Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
Jetpack – Arbitrary File Overwrite
Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
Number of Installations: 5,000,000+
Affected Software: Jetpack <= 12.1.0
Patched Versions: Jetpack 12.1.1
Mitigation steps: Update to Jetpack plugin version 12.1.1 or greater.
WooCommerce Stripe Payment Gateway – Broken Access Control
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-35049
Number of Installations: 900,000+
Affected Software: WooCommerce Stripe Payment Gateway <= 7.4.0
Patched Versions: WooCommerce Stripe Payment Gateway 7.4.1
Mitigation steps: Update to WooCommerce Stripe Payment Gateway version 7.4.1 or greater.
Password Protected – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Admin authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-32580
Number of Installations: 300,000+
Affected Software: Password Protected <= 2.6.2
Patched Versions: Password Protected 2.6.3
Mitigation steps: Update to Password Protected plugin version 2.6.3 or greater.
Photo Gallery by 10Web – Broken Access Control
Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-33995
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.15
Patched Versions: Photo Gallery by 10Web 1.8.16
Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.16 or greater.
Unlimited Elements For Elementor – Arbitrary File Upload
Security Risk: High
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Security Misconfiguration
CVE: CVE-2023-31231
Number of Installations: 200,000+
Affected Software: Unlimited Elements For Elementor <= 1.5.65
Patched Versions: Unlimited Elements For Elementor 1.5.66
Mitigation steps: Update to Unlimited Elements For Elementor plugin version 1.5.66 or greater.
Metform Elementor Contact Form Builder – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-0708
Number of Installations: 200,000+
Affected Software: Metform Elementor Contact Form Builder <= 3.3.1
Patched Versions: Metform Elementor Contact Form Builder 3.3.1
Mitigation steps: Update to Metform Elementor Contact Form Builder plugin version 3.3.1 or greater.
Social Media Share Buttons & Social Sharing Icons – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-1166
Number of Installations: 200,000+
Affected Software: Social Media Share Buttons & Social Sharing Icons <= 2.8.2
Patched Versions: Social Media Share Buttons & Social Sharing Icons 2.8.2
Mitigation steps: Update to Social Media Share Buttons & Social Sharing Icons plugin version 2.8.2 or greater.
WP Mail Logging – Cross-Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-3081
Number of Installations: 200,000+
Affected Software: WP Mail Logging <= 1.11.0
Patched Versions: WP Mail Logging 1.11.2
Mitigation steps: Update to WP Mail Logging plugin version 1.11.2 or greater.
Download Monitor – Arbitrary File Upload
Security Risk: Critical
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2023-34007
Number of Installations: 100,000+
Affected Software: Download Monitor <= 4.8.3
Patched Versions: Download Monitor 4.8.4
Mitigation steps: Update to Download Monitor plugin version 4.8.4 or greater.
WooCommerce Square – Insecure Direct Object References (IDOR)
Security Risk: High
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2023-35876
Number of Installations: 100,000+
Affected Software: WooCommerce Square <= 3.8.1
Patched Versions: WooCommerce Square 3.8.2
Mitigation steps: Update to WooCommerce Square plugin version 3.8.2 or greater.
Download Manager – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-1524
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.2.70
Patched Versions: Download Manager 3.2.71
Mitigation steps: Update to Download Manager plugin version 3.2.71 or greater.
Download Monitor – Arbitrary File Upload
Security Risk: High
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Injection
CVE: CVE-2023-31219
Number of Installations: 100,000+
Affected Software: Download Monitor <= 4.8.1
Patched Versions: Download Monitor 4.8.2
Mitigation steps: Update to Download Monitor plugin version 4.8.2 or greater.
FiboSearch – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-2450
Number of Installations: 100,000+
Affected Software: FiboSearch <= 1.23.0
Patched Versions: FiboSearch 1.24.0
Mitigation steps: Update to FiboSearch plugin version 1.24.0 or greater.
Tutor LMS – SQL Injection
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Injection
CVE: CVE-2023-25700
Number of Installations: 70,000+
Affected Software: Tutor LMS <= 2.1.9
Patched Versions: Tutor LMS 2.2.0
Mitigation steps: Update to Tutor LMS plugin version 2.2.0 or greater.
Conditional Menus – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-2654
Number of Installations: 70,000+
Affected Software: Conditional Menus <= 1.2.0
Patched Versions: Conditional Menus 1.2.1
Mitigation steps: Update to Conditional Menus plugin version 1.2.1 or greater.
VK Blocks – Auth. Settings Update
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-0583
Number of Installations: 70,000+
Affected Software: VK Blocks <= 1.57.1.1
Patched Versions: VK Blocks 1.57.1.2
Mitigation steps: Update to VK Blocks plugin version 1.57.1.2 or greater.
Visual Composer – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Multiple Cross-Site Scripting (XSS)
CVE: CVE-2020-36722
Number of Installations: 70,000+
Affected Software: Visual Composer <= 26.0
Patched Versions: Visual Composer 27.0
Mitigation steps: Update to Visual Composer plugin version 27.0 or greater.
Dokan – PHP Object Injection
Security Risk: Medium
Exploitation Level: Shop manager authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2023-34382
Number of Installations: 60,000+
Affected Software: Dokan <= 3.7.19
Patched Versions: Dokan 3.7.20
Mitigation steps: Update to Dokan plugin version 3.7.20 or greater.
PowerPress Podcasting – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross-Site Scripting (XSS)
Number of Installations: 40,000+
Affected Software: PowerPress Podcasting <= 10.2.3
Patched Versions: PowerPress Podcasting 10.2.4
Mitigation steps: Update to PowerPress Podcasting plugin version 10.2.4 or greater.
Dynamic Visibility for Elementor – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-35046
Number of Installations: 40,000+
Affected Software: Dynamic Visibility for Elementor <= 5.0.5
Patched Versions: Dynamic Visibility for Elementor 5.0.6
Mitigation steps: Update to Dynamic Visibility for Elementor plugin version 5.0.6 or greater.
Super Socializer – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-35882
Number of Installations: 40,000+
Affected Software: Super Socializer <= 7.13.52
Patched Versions: Super Socializer 7.13.53
Mitigation steps: Update to Super Socializer plugin version 7.13.53 or greater.
Gutenverse – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-35875
Number of Installations: 30,000+
Affected Software: Gutenverse – Gutenberg Blocks – Page Builder for Site Editor <= 1.8.5
Patched Versions: Gutenverse – Gutenberg Blocks – Page Builder for Site Editor 1.8.6
Mitigation steps: Update to Gutenverse plugin version 1.8.6 or greater.
Abandoned Cart Lite for WooCommerce – Authentication Bypass
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2023-2986
Number of Installations: 30,000+
Affected Software: Abandoned Cart Lite for WooCommerce <= 5.14.0
Patched Versions: Abandoned Cart Lite for WooCommerce 5.15.0
Mitigation steps: Update to Abandoned Cart Lite for WooCommerce version 5.15.0 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.