WordPress Vulnerability & Patch Roundup December 2023

December WordPress Vulnerability Roundup

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.


Elementor Website Builder – Arbitrary File Upload

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2023-48777
Number of Installations: 5,000,000+
Affected Software: Elementor <= 3.18.1
Patched Versions: Elementor 3.18.2

Mitigation steps: Update to Elementor Website Builder plugin version 3.18.2 or greater.


Limit Login Attempts Reloaded – Cross Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6934
Number of Installations: 2,000,000+
Affected Software: Limit Login Attempts Reloaded <= 2.25.26
Patched Versions: Limit Login Attempts Reloaded 2.25.27

Mitigation steps: Update to Limit Login Attempts Reloaded plugin version 2.25.27 or greater.


WooCommerce Payments – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-49828
Number of Installations: 700,000+
Affected Software: WooCommerce Payments <= 6.4.2
Patched Versions: WooCommerce Payments 6.5.0

Mitigation steps: Update to WooCommerce Payments plugin version 6.5.0 or greater.


Spectra WordPress Gutenberg Blocks – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-49833
Number of Installations: 600,000+
Affected Software: Spectra WordPress Gutenberg Blocks <= 2.7.9
Patched Versions: Spectra WordPress Gutenberg Blocks 2.7.10

Mitigation steps: Update to Spectra WordPress Gutenberg Blocks plugin version 2.7.10 or greater.


WP Shortcodes Ultimate Plugin – Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6488
Number of Installations: 600,000+
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.0
Patched Versions: WP Shortcodes Plugin — Shortcodes Ultimate 7.0.1

Mitigation steps: Update to WP Shortcodes Plugin — Shortcodes Ultimate version 7.0.1 or greater.


WP Go Maps – Cross Site Scripting

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6627
Number of Installations: 400,000+
Affected Software: WP Go Maps < 9.0.28
Patched Versions: WP Go Maps 9.0.28

Mitigation steps: Update to WP Go Maps plugin version 9.0.28 or greater.


Photo Gallery by 10Web – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6924
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.18
Patched Versions: Photo Gallery by 10Web 1.8.19

Mitigation steps: Update to Photo Gallery by 10Web version 1.8.19 or greater.


Login Lockdown – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Injection
CVE: CVE-2023-50837
Number of Installations: 100,000+
Affected Software: Login Lockdown <= 2.06
Patched Versions: Login Lockdown 2.07

Mitigation steps: Update to Login Lockdown plugin version 2.07 or greater.


Burst Statistics  – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Injection
CVE: CVE-2023-5761
Number of Installations: 100,000+
Affected Software: Burst Statistics – Privacy-Friendly Analytics for WordPress 1.4.0 - 1.4.6.1
Patched Versions: Burst Statistics – Privacy-Friendly Analytics for WordPress 1.5.0

Mitigation steps: Update to Burst Statistics – Privacy-Friendly Analytics for WordPress plugin version 1.5.0 or greater.


Advanced Database Cleaner – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Injection
CVE: CVE-2023-49764
Number of Installations: 100,000+
Affected Software: Advanced Database Cleaner <= 3.1.2
Patched Versions: Advanced Database Cleaner 3.1.3

Mitigation steps: Update to Advanced Database Cleaner plugin version 3.1.3 or greater.


SpeedyCache – Server-Side Request Forgery

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Server-Side Request Forgery (SSRF)
CVE: CVE-2023-49746
Number of Installations: 100,000+
Affected Software: SpeedyCache <= 1.1.2
Patched Versions: SpeedyCache 1.1.3

Mitigation steps: Update to SpeedyCache plugin version 1.1.3 or greater.


Manage Notification E-mails – Missing Authorization

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Missing Authorization
CVE: CVE-2023-6496
Number of Installations: 100,000+
Affected Software: Manage Notification E-mails <= 1.8.5
Patched Versions: Manage Notification E-mails 1.8.6

Mitigation steps: Update to Manage Notification E-mails plugin version 1.8.6 or greater.


Shortcoder – Missing Authorization

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Missing Authorization
CVE: CVE-2023-49849
Number of Installations: 100,000+
Affected Software: Shortcoder <= 6.3
Patched Versions: Shortcoder 6.3.1

Mitigation steps: Update to Shortcoder plugin version 6.3.1 or greater.


Menu Image Icons Made Easy – Cross Site Scripting

Security Risk: Medium
Exploitation Level: Requires Administrator level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-50826
Number of Installations: 100,000+
Affected Software: Menu Image Icons Made Easy <= 3.10
Patched Versions: Menu Image Icons Made Easy 3.11

Mitigation steps: Update to Menu Image Icons Made Easy plugin version 3.11 or greater.


AMP for WP – Cross Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-6782
Number of Installations: N/A
Affected Software: AMP for WP <= 1.0.92
Patched Versions: AMP for WP 1.0.92.1

Mitigation steps: Update to AMP for WP plugin version 1.0.92.1 or greater.


Backup Migration – Remote Code Execution

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Code Injection
CVE: CVE-2023-6553
Number of Installations: 90,000+
Affected Software: Backup Migration <= 1.3.7
Patched Versions: Backup Migration 1.3.8

Mitigation steps: Update to Backup Migration plugin version 1.3.8 or greater.


Import and Export Users and Customers – Cross Site Scripting

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-6624
Number of Installations: 80,000+
Affected Software: Import and Export Users and Customers <= 1.24.3
Patched Versions: Import and Export Users and Customers 1.24.4

Mitigation steps: Update to Import and Export Users and Customers plugin version 1.24.3 or greater.


Export and Import Users and Customers – Arbitrary File Upload

Security Risk: Medium
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: Unrestricted Upload of File with Dangerous Type
CVE: CVE-2023-6558
Number of Installations: 80,000+
Affected Software: Export and Import Users and Customers <= 2.4.8
Patched Versions: Export and Import Users and Customers 2.4.9

Mitigation steps: Update to Export and Import Users and Customers plugin version 2.4.9 or greater.


EmbedPress – Missing Authorization

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Missing Authorization
Number of Installations: 80,000+
Affected Software: EmbedPress <= 3.9.4
Patched Versions: EmbedPress 3.9.5

Mitigation steps: Update to EmbedPress plugin version 3.9.5 or greater.


Amelia – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-50860
Number of Installations: 60,000+
Affected Software: Amelia <= 1.0.85
Patched Versions: Amelia 1.0.86

Mitigation steps: Update to Amelia plugin version 1.0.86 or greater.


Bold Page Builder – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-49823
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 4.6.1
Patched Versions: Bold Page Builder 4.7.0

Mitigation steps: Update to Bold Page Builder plugin version 4.7.0 or greater.


Ajax Load More – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-50874
Number of Installations: 50,000+
Affected Software: Ajax Load More <= 6.1.0.1
Patched Versions: Ajax Load More 6.2.0

Mitigation steps: Update to Ajax Load More plugin version 6.2.0 or greater.


Simple Membership – Cross Site Scripting

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-50376
Number of Installations: 50,000+
Affected Software: Simple Membership <= 4.3.8
Patched Versions: Simple Membership 4.3.9

Mitigation steps: Update to Simple Membership plugin version 4.3.9 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.

You May Also Like