Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
Advanced Custom Fields – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Admin level authentication.
Vulnerability: Authenticated Cross Site Scripting (XSS)
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF) <= 6.1.7
Patched Versions: Advanced Custom Fields (ACF) 6.1.8
Mitigation steps: Update to Advanced Custom Fields plugin version 6.1.8 or greater.
ElementsKit Elementor Addons – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-39993
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 2.9.0
Patched Versions: ElementsKit Elementor addons 2.9.1
Mitigation steps: Update to ElementsKit Elementor addons plugin version 2.9.1 or greater.
Forminator – Arbitrary File Upload
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Upload
Number of Installations: 400,000+
Affected Software: Forminator <= 1.24.6
Patched Versions: Forminator 1.25.0
Mitigation steps: Update to Forminator plugin version 1.25.0 or greater.
Gutenberg Blocks by Kadence Blocks – Arbitrary File Upload
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Upload
Number of Installations: 300,000+
Affected Software: Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.1.10
Patched Versions: Gutenberg Blocks by Kadence Blocks – Page Builder Features 3.1.11
Mitigation steps: Update to Gutenberg Blocks by Kadence Blocks plugin version 3.1.11 or greater.
InfiniteWP Client – Sensitive Data Exposure
Security Risk: Low
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-2916
Number of Installations: 300,000+
Affected Software: InfiniteWP Client <= 1.12.0
Patched Versions: InfiniteWP Client 1.12.1
Mitigation steps: Update to InfiniteWP Client plugin version 1.12.1 or greater.
Hide My WP Ghost – Bypass Vulnerability
Security Risk: Medium
Exploitation Level:
Vulnerability: Bypass Vulnerability
CVE: CVE-2023-34001
Number of Installations: 200,000+
Affected Software: Hide My WP Ghost <= 5.0.25
Patched Versions: Hide My WP Ghost 5.0.26
Mitigation steps: Update to Hide My WP Ghost – Security Plugin version 5.0.26 or greater.
TI WooCommerce Wishlist – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
Number of Installations: 100,000+
Affected Software: TI WooCommerce Wishlist <= 2.7.3
Patched Versions: TI WooCommerce Wishlist 2.7.4
Mitigation steps: Update to TI WooCommerce Wishlist plugin version 2.7.4 or greater.
Slimstat Analytics – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Admin level authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-40676
Number of Installations: 100,000+
Affected Software: Slimstat Analytics <= 5.0.8
Patched Versions: Slimstat Analytics 5.0.9
Mitigation steps: Update to Slimstat Analytics plugin version 5.0.9 or greater.
Advanced File Manager – Sensitive Data Exposure
Security Risk: Low
Exploitation Level: Admin level authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-3814
Number of Installations: 100,000+
Affected Software: Advanced File Manager <= 5.1.0
Patched Versions: Advanced File Manager 5.1.1
Mitigation steps: Update to Advanced File Manager plugin version 5.1.1 or greater.
Change WP Admin Login – Bypass Vulnerability
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Security Misconfiguration
CVE: CVE-2023-3604
Number of Installations: 90,000+
Affected Software: Change WP Admin Login <= 1.1.3
Patched Versions: Change WP Admin Login 1.1.4
Mitigation steps: Update to Change WP Admin Login plugin version 1.1.4 or greater.
EmbedPress – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-4283
Number of Installations: 80,000+
Affected Software: EmbedPress <= 3.8.2
Patched Versions: EmbedPress 3.8.3
Mitigation steps: Update to EmbedPress plugin version 3.8.3 or greater.
Blog2Social – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-40554
Number of Installations: 70,000+
Affected Software: Blog2Social <= 7.2.0
Patched Versions: Blog2Social 7.2.1
Mitigation steps: Update to Blog2Social: Social Media Auto Post & Scheduler plugin version 7.2.1 or greater.
wpDataTables – PHP Object Injection
Security Risk: Low
Exploitation Level: Admin level authentication required.
Vulnerability: PHP Object Injection
CVE: N/A
Number of Installations: 70,000+
Affected Software: wpDataTables <= 2.1.65
Patched Versions: wpDataTables 2.1.66
Mitigation steps: Update to wpDataTables plugin version 2.1.66 or greater.
Booster for WooCommerce – Broken Access Control
Security Risk: Medium
Exploitation Level: Shop Manager authentication required.
Vulnerability: Broken Access Control
Number of Installations: 60,000+
Affected Software: Booster for WooCommerce <= 7.0.0
Patched Versions: Booster for WooCommerce 7.1.0
Mitigation steps: Update to Booster for WooCommerce plugin version 7.1.0 or greater.
Folders – Arbitrary File Upload
Security Risk: Medium
Exploitation Level: Author or higher level authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2023-40204
Number of Installations: 60,000+
Affected Software: Folders <= 2.9.2
Patched Versions: Folders 2.9.3
Mitigation steps: Update to Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin version 2.9.3 or greater.
Post Grid Combo – Sensitive Data Exposure
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-40211
Number of Installations: 50,000+
Affected Software: Post Grid Combo <= 2.2.50
Patched Versions: Post Grid Combo 2.2.51
Mitigation steps: Update to Post Grid Combo plugin version 2.2.51 or greater.
iThemes Sync – Broken Access Control
Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-40001
Number of Installations: 50,000+
Affected Software: iThemes Sync <= 2.1.13
Patched Versions: iThemes Sync 2.1.14
Mitigation steps: Update to iThemes Sync plugin version 2.1.14 or greater.
Profile Builder – User Profile & User Registration Forms – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
Number of Installations: 50,000+
Affected Software: Profile Builder <= 3.9.7
Patched Versions: Profile Builder 3.9.8
Mitigation steps: Update to Profile Builder plugin version 3.9.8 or greater.
Cost Calculator Builder – Broken Access Control
Security Risk: Medium
Exploitation Level: Author or higher level authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-40011
Number of Installations: 30,000+
Affected Software: Cost Calculator Builder <= 3.1.42
Patched Versions: Cost Calculator Builder 3.1.43
Mitigation steps: Update to Cost Calculator Builder plugin version 3.1.43 or greater.
AI Engine: ChatGPT Chatbot – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Administrator level authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-4254
Number of Installations: 30,000+
Affected Software: AI Engine <= 4.7.7
Patched Versions: AI Engine 4.7.8
Mitigation steps: Update to AI Engine plugin version 4.7.8 or greater.
PostX – Gutenberg Post Grid Blocks – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-3992
Number of Installations: 30,000+
Affected Software: PostX – Gutenberg Post Grid Blocks <= 3.0.5
Patched Versions: PostX – Gutenberg Post Grid Blocks 3.0.6
Mitigation steps: Update to PostX – Gutenberg Post Grid Blocks plugin version 3.0.6 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.
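A quick way to turn the list above into an actionable check on a site you administer is to compare the installed plugin versions against the affected ceilings. The script below is an added example written for this page, not Sucuri tooling: it reads the JSON that WP-CLI's `wp plugin list --format=json` prints (fields `name`, `status`, `update`, `version`) and reports every plugin whose installed version is at or below the affected version in the entries above. The plugin slugs in the table are assumed wordpress.org directory names and must be verified against your own `wp plugin list` output (premium or pro variants of a plugin often use a different slug); the sample JSON is constructed, not captured from a real site.

```python
"""Flag installed WordPress plugins still at a version listed as affected above.

Reads `wp plugin list --format=json` output from stdin; falls back to the
constructed sample when stdin is empty so the script runs offline.
"""
import json
import re
import sys

# (highest affected version, first patched version) keyed by plugin slug.
# Slugs are ASSUMED wordpress.org directory names; confirm them against
# `wp plugin list` on your site before trusting a "not installed" result.
ADVISORIES = {
    "advanced-custom-fields": ("6.1.7", "6.1.8"),
    "elementskit-lite": ("2.9.0", "2.9.1"),
    "forminator": ("1.24.6", "1.25.0"),
    "kadence-blocks": ("3.1.10", "3.1.11"),
    "iwp-client": ("1.12.0", "1.12.1"),
    "hide-my-wp": ("5.0.25", "5.0.26"),
    "ti-woocommerce-wishlist": ("2.7.3", "2.7.4"),
    "wp-slimstat": ("5.0.8", "5.0.9"),
    "file-manager-advanced": ("5.1.0", "5.1.1"),
    "change-wp-admin-login": ("1.1.3", "1.1.4"),
    "embedpress": ("3.8.2", "3.8.3"),
    "blog2social": ("7.2.0", "7.2.1"),
    "wpdatatables": ("2.1.65", "2.1.66"),
    "woocommerce-jetpack": ("7.0.0", "7.1.0"),
    "folders": ("2.9.2", "2.9.3"),
    "post-grid": ("2.2.50", "2.2.51"),
    "ithemes-sync": ("2.1.13", "2.1.14"),
    "profile-builder": ("3.9.7", "3.9.8"),
    "cost-calculator-builder": ("3.1.42", "3.1.43"),
    "ai-engine": ("4.7.7", "4.7.8"),
    "ultimate-post": ("3.0.5", "3.0.6"),
}

# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "forminator", "status": "active", "update": "available", "version": "1.24.6"},
    {"name": "elementskit-lite", "status": "inactive", "update": "none", "version": "2.9"},
    {"name": "advanced-custom-fields", "status": "active", "update": "none", "version": "6.1.8"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])


def parse_version(version):
    """'2.9.0' -> (2, 9, 0). A pre-release suffix such as '1.25.0-beta' is ignored;
    parsing stops at the first component that does not start with digits."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_le(a, b):
    """True if version a <= version b, treating '2.9' and '2.9.0' as equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) <= pb + (0,) * (width - len(pb))


def find_vulnerable(plugin_list_json):
    """Return one finding per installed plugin whose version is within the
    affected range. Inactive plugins are reported too: their files are still
    on disk, and an unused plugin should be deleted rather than left disabled."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        advisory = ADVISORIES.get(plugin["name"])
        if advisory is None:
            continue
        affected_max, patched = advisory
        if version_le(plugin["version"], affected_max):
            findings.append({
                "plugin": plugin["name"],
                "installed": plugin["version"],
                "affected_max": affected_max,
                "patched": patched,
                "status": plugin["status"],
            })
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    for f in find_vulnerable(data or SAMPLE_WP_PLUGIN_LIST):
        print(f"{f['plugin']} {f['installed']} ({f['status']}): "
              f"affected <= {f['affected_max']}, update to {f['patched']} or later")
```

Run it on a live site with `wp plugin list --format=json | python3 check_wp_advisories.py` (the filename is whatever you save it as). Version comparison is done numerically rather than as a string so that `2.9` is treated as equal to `2.9.0` and `1.24.6` sorts below `1.25.0`; a plain string comparison would get both wrong.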