Vulnerability reports and responsible disclosures are essential to website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromise.
To help website owners keep up with emerging threats to their environments, we have compiled the important security updates and vulnerability patches released for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall, and existing clients are protected. If you do not have it installed yet, you can use our web application firewall to block exploitation attempts against known vulnerabilities while you update.
WooCommerce – Sensitive Information Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Security Misconfiguration
Number of Installations: 5,000,000+
Affected Software: WooCommerce <= 7.8.2
Patched Versions: WooCommerce 7.9.0
Mitigation steps: Update to WooCommerce plugin version 7.9.0 or greater.
EWWW Image Optimizer – Sensitive Information Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Security Misconfiguration
Number of Installations: 1,000,000+
Affected Software: EWWW Image Optimizer < 7.2.1
Patched Versions: EWWW Image Optimizer 7.2.1
Mitigation steps: Update to EWWW Image Optimizer plugin version 7.2.1 or greater.
Essential Addons for Elementor – Privilege Escalation
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2023-41955
Number of Installations: 1,000,000+
Affected Software: Essential Addons for Elementor <= 5.8.8
Patched Versions: Essential Addons for Elementor 5.8.9
Mitigation steps: Update to Essential Addons for Elementor plugin version 5.8.9 or greater.
Enable Media Replace – PHP Object Injection
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Injection
Number of Installations: 600,000+
Affected Software: Enable Media Replace <= 4.1.2
Patched Versions: Enable Media Replace 4.1.3
Mitigation steps: Update to Enable Media Replace plugin version 4.1.3 or greater.
GTranslate – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Admin level authentication.
Vulnerability: Cross-Site Scripting (XSS)
Number of Installations: 500,000+
Affected Software: GTranslate <= 3.0.3
Patched Versions: GTranslate 3.0.4
Mitigation steps: Update to GTranslate plugin version 3.0.4 or greater.
ShortPixel Image Optimizer – PHP Object Injection
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Injection
Number of Installations: 300,000+
Affected Software: ShortPixel Image Optimizer <= 5.4.1
Patched Versions: ShortPixel Image Optimizer 5.4.2
Mitigation steps: Update to ShortPixel Image Optimizer plugin version 5.4.2 or greater.
FluentForm – Broken Access Control
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-41952
Number of Installations: 300,000+
Affected Software: FluentForm <= 5.0.8
Patched Versions: FluentForm 5.0.9
Mitigation steps: Update to FluentForm plugin version 5.0.9 or greater.
Ad Inserter – Sensitive Information Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Security Misconfiguration
CVE: CVE-2023-4645
Number of Installations: 300,000+
Affected Software: Ad Inserter <= 2.7.30
Patched Versions: Ad Inserter 2.7.31
Mitigation steps: Update to Ad Inserter plugin version 2.7.31 or greater.
WPvivid Backup and Migration – Arbitrary File Deletion
Security Risk: Low
Exploitation Level: Requires Admin authentication.
Vulnerability: Security Misconfiguration
CVE: CVE-2023-4274
Number of Installations: 300,000+
Affected Software: WPvivid Backup and Migration <= 0.9.89
Patched Versions: WPvivid Backup and Migration 0.9.90
Mitigation steps: Update to WPvivid Backup and Migration plugin version 0.9.90 or greater.
ProfilePress – Privilege Escalation
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2023-41954
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.13.1
Patched Versions: ProfilePress 4.13.2
Mitigation steps: Update to ProfilePress plugin version 4.13.2 or greater.
Metform Elementor Contact Form Builder – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Security Misconfiguration
CVE: CVE-2023-0689
Number of Installations: 200,000+
Affected Software: Metform Elementor Contact Form Builder <= 3.3.1
Patched Versions: Metform Elementor Contact Form Builder 3.3.2
Mitigation steps: Update to Metform Elementor Contact Form Builder plugin version 3.3.2 or greater.
PageLayer – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
Number of Installations: 200,000+
Affected Software: PageLayer <= 1.7.6
Patched Versions: PageLayer 1.7.7
Mitigation steps: Update to PageLayer plugin version 1.7.7 or greater.
Slimstat Analytics – SQL Injection
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2023-4598
Number of Installations: 100,000+
Affected Software: Slimstat Analytics <= 5.0.9
Patched Versions: Slimstat Analytics 5.0.10
Mitigation steps: Update to Slimstat Analytics plugin version 5.0.10 or greater.
GiveWP – Privilege Escalation
Security Risk: Medium
Exploitation Level: Requires
Vulnerability: Identification and Authentication Failures
CVE: CVE-2023-41665
Number of Installations: 100,000+
Affected Software: GiveWP <= 2.33.0
Patched Versions: GiveWP 2.33.1
Mitigation steps: Update to GiveWP plugin version 2.33.1 or greater.
User Feedback – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-39308
Number of Installations: 100,000+
Affected Software: User Feedback <= 1.0.7
Patched Versions: User Feedback 1.0.8
Mitigation steps: Update to User Feedback plugin version 1.0.8 or greater.
FileOrganizer – Arbitrary File Download
Security Risk: Low
Exploitation Level: Requires Admin or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2023-3664
Number of Installations: 100,000+
Affected Software: FileOrganizer <= 1.0.2
Patched Versions: FileOrganizer 1.0.3
Mitigation steps: Update to FileOrganizer plugin version 1.0.3 or greater.
wpDiscuz – SQL Injection
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Injection
Number of Installations: 100,000+
Affected Software: wpDiscuz < 7.6.6
Patched Versions: wpDiscuz 7.6.6
Mitigation steps: Update to wpDiscuz plugin version 7.6.6 or greater.
Media Library Assistant – Remote Code Execution
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Injection
CVE: CVE-2023-4634
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.09
Patched Versions: Media Library Assistant 3.10
Mitigation steps: Update to Media Library Assistant plugin version 3.10 or greater.
Booking Calendar – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-4620
Number of Installations: 60,000+
Affected Software: Booking Calendar <= 9.7.3
Patched Versions: Booking Calendar 9.7.3.1
Mitigation steps: Update to Booking Calendar plugin version 9.7.3.1 or greater.
Booster for WooCommerce – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-4945
Number of Installations: 60,000+
Affected Software: Booster for WooCommerce <= 7.1.0
Patched Versions: Booster for WooCommerce 7.1.1
Mitigation steps: Update to Booster for WooCommerce plugin version 7.1.1 or greater.
Feeds for YouTube – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-4841
Number of Installations: 60,000+
Affected Software: Feeds for YouTube <= 2.1
Patched Versions: Feeds for YouTube 2.1.2
Mitigation steps: Update to Feeds for YouTube plugin version 2.1.2 or greater.
Form Maker by 10Web – Arbitrary File Upload
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Injection
Number of Installations: 60,000+
Affected Software: Form Maker by 10Web < 1.15.20
Patched Versions: Form Maker by 10Web 1.15.20
Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.20 or greater.
Connect Matomo (WP-Matomo, WP-Piwik) – Stored Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-4774
Number of Installations: 60,000+
Affected Software: Connect Matomo (WP-Matomo, WP-Piwik) <= 1.0.28
Patched Versions: Connect Matomo (WP-Matomo, WP-Piwik) 1.0.29
Mitigation steps: Update to Connect Matomo (WP-Matomo, WP-Piwik) plugin version 1.0.29 or greater.
MapPress Maps for WordPress – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-4840
Number of Installations: 50,000+
Affected Software: MapPress Maps for WordPress <= 2.88.4
Patched Versions: MapPress Maps for WordPress 2.88.5
Mitigation steps: Update to MapPress Maps for WordPress plugin version 2.88.5 or greater.
Super Socializer – Broken Access Control
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-41802
Number of Installations: 40,000+
Affected Software: Super Socializer <= 7.13.54
Patched Versions: Super Socializer 7.13.55
Mitigation steps: Update to Super Socializer plugin version 7.13.55 or greater.
Update your website software to mitigate risk. Users who are not able to update their software to the latest version are encouraged to use a website firewall to virtually patch known vulnerabilities and protect their site. Virtual patching is a stopgap that blocks known exploitation patterns at the edge; the vulnerable code is still on the server until the plugin is actually updated, so treat the firewall as time to update safely, not as a replacement for the update.
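Checking a fleet of sites against a roundup like this by hand is error-prone, so here is an added example (not code from this roundup or from Sucuri) that cross-references a site's installed plugins with the patched versions listed above. It reads the JSON produced by the real WP-CLI command `wp plugin list --fields=name,status,version --format=json`; the plugin directory slugs used as keys are my assumption about how each plugin is named in the wordpress.org directory, not something the roundup states, and the sample inventory at the bottom is constructed, not captured from a real site.

```python
"""Cross-check installed WordPress plugins against the patched versions above.

Usage on a live site (real WP-CLI command and fields):
    wp plugin list --fields=name,status,version --format=json | python3 check_plugins.py
Run without piped input, it checks the constructed sample inventory below.
"""
import json
import re
import sys

# Patched versions exactly as listed in the roundup. The keys are the plugin
# directory slugs that `wp plugin list` prints in its `name` column; each slug
# is my assumption (e.g. ProfilePress still ships under its historic slug).
PATCHED = {
    "woocommerce": "7.9.0",
    "ewww-image-optimizer": "7.2.1",
    "essential-addons-for-elementor-lite": "5.8.9",
    "enable-media-replace": "4.1.3",
    "gtranslate": "3.0.4",
    "shortpixel-image-optimiser": "5.4.2",
    "fluentform": "5.0.9",
    "ad-inserter": "2.7.31",
    "wpvivid-backuprestore": "0.9.90",
    "wp-user-avatar": "4.13.2",          # ProfilePress
    "metform": "3.3.2",
    "pagelayer": "1.7.7",
    "wp-slimstat": "5.0.10",
    "give": "2.33.1",
    "userfeedback-lite": "1.0.8",
    "fileorganizer": "1.0.3",
    "wpdiscuz": "7.6.6",
    "media-library-assistant": "3.10",
    "booking": "9.7.3.1",                # Booking Calendar
    "woocommerce-jetpack": "7.1.1",      # Booster for WooCommerce
    "feeds-for-youtube": "2.1.2",
    "form-maker": "1.15.20",
    "wp-piwik": "1.0.29",                # Connect Matomo
    "mappress-google-maps-for-wordpress": "2.88.5",
    "super-socializer": "7.13.55",
}


def parse_version(version: str) -> tuple:
    """Turn '3.09', '9.7.3.1' or '1.0.8-beta1' into a tuple of ints.

    Tuple comparison then orders releases the way WordPress does:
    (3, 9) < (3, 10) and (9, 7, 3) < (9, 7, 3, 1). A pre-release suffix is
    dropped, so '1.0.8-beta1' compares equal to '1.0.8' and counts as patched;
    tighten this if your fleet runs beta builds.
    """
    numeric = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not numeric:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in numeric.group(0).split("."))


def is_vulnerable(installed: str, patched: str) -> bool:
    """True when the installed build predates the first patched release."""
    return parse_version(installed) < parse_version(patched)


def vulnerable_plugins(inventory_json: str) -> list:
    """Return every plugin in the inventory still on an affected version.

    Inactive plugins are reported as well: their files stay on disk, and a
    bug reachable by requesting a plugin file directly does not need the
    plugin to be active, so 'inactive' is not a reason to skip the update.
    """
    findings = []
    for plugin in json.loads(inventory_json):
        patched = PATCHED.get(plugin["name"])
        if patched and is_vulnerable(plugin["version"], patched):
            findings.append({
                "slug": plugin["name"],
                "status": plugin.get("status", "unknown"),
                "installed": plugin["version"],
                "patched": patched,
            })
    return findings


# Constructed sample of `wp plugin list --fields=name,status,version --format=json`
# output; not captured from a real site.
SAMPLE_INVENTORY = json.dumps([
    {"name": "woocommerce", "status": "active", "version": "7.8.2"},
    {"name": "wpdiscuz", "status": "active", "version": "7.6.6"},
    {"name": "media-library-assistant", "status": "inactive", "version": "3.09"},
    {"name": "booking", "status": "active", "version": "9.7.3"},
    {"name": "akismet", "status": "active", "version": "5.2"},
])


def main() -> int:
    data = SAMPLE_INVENTORY if sys.stdin.isatty() else sys.stdin.read()
    findings = vulnerable_plugins(data)
    for f in findings:
        print(f"{f['slug']:36} {f['status']:9} installed {f['installed']:>8}"
              f"  patched in {f['patched']}")
    if not findings:
        print("no installed plugins on the affected versions listed above")
    return 1 if findings else 0   # non-zero exit so a cron job or CI step can alert


if __name__ == "__main__":
    sys.exit(main())
```

On the sample inventory it flags WooCommerce 7.8.2, the inactive Media Library Assistant 3.09 and Booking Calendar 9.7.3, and leaves wpDiscuz 7.6.6 alone because it already equals the patched version. The numeric tuple comparison matters for entries like Media Library Assistant, where a plain string comparison would wrongly rank "3.09" above "3.10".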