7.6
Patched Versions: Slideshow Gallery LITE 1.7.7

Mitigation steps: Update to Slideshow Gallery LITE plugin version 1.7.7 or greater.

Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.

Related Tags
Related Categories
You May Also Like