WordPress Vulnerability & Patch Roundup April 2023

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.


Elementor Website Builder – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: SQL Injection
Number of Installations: 5,000,000+
Affected Software: Elementor <= 3.12.1
Patched Versions: Elementor 3.12.2

Mitigation steps: Update to Elementor Website Builder plugin version 3.12.2 or greater.


Advanced Custom Fields – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: PHP Object Injection
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF) <= 6.0.9
Patched Versions: Advanced Custom Fields (ACF) 6.1.0

Mitigation steps: Update to Advanced Custom Fields plugin version 6.1.0 or greater.


Autoptimize – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross Site Scripting (XSS)
Number of Installations: 1,000,000+
Affected Software: Autoptimize <= 3.1.6
Patched Versions: Autoptimize 3.1.7

Mitigation steps: Update to Autoptimize plugin version 3.1.7 or greater.


All In One WP Security & Firewall – Stored Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level:
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-0157
Number of Installations: 1,000,000+
Affected Software: All In One WP Security & Firewall <= 5.1.4
Patched Versions: All In One WP Security & Firewall 5.1.5

Mitigation steps: Update to All In One WP Security & Firewall plugin version 5.1.5 or greater.


Limit Login Attempts – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication needed.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-1861
Number of Installations: 600,000+
Affected Software: Limit Login Attempts <= 1.7.1
Patched Versions: Limit Login Attempts 1.7.2

Mitigation steps: Update to Limit Login Attempts plugin version 1.7.2 or greater.


Forminator – Broken Access Control

Security Risk: Low
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Broken Access Control
Number of Installations: 400,000+
Affected Software: Forminator <= 1.23.2
Patched Versions: Forminator 1.23.3

Mitigation steps: Update to Forminator plugin version 1.23.3 or greater.


FluentForm – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-0546
Number of Installations: 300,000+
Affected Software: FluentForm <= 4.3.24
Patched Versions: FluentForm 4.3.25

Mitigation steps: Update to FluentForm plugin version 4.3.25 or greater.


Photo Gallery by 10Web – Directory Traversal

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Directory Traversal
CVE: CVE-2023-1427
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.14
Patched Versions: Photo Gallery by 10Web 1.8.15

Mitigation steps: Update to Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin version 1.8.15 or greater.


SEOPress – PHP Object Injection

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: PHP Object Injection
Number of Installations: 200,000+
Affected Software: SEOPress <= 6.5.0.2
Patched Versions: SEOPress 6.5.0.3

Mitigation steps: Update to SEOPress plugin version 6.5.0.3 or greater.


Cyr to Lat Enhanced – SQL Injection

Security Risk: High
Vulnerability: SQL Injection
CVE: CVE-2022-4290
Number of Installations: 100,000+
Affected Software: Cyr to Lat Enhanced <= 3.6
Patched Versions: Cyr to Lat Enhanced 3.7

Mitigation steps: Update to Cyr to Lat Enhanced plugin version 3.7 or greater.


Blocksy Companion – Sensitive Data Exposure

Security Risk: Low
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-1911
Number of Installations: 100,000+
Affected Software: Blocksy Companion <= 1.8.81
Patched Versions: Blocksy Companion 1.8.82

Mitigation steps: Update to Blocksy Companion plugin version 1.8.82 or greater.


Hummingbird – Path Traversal

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Path Traversal
CVE: CVE-2023-1478
Number of Installations: 100,000+
Affected Software: Hummingbird <= 3.4.1
Patched Versions: Hummingbird 3.4.2

Mitigation steps: Update to Hummingbird plugin version 3.4.2 or greater.


Slimstat Analytics – SQL Injection

Security Risk: High
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: SQL Injection
Number of Installations: 100,000+
Affected Software: Slimstat Analytics <= 4.9.3
Patched Versions: Slimstat Analytics 4.9.4

Mitigation steps: Update to Slimstat Analytics plugin version 4.9.4 or greater.


Easy Forms for Mailchimp – Reflected XSS

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-1324
Number of Installations: 100,000+
Affected Software: Easy Forms for Mailchimp <= 6.8.7
Patched Versions: Easy Forms for Mailchimp 6.8.8

Mitigation steps: Update to Easy Forms for Mailchimp plugin version 6.8.8 or greater.


Essential Blocks for Gutenberg – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-2084
Number of Installations: 80,000+
Affected Software: Essential Blocks <= 4.0.6
Patched Versions: Essential Blocks 4.0.7

Mitigation steps: Update to Essential Blocks for Gutenberg plugin version 4.0.7 or greater.


Ninja Tables – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-47137
Number of Installations: 80,000+
Affected Software: Ninja Tables – Best Data Table Plugin for WordPress <= 4.3.4
Patched Versions: Ninja Tables – Best Data Table Plugin for WordPress 4.3.5

Mitigation steps: Update to Ninja Tables – Best Data Table Plugin for WordPress plugin version 4.3.5 or greater.


Ajax Search Lite – Reflected Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Reflected Cross-Site Scripting (XSS)
CVE: CVE-2023-1420
Number of Installations: 70,000+
Affected Software: Ajax Search Lite <= 4.11.0
Patched Versions: Ajax Search Lite 4.11.1

Mitigation steps: Update to Ajax Search Lite plugin version 4.11.1 or greater.


CMS Tree Page View – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-30868
Number of Installations: 70,000+
Affected Software: CMS Tree Page View <= 1.6.7
Patched Versions: CMS Tree Page View 1.6.8

Mitigation steps: Update to CMS Tree Page View plugin version 1.6.8 or greater.


TaxoPress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Editor or higher authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-2168
Number of Installations: 70,000+
Affected Software: TaxoPress <= 3.6.4
Patched Versions: TaxoPress 3.6.5

Mitigation steps: Update to TaxoPress plugin version 3.6.5 or greater.


User Registration – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-29429
Number of Installations: 60,000+
Affected Software: User Registration <= 2.3.2
Patched Versions: User Registration 2.3.3

Mitigation steps: Update to User Registration plugin version 2.3.3 or greater.


OoohBoi Steroids for Elementor – Broken Access Control

Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-1169
Number of Installations: 60,000+
Affected Software: OoohBoi Steroids for Elementor <= 2.1.4
Patched Versions: OoohBoi Steroids for Elementor 2.1.5

Mitigation steps: Update to OoohBoi Steroids for Elementor plugin version 2.1.5 or greater.


Amelia – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-29427
Number of Installations: 50,000+
Affected Software: Amelia <= 1.0.75
Patched Versions: Amelia 1.0.76

Mitigation steps: Update to Amelia plugin version 1.0.76 or greater.


PowerPress Podcasting – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-30778
Number of Installations: 50,000+
Affected Software: PowerPress Podcasting plugin by Blubrry <= 10.0.1
Patched Versions: PowerPress Podcasting plugin by Blubrry 10.0.2

Mitigation steps: Update to PowerPress Podcasting plugin by Blubrry version 10.0.2 or greater.


Maps Widget for Google Maps – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-1913
Number of Installations: 50,000+
Affected Software: Maps Widget for Google Maps <= 4.24
Patched Versions: Maps Widget for Google Maps 4.25

Mitigation steps: Update to Maps Widget for Google Maps plugin version 4.25 or greater.


Visual CSS Style Editor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-33961
Number of Installations: 50,000+
Affected Software: Visual CSS Style Editor <= 7.5.8
Patched Versions: Visual CSS Style Editor 7.5.9

Mitigation steps: Update to Visual CSS Style Editor plugin version 7.5.9 or greater.


MapPress Maps for WordPress – Authenticated SQL Injection

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Authenticated SQL Injection
CVE: CVE-2023-26015
Number of Installations: 50,000+
Affected Software: MapPress Maps for WordPress <= 2.85.4
Patched Versions: MapPress Maps for WordPress 2.85.5

Mitigation steps: Update to MapPress Maps for WordPress plugin version 2.85.5 or greater.


Update your website software to mitigate risk. Users who are not able to update their software to the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.
