Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
Elementor Website Builder – Stored Cross-Site Scripting
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2023-47505 Number of Installations: 5,000,000+ Affected Software: Elementor Website Builder <= 3.16.4 Patched Versions: Elementor Website Builder 3.16.5
Mitigation Steps: Update to Elementor Website Builder plugin version 3.16.5 or greater.
WooCommerce Checkout Manager – Missing Authorization
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2023-47681 Number of Installations: 100,000+ Affected Software: WooCommerce Checkout Manager <= 7.3.0 Patched Versions: WooCommerce Checkout Manager 7.3.1
Mitigation Steps: Update to WooCommerce Checkout Manager version 7.3.1 or greater.
NitroPack – Missing Authorization
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Missing Authorization Number of Installations: 100,000+ Affected Software: NitroPack <= 1.9.2 Patched Versions: NitroPack 1.10.0
Mitigation Steps: Update to NitroPack plugin version 1.10.0 or greater.
Cloud Templates & Patterns Collection – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2023-47529 Number of Installations: 100,000+ Affected Software: Cloud Templates & Patterns collection <= 1.2.2 Patched Versions: Cloud Templates & Patterns collection 1.2.3
Mitigation Steps: Update to Cloud Templates & Patterns Collection plugin version 1.2.3 or greater.
LearnPress – Reflected Cross-Site Scripting
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Cross-Site Scripting (XSS) Number of Installations: 90,000+ Affected Software: LearnPress – WordPress LMS Plugin <= 4.2.5.3 Patched Versions: LearnPress – WordPress LMS Plugin 4.2.5.4
Mitigation Steps: Update to LearnPress – WordPress LMS Plugin version 4.2.5.4 or greater.
Advanced iFrame – Stored Cross-Site Scripting
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2023-4775 Number of Installations: 60,000+ Affected Software: Advanced iFrame <= 2023.8 Patched Versions: Advanced iFrame 2023.9Mitigation Steps: Update to Advanced iFrame plugin version 2023.9 or greater.
Ultimate Dashboard – Stored Cross-Site Scripting
Security Risk: Low Exploitation Level: Requires Admin authentication. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2023-4726 Number of Installations: 60,000+ Affected Software: Ultimate Dashboard <= 3.7.7 Patched Versions: Ultimate Dashboard 3.7.8
Mitigation Steps: Update to Ultimate Dashboard plugin version 3.7.8 or greater.
Solid Central – Stored Cross-Site Scripting
Security Risk: Low Exploitation Level: No authentication required. Vulnerability: Cross-Site Scripting (XSS) Number of Installations: 50,000+ Affected Software: Solid Central <= 3.0.0 Patched Versions: Solid Central 3.0.1
Mitigation Steps: Update to Solid Central plugin version 3.0.1 or greater.
Easy Social Icons – Missing Authorization
Security Risk: Low Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2023-33998 Number of Installations: 30,000+ Affected Software: Easy Social Icons <= 3.2.4 Patched Versions: Easy Social Icons 3.2.5
Mitigation Steps: Update to Easy Social Icons plugin version 3.2.5 or greater.
OneClick Chat to Order – Stored Cross-Site Scripting
Security Risk: Low Exploitation Level: Requires Admin authentication and a multi-site installation where unfiltered_html has been disabled. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2023-47546 Number of Installations: 30,000+ Affected Software: OneClick Chat to Order <= 1.0.4.2 Patched Versions: OneClick Chat to Order 1.0.5
Mitigation Steps: Update to OneClick Chat to Order plugin version 1.0.5 or greater.
Social Sharing Plugin – Social Warfare – Stored Cross-Site Scripting
Security Risk: Low Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2023-4842 Number of Installations: 30,000+ Affected Software: Social Sharing Plugin - Social Warfare <= 4.4.3 Patched Versions: Social Sharing Plugin - Social Warfare 4.4.4
Mitigation Steps: Update to Social Sharing Plugin – Social Warfare plugin version 4.4.4 or greater.
Ultimate Addons for Contact Form 7 – Missing Authorization
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2023-47693 Number of Installations: 30,000+ Affected Software: Ultimate Addons for Contact Form 7 <= 3.2.10 Patched Versions: Ultimate Addons for Contact Form 7 3.2.11
Mitigation Steps: Update to Ultimate Addons for Contact Form 7 plugin version 3.2.11 or greater.
Simple Like Page Plugin – Stored Cross-Site Scripting
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2023-4888 Number of Installations: 20,000+ Affected Software: Simple Like Page Plugin <= 1.5.1 Patched Versions: Simple Like Page Plugin 1.5.2
Mitigation Steps: Update to Simple Like Page Plugin version 1.5.2 or greater.
Delete Duplicate Posts – Missing Authorization
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2023-47754 Number of Installations: 20,000+ Affected Software: Delete Duplicate Posts < 4.9 Patched Versions: Delete Duplicate Posts 4.9
Mitigation Steps: Update to Delete Duplicate Posts plugin version 4.9 or greater.
Ecwid Ecommerce Shopping Cart – Missing Authorization
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control Number of Installations: 20,000+ Affected Software: Ecwid Ecommerce Shopping Cart <= 6.12.3 Patched Versions: Ecwid Ecommerce Shopping Cart 6.12.4
Mitigation Steps: Update to Ecwid Ecommerce Shopping Cart plugin version 6.12.4 or greater.
Responsive Pricing Table – Stored Cross-Site Scripting
Security Risk: Low Exploitation Level: Requires Admin level authentication and multi-site installations where unfiltered_html has been disabled. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2023-4810 Number of Installations: 20,000+ Affected Software: Responsive Pricing Table < 5.1.8 Patched Versions: Responsive Pricing Table 5.1.8
Mitigation Steps: Update to Responsive Pricing Table plugin version 5.1.8 or greater.
Popup Box – Stored Cross-Site Scripting
Security Risk: Low Exploitation Level: Requires Admin level authentication and multi-site installations where unfiltered_html has been disabled. Vulnerability: Cross-Site Scripting (XSS) Number of Installations: 20,000+ Affected Software: Popup Box – Best WordPress Popup Plugin < 3.8.7 Patched Versions: Popup Box – Best WordPress Popup Plugin 3.8.7
Mitigation Steps: Update to Popup Box plugin version 3.8.7 or greater.
Redirect 404 Error Page to Homepage or Custom Page with Logs – SQL Injection
Security Risk: Low Exploitation Level: Requires Admin level authentication. Vulnerability: SQL Injection CVE: CVE-2023-47530 Number of Installations: 20,000+ Affected Software: Redirect 404 Error Page to Homepage or Custom Page with Logs <= 1.8.7 Patched Versions: Redirect 404 Error Page to Homepage or Custom Page with Logs 1.8.8
Mitigation Steps: Update to Redirect 404 Error Page to Homepage or Custom Page with Logs plugin version 1.8.8 or greater.
URL Shortify – Stored Cross-Site Scripting
Security Risk: Low Exploitation Level: Requires Admin level authentication and multi-site installations where unfiltered_html has been disabled. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2023-5605 Number of Installations: 20,000+ Affected Software: URL Shortify <= 1.7.9 Patched Versions: URL Shortify 1.7.9.1
Mitigation Steps: Update to URL Shortify plugin version 1.7.9.1 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.
Victor Santoyo
Luke Leal
Krasimir Konov
Ben Martin
Antony Garand
Denis Sinegubko
Rianna MacLeod
Daniel Cid