Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
WordPress 6.3.2 Security Update
A new core update for WordPress has been released which features security and bug fixes in WordPress 6.3.2. This update includes 19 bug fixes for WordPress Core, 22 for the Block Editor, and 8 crucial security fixes.
The security updates in this release include fixes for vulnerabilities such as potential disclosure of user email addresses, RCE POP Chains vulnerability, XSS issues in post link navigation block and application password screen, leakage of comments on private posts, potential for logged-in users to execute any shortcode, XSS vulnerability in the footnotes block, and a cache poisoning DoS vulnerability.
We strongly encourage you to always keep your CMS patched with the latest core updates to mitigate risk and protect your site.
LiteSpeed Cache – Stored Cross-Site Scripting via Shortcode
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-4372
Number of Installations: 4,000,000+
Affected Software: LiteSpeed Cache <= 5.6
Patched Versions: LiteSpeed Cache 5.7
Mitigation steps: Update to LiteSpeed Cache plugin version 5.7 or greater.
All In One WP Security – Protection Bypass via URL Encoding
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Protection Bypass of Renamed Login Page via URL Encoding
Number of Installations: 1,000,000
Affected Software: All In One WP Security <= 5.2.4
Patched Versions: All In One WP Security 5.2.5
Mitigation steps: Update to All In One WP Security plugin version 5.2.5 or greater.
Post SMTP – SQL Injection
Security Risk: Low
Exploitation Level: Requires Administrator authentication.
Vulnerability: SQL Injection
Number of Installations: 300,000+
Affected Software: Post SMTP <= 2.6.0
Patched Versions: Post SMTP 2.6.1
Mitigation steps: Update to Post SMTP plugin version 2.6.1 or greater.
Redirection for Contact Form 7 – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-39920
Number of Installations: 300,000+
Affected Software: Redirection for Contact Form 7 <= 2.9.2
Patched Versions: Redirection for Contact Form 7 3.0.0
Mitigation steps: Update to Redirection for Contact Form 7 plugin version 3.0.0 or greater.
Migration, Backup, Staging WPvivid – Google Drive Client Secret Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Information Exposure
CVE: CVE-2023-5576
Number of Installations: 300,000+
Affected Software: Migration, Backup, Staging – WPvivid <= 0.9.91
Patched Versions: Migration, Backup, Staging – WPvivid 9.9.92
Mitigation steps: Update to Migration, Backup, Staging – WPvivid plugin version 9.9.92 or greater.
WordPress Popular Posts – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-45607
Number of Installations: 200,000+
Affected Software: WordPress Popular Posts <= 6.3.2
Patched Versions: WordPress Popular Posts 6.3.3
Mitigation steps: Update to WordPress Popular Posts plugin version 6.3.3 or greater.
ProfilePress – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-44150
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.13.2
Patched Versions: ProfilePress 4.13.3
Mitigation steps: Update to ProfilePress plugin version 4.13.3 or greater.
Templately – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-5454
Number of Installations: 200,000+
Affected Software: Templately <= 2.2.5
Patched Versions: Templately 2.2.6
Mitigation steps: Update to Templately plugin version 2.2.6 or greater.
Icegram Express – Path Traversal
Security Risk: Medium
Exploitation Level: Requires Administrator authentication.
Vulnerability: Injection
CVE: CVE-2023-5414
Number of Installations: 100,000+
Affected Software: Icegram Express <= 5.6.23
Patched Versions: Icegram Express 5.6.24
Mitigation steps: Update to Icegram Express plugin version 5.6.24 or greater.
Social Media & Share Icons – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Subscriber
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-5070
Number of Installations: 100,000+
Affected Software: Social Media & Share Icons <= 2.8.5
Patched Versions: Social Media & Share Icons 2.8.6
Mitigation steps: Update to Social Media & Share Icons plugin version 2.8.6 or greater.
User Feedback – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-46153
Number of Installations: 100,000+
Affected Software: User Feedback <= 1.0.9
Patched Versions: User Feedback 1.0.10
Mitigation steps: Update to User Feedback plugin version 1.0.10 or greater.
wpDiscuz – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-46309
Number of Installations: 80,000+
Affected Software: wpDiscuz <= 7.6.10
Patched Versions: wpDiscuz 7.6.11
Mitigation steps: Update to wpDiscuz plugin version 7.6.11 or greater.
VK Blocks – Stored Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-5706
Number of Installations: 80,000+
Affected Software: VK Blocks <= 1.63.0.1
Patched Versions: VK Blocks 1.64.0.0
Mitigation steps: Update to VK Blocks plugin version 1.64.0.0 or a newer patched version.
Media Library Assistant – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-24385
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.11
Patched Versions: Media Library Assistant 3.12
Mitigation steps: Update to Media Library Assistant version 3.12 or greater.
Customer Reviews for WooCommerce – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-45101
Number of Installations: 60,000+
Affected Software: Customer Reviews for WooCommerce <= 5.36.0
Patched Versions: Customer Reviews for WooCommerce 5.36.1
Mitigation steps: Update to Customer Reviews for WooCommerce plugin version 5.36.1 or greater.
Form Maker by 10Web – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-45070
Number of Installations: 60,000+
Affected Software: Form Maker by 10Web <= 1.15.18
Patched Versions: Form Maker by 10Web 1.15.19
Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.19 or greater.
Booster for WooCommerce – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-5638
Number of Installations: 60,000+
Affected Software: Booster for WooCommerce <= 7.1.2
Patched Versions: Booster for WooCommerce 7.1.3
Mitigation steps: Update to Booster for WooCommerce plugin version 7.1.3 or greater.
Master Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
Number of Installations: 50,000+
Affected Software: Master Addons for Elementor <= 2.0.3
Patched Versions: Master Addons for Elementor 2.0.4
Mitigation steps: Update to Master Addons for Elementor plugin version 2.0.4 or greater.
News & Blog Designer Pack – Local File Inclusion
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Remote Code Execution
CVE: CVE-2023-5815
Number of Installations: 30,000+
Affected Software: News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1
Patched Versions: News & Blog Designer Pack – WordPress Blog Plugin 3.4.2
Mitigation steps: Update to News & Blog Designer Pack version 3.4.2 or greater.
Giveaways and Contests by RafflePress – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting via Shortcode
CVE: CVE-2023-5049
Number of Installations: 20,000+
Affected Software: Giveaways and Contests by RafflePress <= 1.12.0
Patched Versions: Giveaways and Contests by RafflePress 1.12.2
Mitigation steps: Update to Giveaways and Contests by RafflePress plugin version 1.12.2 or greater.
Store Exporter for WooCommerce – Reflected Cross-Site Scripting
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
Number of Installations: 10,000+
Affected Software: Store Exporter for WooCommerce <= 2.7.2
Patched Versions: Store Exporter for WooCommerce 2.7.2.1
Mitigation steps: Update to Store Exporter for WooCommerce plugin version 2.7.2.1 or greater.
10Web Booster – Arbitrary Option Deletion
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
Number of Installations: 80,000+
Affected Software: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer <= 2.24.14
Patched Versions: 10Web Booster 2.24.18
Mitigation steps: Update to 10Web Booster plugin version 2.24.18 or greater.
WP EXtra – Missing Authorization
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Missing Authorization
CVE: CVE-2023-5311
Number of Installations: 10,000+
Affected Software: WP EXtra <= 6.2
Patched Versions: WP EXtra 6.3
Mitigation steps: Update to WP EXtra plugin version 6.3 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.
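A quick way to act on a roundup like this is to compare a site's installed plugin versions against the affected ranges. The script below is an added example, not code from Sucuri or from any of the plugins listed; it assumes WP-CLI output from `wp plugin list --fields=title,version,status --format=json`, and the sample JSON it runs on is constructed, not taken from a real site. Only a subset of the entries above is encoded in the table, and the version comparison pads shorter versions so that 2.7.2.1 is correctly treated as newer than 2.7.2.

```python
"""Check installed WordPress plugin versions against this month's affected ranges."""
import json
import re

# Subset of the roundup above: (plugin title, last vulnerable version, first patched version).
# Extend this list with the remaining entries as needed.
AFFECTED = [
    ("LiteSpeed Cache", "5.6", "5.7"),
    ("All In One WP Security", "5.2.4", "5.2.5"),
    ("Post SMTP", "2.6.0", "2.6.1"),
    ("VK Blocks", "1.63.0.1", "1.64.0.0"),
    ("Store Exporter for WooCommerce", "2.7.2", "2.7.2.1"),
    ("WP EXtra", "6.2", "6.3"),
]

def version_key(v):
    """Turn '1.63.0.1' into a tuple of ints; suffixes such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_vulnerable(installed, last_vulnerable):
    """True when installed <= last vulnerable version (component-wise, zero-padded)."""
    a, b = version_key(installed), version_key(last_vulnerable)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))

def find_vulnerable(plugin_list_json):
    """Parse WP-CLI plugin list JSON and return (title, installed, fixed, status) for each match."""
    hits = []
    for p in json.loads(plugin_list_json):
        for title, last_bad, fixed in AFFECTED:
            if p["title"] == title and is_vulnerable(p["version"], last_bad):
                hits.append((title, p["version"], fixed, p["status"]))
    return hits

# Constructed sample of `wp plugin list` JSON output (not from a real site).
SAMPLE = json.dumps([
    {"title": "LiteSpeed Cache", "version": "5.6", "status": "active"},
    {"title": "VK Blocks", "version": "1.63.0.1", "status": "active"},
    {"title": "Post SMTP", "version": "2.6.1", "status": "inactive"},
    {"title": "Store Exporter for WooCommerce", "version": "2.7.2.1", "status": "active"},
])

if __name__ == "__main__":
    for title, ver, fixed, status in find_vulnerable(SAMPLE):
        print(f"{title} {ver} ({status}): update to {fixed} or later")
```

Inactive plugins still count: the vulnerable code remains on disk, so update or remove them rather than relying on deactivation.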