Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
WordPress 6.2.1 Security & Maintenance Release
WordPress 6.2.1, a security and maintenance release, is now available. Alongside bug fixes it patches several vulnerabilities, including an unauthenticated directory traversal, an unauthenticated cross-site scripting issue, and several lower-severity issues.
We strongly encourage you to always keep your CMS patched with the latest core updates to mitigate risk and protect your WordPress website.
Elementor – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Missing Authorization to Settings Update
Number of Installations: 5,000,000+
Affected Software: Elementor Website Builder <= 3.13.1
Patched Versions: Elementor Website Builder 3.13.2
Mitigation steps: Update to Elementor Website Builder plugin version 3.13.2 or greater.
Advanced Custom Fields Pro – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-30777
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF) <= 6.1.5
Patched Versions: Advanced Custom Fields (ACF) 6.1.6
Mitigation steps: Update to Advanced Custom Fields PRO plugin version 6.1.6 or greater.
Essential Addons for Elementor – Critical Privilege Escalation
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2023-32243
Number of Installations: 1,000,000+
Affected Software: Essential Addons for Elementor <= 5.7.1
Patched Versions: Essential Addons for Elementor 5.7.2
Mitigation steps: Update to Essential Addons for Elementor plugin version 5.7.2 or greater.
Loginizer – Reflected Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-2296
Number of Installations: 1,000,000+
Affected Software: Loginizer <= 1.7.8
Patched Versions: Loginizer 1.7.9
Mitigation steps: Update to Loginizer plugin version 1.7.9 or greater.
Ninja Forms – Reflected Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level:
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-1835
Number of Installations: 900,000+
Affected Software: Ninja Forms Contact Form <= 3.6.21
Patched Versions: Ninja Forms Contact Form 3.6.22
Mitigation steps: Update to Ninja Forms Contact Form plugin version 3.6.22 or greater.
ExactMetrics – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-23880
Number of Installations: 700,000+
Affected Software: ExactMetrics <= 7.14.1
Patched Versions: ExactMetrics 7.14.2
Mitigation steps: Update to ExactMetrics plugin version 7.14.2 or greater.
PixelYourSite – Stored Cross-Site Scripting
Security Risk: Low
Exploitation Level: Requires Administrator authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-2584
Number of Installations: 400,000+
Affected Software: PixelYourSite <= 9.3.6
Patched Versions: PixelYourSite 9.3.7
Mitigation steps: Update to PixelYourSite version 9.3.7 or greater.
Otter Gutenberg Blocks – PHP Object Injection
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2023-2288
Number of Installations: 300,000+
Affected Software: Otter – Gutenberg Blocks <= 2.2.5
Patched Versions: Otter – Gutenberg Blocks 2.2.6
Mitigation steps: Update to Otter – Gutenberg Blocks plugin version 2.2.6 or greater.
Chaty – Cross-Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-25019
Number of Installations: 200,000+
Affected Software: Chaty <= 3.0
Patched Versions: Chaty 3.1
Mitigation steps: Update to Chaty plugin version 3.1 or greater.
Simple Page Ordering – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-32798
Number of Installations: 200,000+
Affected Software: Simple Page Ordering <= 2.5.0
Patched Versions: Simple Page Ordering 2.5.1
Mitigation steps: Update to Simple Page Ordering plugin version 2.5.1 or greater.
MW WP Form – Directory Traversal
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Directory Traversal
Number of Installations: 200,000+
Affected Software: MW WP Form <= 4.4.2
Patched Versions: MW WP Form 4.4.3
Mitigation steps: Update to MW WP Form plugin version 4.4.3 or greater.
Download Monitor – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2022-45354
Number of Installations: 100,000+
Affected Software: Download Monitor <= 4.7.69
Patched Versions: Download Monitor 4.7.70
Mitigation steps: Update to Download Monitor plugin version 4.7.70 or greater.
Newsletter by Sendinblue – Reflected Cross-Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
Number of Installations: 100,000+
Affected Software: Newsletter by Sendinblue <= 3.1.60
Patched Versions: Newsletter by Sendinblue 3.1.61
Mitigation steps: Update to Newsletter by Sendinblue plugin version 3.1.61 or greater.
Slimstat Analytics – Reflected Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Reflected Cross Site Scripting (XSS)
CVE: CVE-2022-45366
Number of Installations: 100,000+
Affected Software: Slimstat Analytics <= 5.0.4
Patched Versions: Slimstat Analytics 5.0.5
Mitigation steps: Update to Slimstat Analytics plugin version 5.0.5 or greater.
YARPP – SQL Injection
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2023-0579
Number of Installations: 100,000+
Affected Software: YARPP <= 5.30.2
Patched Versions: YARPP 5.30.3
Mitigation steps: Update to YARPP plugin version 5.30.3 or greater.
Advanced Woo Search – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-2452
Number of Installations: 70,000+
Affected Software: Advanced Woo Search <= 2.77
Patched Versions: Advanced Woo Search 2.78
Mitigation steps: Update to Advanced Woo Search plugin version 2.78 or greater.
Contact Form Entries – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-33311
Number of Installations: 60,000+
Affected Software: Contact Form Entries <= 1.3.0
Patched Versions: Contact Form Entries 1.3.1
Mitigation steps: Update to Contact Form Entries plugin version 1.3.1 or greater.
Contact Form Entries – SQL Injection
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2023-31212
Number of Installations: 60,000+
Affected Software: Contact Form Entries <= 1.3.0
Patched Versions: Contact Form Entries 1.3.1
Mitigation steps: Update to Contact Form Entries plugin version 1.3.1 or greater.
WP-Piwik – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-33211
Number of Installations: 60,000+
Affected Software: WP-Piwik <= 1.0.27
Patched Versions: WP-Piwik 1.0.28
Mitigation steps: Update to WP-Piwik plugin version 1.0.28 or greater.
Custom Field Suite – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-32515
Number of Installations: 50,000+
Affected Software: Custom Field Suite <= 2.6.2
Patched Versions: Custom Field Suite 2.6.3
Mitigation steps: Update to Custom Field Suite plugin version 2.6.3 or greater.
Ultimate Dashboard – Stored Cross-Site Scripting
Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross-Site Scripting
Number of Installations: 50,000+
Affected Software: Ultimate Dashboard <= 3.7.5
Patched Versions: Ultimate Dashboard 3.7.6
Mitigation steps: Update to Ultimate Dashboard plugin version 3.7.6 or greater.
Easy Hide Login – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-32505
Number of Installations: 40,000+
Affected Software: Easy Hide Login <= 1.0.7
Patched Versions: Easy Hide Login 1.0.8
Mitigation steps: Update to Easy Hide Login plugin version 1.0.8 or greater.
Post Snippets – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-25459
Number of Installations: 30,000+
Affected Software: Post Snippets <= 4.0.2
Patched Versions: Post Snippets 4.0.3
Mitigation steps: Update to Post Snippets plugin version 4.0.3 or greater.
Zero Spam – SQL Injection
Security Risk: Low
Exploitation Level: Requires Administrator level authentication.
Vulnerability: SQL Injection
CVE: CVE-2023-32121
Number of Installations: 30,000+
Affected Software: Zero Spam for WordPress <= 5.4.4
Patched Versions: Zero Spam for WordPress 5.4.5
Mitigation steps: Update to Zero Spam for WordPress plugin version 5.4.5 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.
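To turn the list above into a check you can actually run, here is an added example (our own illustration, not code from the Sucuri post or from any of the plugin projects). It compares the plugin versions reported by WP-CLI against the affected and patched versions listed in this roundup, and checks the core version against 6.2.1. The wordpress.org plugin slugs are assumptions, and the WP-CLI output is replaced by a constructed sample so the script runs offline; for a live site, feed it the output of `wp plugin list --format=json` and `wp core version`. Note the version comparison: a plain string compare would rank 4.7.7 above 4.7.69, which is exactly the kind of mistake that leaves a site on an affected Download Monitor release.

```python
"""Audit a WordPress install against the versions in this roundup.

Added example, not part of the Sucuri post. Input is the JSON printed by
`wp plugin list --format=json` (keys: name, status, update, version) and the
string printed by `wp core version`. Both are replaced by constructed sample
data below so the script runs offline.
"""
import json
import re
from typing import Dict, List, Tuple

# (plugin slug, last affected version, first patched version)
# Versions are taken from the roundup above; the slugs are assumptions.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("elementor", "3.13.1", "3.13.2"),
    ("advanced-custom-fields", "6.1.5", "6.1.6"),
    ("essential-addons-for-elementor-lite", "5.7.1", "5.7.2"),
    ("loginizer", "1.7.8", "1.7.9"),
    ("ninja-forms", "3.6.21", "3.6.22"),
    ("pixelyoursite", "9.3.6", "9.3.7"),
    ("otter-blocks", "2.2.5", "2.2.6"),
    ("chaty", "3.0", "3.1"),
    ("simple-page-ordering", "2.5.0", "2.5.1"),
    ("mw-wp-form", "4.4.2", "4.4.3"),
    ("download-monitor", "4.7.69", "4.7.70"),
    ("wp-slimstat", "5.0.4", "5.0.5"),
    ("yet-another-related-posts-plugin", "5.30.2", "5.30.3"),
    ("zero-spam", "5.4.4", "5.4.5"),
]
CORE_PATCHED = "6.2.1"


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison, so '4.7.70' > '4.7.69' and '3.1' > '3.0'.

    A plain string compare gets this wrong ('4.7.7' sorts above '4.7.69').
    Non-numeric suffixes such as '-beta1' are dropped, and trailing zeros are
    stripped so '3.0' and '3' compare equal.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed: str, last_affected: str) -> bool:
    """True when the installed version is at or below the last affected one."""
    return version_key(installed) <= version_key(last_affected)


def audit_plugins(plugin_list_json: str) -> List[Dict[str, str]]:
    """One finding per installed plugin still on an affected version.

    Inactive plugins are reported too: their code is still on disk and should
    be updated or removed rather than left behind.
    """
    installed = {p["name"]: p for p in json.loads(plugin_list_json)}
    findings = []
    for slug, last_affected, patched in ADVISORIES:
        plugin = installed.get(slug)
        if plugin is not None and is_vulnerable(plugin["version"], last_affected):
            findings.append({
                "plugin": slug,
                "installed": plugin["version"],
                "patched": patched,
                "status": plugin["status"],
            })
    return findings


def audit_core(core_version: str) -> bool:
    """True when core is older than the 6.2.1 security release."""
    return version_key(core_version) < version_key(CORE_PATCHED)


# Constructed sample in the shape of `wp plugin list --format=json`.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "active", "update": "available", "version": "3.13.1"},
    {"name": "download-monitor", "status": "active", "update": "none", "version": "4.7.7"},
    {"name": "chaty", "status": "inactive", "update": "available", "version": "3.0"},
    {"name": "loginizer", "status": "active", "update": "none", "version": "1.7.9"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.1"},
])
# Constructed sample of `wp core version` output (includes its trailing newline).
SAMPLE_CORE_VERSION = "6.2\n"

if __name__ == "__main__":
    # On a real site replace the samples with
    #   subprocess.check_output(["wp", "plugin", "list", "--format=json"], text=True)
    #   subprocess.check_output(["wp", "core", "version"], text=True)
    for f in audit_plugins(SAMPLE_PLUGIN_LIST):
        print(f"UPDATE {f['plugin']} ({f['status']}): {f['installed']} -> {f['patched']} or later")
    if audit_core(SAMPLE_CORE_VERSION):
        print(f"UPDATE core: below {CORE_PATCHED}")
```

The script only knows about the plugins listed in this post; it is a check against this month's roundup, not a replacement for a vulnerability scanner. If you cannot update a flagged plugin immediately, that is the case where a web application firewall's virtual patching buys time.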