Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
Elementor Website Builder – Arbitrary File Upload
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2023-48777
Number of Installations: 5,000,000+
Affected Software: Elementor <= 3.18.1
Patched Versions: Elementor 3.18.2
Mitigation steps: Update to Elementor Website Builder plugin version 3.18.2 or greater.
Limit Login Attempts Reloaded – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6934
Number of Installations: 2,000,000+
Affected Software: Limit Login Attempts Reloaded <= 2.25.26
Patched Versions: Limit Login Attempts Reloaded 2.25.27
Mitigation steps: Update to Limit Login Attempts Reloaded plugin version 2.25.27 or greater.
WooCommerce Payments – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-49828
Number of Installations: 700,000+
Affected Software: WooCommerce Payments <= 6.4.2
Patched Versions: WooCommerce Payments 6.5.0
Mitigation steps: Update to WooCommerce Payments plugin version 6.5.0 or greater.
Spectra WordPress Gutenberg Blocks – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-49833
Number of Installations: 600,000+
Affected Software: Spectra WordPress Gutenberg Blocks <= 2.7.9
Patched Versions: Spectra WordPress Gutenberg Blocks 2.7.10
Mitigation steps: Update to Spectra WordPress Gutenberg Blocks plugin version 2.7.10 or greater.
WP Shortcodes Ultimate Plugin – Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6488
Number of Installations: 600,000+
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.0
Patched Versions: WP Shortcodes Plugin — Shortcodes Ultimate 7.0.1
Mitigation steps: Update to WP Shortcodes Plugin — Shortcodes Ultimate version 7.0.1 or greater.
WP Go Maps – Cross Site Scripting
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6627
Number of Installations: 400,000+
Affected Software: WP Go Maps < 9.0.28
Patched Versions: WP Go Maps 9.0.28
Mitigation steps: Update to WP Go Maps plugin version 9.0.28 or greater.
Photo Gallery by 10Web – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6924
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.18
Patched Versions: Photo Gallery by 10Web 1.8.19
Mitigation steps: Update to Photo Gallery by 10Web version 1.8.19 or greater.
Login Lockdown – SQL Injection
Security Risk: Medium
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Injection
CVE: CVE-2023-50837
Number of Installations: 100,000+
Affected Software: Login Lockdown <= 2.06
Patched Versions: Login Lockdown 2.07
Mitigation steps: Update to Login Lockdown plugin version 2.07 or greater.
Burst Statistics – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Injection
CVE: CVE-2023-5761
Number of Installations: 100,000+
Affected Software: Burst Statistics – Privacy-Friendly Analytics for WordPress 1.4.0 - 1.4.6.1
Patched Versions: Burst Statistics – Privacy-Friendly Analytics for WordPress 1.5.0
Mitigation steps: Update to Burst Statistics – Privacy-Friendly Analytics for WordPress plugin version 1.5.0 or greater.
Advanced Database Cleaner – SQL Injection
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Injection
CVE: CVE-2023-49764
Number of Installations: 100,000+
Affected Software: Advanced Database Cleaner <= 3.1.2
Patched Versions: Advanced Database Cleaner 3.1.3
Mitigation steps: Update to Advanced Database Cleaner plugin version 3.1.3 or greater.
SpeedyCache – Server-Side Request Forgery
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Server-Side Request Forgery (SSRF)
CVE: CVE-2023-49746
Number of Installations: 100,000+
Affected Software: SpeedyCache <= 1.1.2
Patched Versions: SpeedyCache 1.1.3
Mitigation steps: Update to SpeedyCache plugin version 1.1.3 or greater.
Manage Notification E-mails – Missing Authorization
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Missing Authorization
CVE: CVE-2023-6496
Number of Installations: 100,000+
Affected Software: Manage Notification E-mails <= 1.8.5
Patched Versions: Manage Notification E-mails 1.8.6
Mitigation steps: Update to Manage Notification E-mails plugin version 1.8.6 or greater.
Shortcoder – Missing Authorization
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Missing Authorization
CVE: CVE-2023-49849
Number of Installations: 100,000+
Affected Software: Shortcoder <= 6.3
Patched Versions: Shortcoder 6.3.1
Mitigation steps: Update to Shortcoder plugin version 6.3.1 or greater.
Menu Image Icons Made Easy – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-50826
Number of Installations: 100,000+
Affected Software: Menu Image Icons Made Easy <= 3.10
Patched Versions: Menu Image Icons Made Easy 3.11
Mitigation steps: Update to Menu Image Icons Made Easy plugin version 3.11 or greater.
AMP for WP – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6782
Number of Installations: N/A
Affected Software: AMP for WP <= 1.0.92
Patched Versions: AMP for WP 1.0.92.1
Mitigation steps: Update to AMP for WP plugin version 1.0.92.1 or greater.
Backup Migration – Remote Code Execution
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Code Injection
CVE: CVE-2023-6553
Number of Installations: 90,000+
Affected Software: Backup Migration <= 1.3.7
Patched Versions: Backup Migration 1.3.8
Mitigation steps: Update to Backup Migration plugin version 1.3.8 or greater.
Import and Export Users and Customers – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6624
Number of Installations: 80,000+
Affected Software: Import and Export Users and Customers <= 1.24.3
Patched Versions: Import and Export Users and Customers 1.24.4
Mitigation steps: Update to Import and Export Users and Customers plugin version 1.24.4 or greater.
Export and Import Users and Customers – Arbitrary File Upload
Security Risk: Medium
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: Unrestricted Upload of File with Dangerous Type
CVE: CVE-2023-6558
Number of Installations: 80,000+
Affected Software: Export and Import Users and Customers <= 2.4.8
Patched Versions: Export and Import Users and Customers 2.4.9
Mitigation steps: Update to Export and Import Users and Customers plugin version 2.4.9 or greater.
EmbedPress – Missing Authorization
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Missing Authorization
Number of Installations: 80,000+
Affected Software: EmbedPress <= 3.9.4
Patched Versions: EmbedPress 3.9.5
Mitigation steps: Update to EmbedPress plugin version 3.9.5 or greater.
Amelia – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-50860
Number of Installations: 60,000+
Affected Software: Amelia <= 1.0.85
Patched Versions: Amelia 1.0.86
Mitigation steps: Update to Amelia plugin version 1.0.86 or greater.
Bold Page Builder – Stored Cross-Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-49823
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 4.6.1
Patched Versions: Bold Page Builder 4.7.0
Mitigation steps: Update to Bold Page Builder plugin version 4.7.0 or greater.
Ajax Load More – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-50874
Number of Installations: 50,000+
Affected Software: Ajax Load More <= 6.1.0.1
Patched Versions: Ajax Load More 6.2.0
Mitigation steps: Update to Ajax Load More plugin version 6.2.0 or greater.
Simple Membership – Cross Site Scripting
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-50376
Number of Installations: 50,000+
Affected Software: Simple Membership <= 4.3.8
Patched Versions: Simple Membership 4.3.9
Mitigation steps: Update to Simple Membership plugin version 4.3.9 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.