Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
WooCommerce – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
Number of Installations: 5,000,000+
Affected Software: WooCommerce < 8.4.0
Patched Versions: WooCommerce 8.4.0
Mitigation steps: Update to WooCommerce plugin version 8.4.0 or greater.
Essential Addons for Elementor – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-7044
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.4
Patched Versions: Essential Addons for Elementor 5.9.5
Mitigation steps: Update to Essential Addons for Elementor version 5.9.5 or greater.
Hostinger – Unauthorized Plugin Settings Update
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Missing Authorization
CVE: CVE-2023-6751
Number of Installations: 2,000,000+
Affected Software: Hostinger <= 1.9.7
Patched Versions: Hostinger 1.9.8
Mitigation steps: Update to Hostinger plugin version 1.9.8 or greater.
Complianz GDPR/CCPA Cookie Consent – Cross-Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6498
Number of Installations: 800,000+
Affected Software: Complianz GDPR/CCPA Cookie Consent <= 6.5.5
Patched Versions: Complianz GDPR/CCPA Cookie Consent 6.5.6
Mitigation steps: Update to Complianz GDPR/CCPA Cookie Consent plugin version 6.5.6 or greater.
LightStart – Missing Authorization
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Missing Authorization
CVE: CVE-2023-7019
Number of Installations: 700,000+
Affected Software: LightStart <= 2.6.8
Patched Versions: LightStart 2.6.9
Mitigation steps: Update to LightStart plugin version 2.6.9 or greater.
Happy Elementor Addons – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
Number of Installations: 400,000+
Affected Software: Happy Elementor Addons <= 3.10.0
Patched Versions: Happy Elementor Addons 3.10.1
Mitigation steps: Update to Happy Elementor Addons plugin version 3.10.1 or greater.
FluentForm – Cross-Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Administrator authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2024-0618
Number of Installations: 400,000+
Affected Software: FluentForm <= 5.1.5
Patched Versions: FluentForm 5.1.7
Mitigation steps: Update to FluentForm plugin version 5.1.7 or greater.
WP Google Maps – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6697
Number of Installations: 400,000+
Affected Software: WP Google Maps <= 9.0.28
Patched Versions: WP Google Maps 9.0.29
Mitigation steps: Update to WP Google Maps plugin version 9.0.29 or greater.
OMGF GDPR/DSGVO Compliant, Faster Google Fonts – Cross-Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Missing Authorization & Cross-Site Scripting
CVE: CVE-2023-6600
Number of Installations: 300,000+
Affected Software: OMGF <= 5.7.9
Patched Versions: OMGF 5.7.10
Mitigation steps: Update to OMGF GDPR/DSGVO Compliant, Faster Google Fonts plugin version 5.7.10 or greater.
POST SMTP Mailer – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-7027
Number of Installations: 300,000+
Affected Software: POST SMTP Mailer <= 2.8.7
Patched Versions: POST SMTP Mailer 2.8.8
Mitigation steps: Update to POST SMTP Mailer plugin version 2.8.8 or greater.
PDF Invoices & Packing Slips for WooCommerce – SQL Injection
Security Risk: Medium
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-22147
Number of Installations: 300,000+
Affected Software: PDF Invoices & Packing Slips for WooCommerce <= 3.7.5
Patched Versions: PDF Invoices & Packing Slips for WooCommerce 3.7.6
Mitigation steps: Update to PDF Invoices & Packing Slips for WooCommerce plugin version 3.7.6 or greater.
Orbit Fox Companion – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2024-0508
Number of Installations: 200,000+
Affected Software: Orbit Fox Companion <= 2.10.27
Patched Versions: Orbit Fox Companion 2.10.28
Mitigation steps: Update to Orbit Fox Companion plugin version 2.10.28 or greater.
PageLayer – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6738
Number of Installations: 200,000+
Affected Software: PageLayer <= 1.7.8
Patched Versions: PageLayer 1.7.9
Mitigation steps: Update to PageLayer plugin version 1.7.9 or greater.
GiveWP – Cross-Site Scripting (XSS)
Security Risk: High
Exploitation Level: Contributor authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-51415
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.2.2
Patched Versions: GiveWP 3.3.0
Mitigation steps: Update to GiveWP plugin version 3.3.0 or greater.
AMP for WP – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2024-0587
Number of Installations: 100,000+
Affected Software: AMP for WP <= 1.0.92.1
Patched Versions: AMP for WP 1.0.93
Mitigation steps: Update to AMP for WP plugin version 1.0.93 or greater.
Filebird – Cross-Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Administrator authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2024-0691
Number of Installations: N/A
Affected Software: Filebird <= 5.6.0
Patched Versions: Filebird 5.6.1
Mitigation steps: Update to Filebird plugin version 5.6.1 or greater.
Essential Blocks – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-7071
Number of Installations: 100,000+
Affected Software: Essential Blocks <= 4.4.6
Patched Versions: Essential Blocks 4.4.7
Mitigation steps: Update to Essential Blocks plugin version 4.4.7 or greater.
Schema & Structured Data for WP & AMP – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2024-22146
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP <= 1.25
Patched Versions: Schema & Structured Data for WP & AMP 1.26
Mitigation steps: Update to Schema & Structured Data for WP & AMP plugin version 1.26 or greater.
WordPress Button Plugin MaxButtons – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6594
Number of Installations: 100,000+
Affected Software: WordPress Button Plugin MaxButtons <= 9.7.4
Patched Versions: WordPress Button Plugin MaxButtons 9.7.6
Mitigation steps: Update to WordPress Button Plugin MaxButtons plugin version 9.7.6 or greater.
List category posts – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6994
Number of Installations: 100,000+
Affected Software: List category posts <= 0.89.3
Patched Versions: List category posts 0.89.4
Mitigation steps: Update to List category posts plugin version 0.89.4 or greater.
Plugin for Google Reviews – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6884
Number of Installations: 100,000+
Affected Software: Plugin for Google Reviews <= 3.1
Patched Versions: Plugin for Google Reviews 3.2
Mitigation steps: Update to Plugin for Google Reviews plugin version 3.2 or greater.
LearnPress – SQL Injection (SQLi)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2023-6634
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.5.7
Patched Versions: LearnPress 4.2.5.8
Mitigation steps: Update to LearnPress plugin version 4.2.5.8 or greater.
EmbedPress – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6986
Number of Installations: 80,000+
Affected Software: EmbedPress < 3.9.5
Patched Versions: EmbedPress 3.9.6
Mitigation steps: Update to EmbedPress plugin version 3.9.6 or greater.
3D Flipbook – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6776
Number of Installations: 70,000+
Affected Software: 3D Flipbook <= 1.15.2
Patched Versions: 3D Flipbook 1.15.3
Mitigation steps: Update to 3D Flipbook plugin version 1.15.3 or greater.
WP RSS Aggregator – Cross-Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Admin level authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2024-0630
Number of Installations: 60,000+
Affected Software: WP RSS Aggregator <= 4.23.4
Patched Versions: WP RSS Aggregator 4.23.5
Mitigation steps: Update to WP RSS Aggregator plugin version 4.23.5 or greater.
Amelia – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6808
Number of Installations: 60,000+
Affected Software: Amelia <= 1.0.93
Patched Versions: Amelia 1.0.94
Mitigation steps: Update to Amelia plugin version 1.0.94 or greater.
MapPress Maps for WordPress – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6524
Number of Installations: 50,000+
Affected Software: MapPress Maps for WordPress <= 2.88.16
Patched Versions: MapPress Maps for WordPress 2.88.17
Mitigation steps: Update to MapPress Maps for WordPress plugin version 2.88.17 or greater.
WP Recipe Maker – Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6958
Number of Installations: 50,000+
Affected Software: WP Recipe Maker <= 9.1.0
Patched Versions: WP Recipe Maker 9.1.1
Mitigation steps: Update to WP Recipe Maker plugin version 9.1.1 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.
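A quick way to act on a roundup like this is to compare what a site actually has installed against the patched versions. The script below is an added example, not Sucuri's code or a tool from any of the plugins named here: it reads the JSON that `wp plugin list --format=json` prints (fields name, status, update, version), compares each installed version numerically against a subset of the advisories above, and lists the plugins still inside an affected range. The plugin slugs in the table are assumed from the wordpress.org directory, since the roundup gives only display names, and the plugin list it runs on is a constructed sample. The numeric comparison matters: a plain string comparison would rank 9.7.10 below 9.7.4 and wrongly flag an already-updated MaxButtons install, and the table keeps the distinction between "< 8.4.0" (the boundary is the fix) and "<= 4.2.5.7" (the boundary is still vulnerable).

```python
"""Audit installed WordPress plugins against this roundup's patched versions.

Added example, not Sucuri's code. Input is the JSON printed by
`wp plugin list --format=json` (fields: name, status, update, version).
Plugin slugs below are assumed from the wordpress.org directory.
"""
import json
import re

# Subset of the roundup, keyed by (assumed) plugin slug:
#   slug -> (bound operator, boundary version, first patched version)
# "<=" : the boundary version itself is still vulnerable (LearnPress <= 4.2.5.7)
# "<"  : the boundary version is already the fix (WooCommerce < 8.4.0)
ADVISORIES = {
    "woocommerce":                         ("<",  "8.4.0",    "8.4.0"),
    "essential-addons-for-elementor-lite": ("<=", "5.9.4",    "5.9.5"),
    "wp-google-maps":                      ("<=", "9.0.28",   "9.0.29"),
    "learnpress":                          ("<=", "4.2.5.7",  "4.2.5.8"),
    "accelerated-mobile-pages":            ("<=", "1.0.92.1", "1.0.93"),
    "maxbuttons":                          ("<=", "9.7.4",    "9.7.6"),
    "embedpress":                          ("<",  "3.9.5",    "3.9.6"),
}


def parse_version(version: str) -> tuple:
    """Turn '4.2.5.7' into (4, 2, 5, 7) so comparisons are numeric, not lexical.

    Trailing zeros are dropped so '8.4' and '8.4.0' compare equal.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed: str, op: str, boundary: str) -> bool:
    """True if `installed` lies inside the advisory's affected range."""
    have, bound = parse_version(installed), parse_version(boundary)
    return have < bound if op == "<" else have <= bound


def audit(wp_plugin_list_json: str) -> list:
    """Return [(slug, installed, patched, status)] for plugins still exposed.

    Inactive plugins are reported as well: their files stay on disk, and an
    outdated plugin that is merely deactivated is still an outdated plugin.
    """
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        advisory = ADVISORIES.get(plugin["name"])
        if advisory is None:
            continue  # not covered by this roundup
        op, boundary, patched = advisory
        if is_affected(plugin["version"], op, boundary):
            findings.append((plugin["name"], plugin["version"], patched, plugin["status"]))
    return findings


# Constructed sample of `wp plugin list --format=json` output, not data from a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "woocommerce",              "status": "active",   "update": "available", "version": "8.3.1"},
    {"name": "wp-google-maps",           "status": "active",   "update": "none",      "version": "9.0.29"},
    {"name": "accelerated-mobile-pages", "status": "active",   "update": "available", "version": "1.0.92.1"},
    {"name": "learnpress",               "status": "inactive", "update": "available", "version": "4.2.5.7"},
    {"name": "maxbuttons",               "status": "active",   "update": "none",      "version": "9.7.10"},
    {"name": "embedpress",               "status": "active",   "update": "none",      "version": "3.9.5"},
    {"name": "akismet",                  "status": "active",   "update": "none",      "version": "5.3"},
])

if __name__ == "__main__":
    # On a real site: wp plugin list --format=json > plugins.json, then feed that file in.
    for slug, installed, patched, status in audit(SAMPLE_WP_PLUGIN_LIST):
        print(f"{slug}: {installed} installed ({status}); update to {patched} or greater")
```

On the sample, WooCommerce 8.3.1, AMP for WP 1.0.92.1 and the inactive LearnPress 4.2.5.7 are reported; WP Google Maps 9.0.29, MaxButtons 9.7.10 and EmbedPress 3.9.5 are not, because each is at or past its patched version. Extending the table to the full roundup is a matter of adding rows, with the slug for each plugin taken from its wordpress.org listing.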