WordPress Vulnerability & Patch Roundup February 2023
2023-2-28 00:59:14 Author: blog.sucuri.net(查看原文) 阅读量:39 收藏

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.


All-In-One Security (AIOS) – Directory Traversal

Security Risk: Low
Exploitation Level: Requires Admin or other high level authentication.
Exploitation Level: Sensitive Data Exposure
Number of Installations: 1,000,000+
Affected Software: All-In-One Security (AIOS) – Security and Firewall <= 5.1.4
Patched Versions: All-In-One Security (AIOS) – Security and Firewall 5.1.5

The plugin is vulnerable to directory traversal potentially allowing Admins to read the contents of arbitrary files on the server.

Mitigation steps: Update to All-In-One Security (AIOS) plugin version 5.1.5 or greater.


Rank Math SEO – Local File Inclusion

Security Risk: High
Exploitation Level: Requires Contributor role or higher level authentication.
Exploitation Level: Local File Inclusion vulnerability
CVE: CVE-2023-23888
Number of Installations: 1,000,000+
Affected Software: Rank Math SEO <= 1.0.107.2
Patched Versions: Rank Math SEO 1.0.107.3

Vulnerability allows a hacker to include local files of the victim’s site and display outputs on the screen, potentially allowing an attacker to completely take over the database if they are able to access files storing credentials.

Mitigation steps: Update to Rank Math SEO plugin version 1.0.107.3 or greater.


WordPress Shortcodes Ultimate – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Exploitation Level: Cross Site Scripting (XSS)
CVE: CVE-2023-25040
Number of Installations: 700,000+
Affected Software: Shortcodes Ultimate <= 5.12.6
Patched Versions: Shortcodes Ultimate 5.12.7

Mitigation steps: Update to Shortcodes Ultimate plugin version 5.12.7 or greater.


Redirection for Contact Form 7 – Privilege Escalation

Security Risk: High
Exploitation Level: Broken Access Control
CVE: CVE-2023-23990
Number of Installations: 300,000+
Affected Software: Redirection for Contact Form 7 <= 2.7.9
Patched Versions: Redirection for Contact Form 7 2.8.0

Mitigation steps: Update to Redirection for Contact Form 7 plugin version 2.8.0 or greater.


Plugin for Google Reviews – SQL Injection

Security Risk: Critical
Exploitation Level: Subscriber or other high level authentication required.
Exploitation Level: Injection
CVE: CVE-2022-44580
Number of Installations: 100,000+
Affected Software: Plugin for Google Reviews <= 2.2.3
Patched Versions: Plugin for Google Reviews 2.2.4

Mitigation steps: Update to Plugin for Google Reviews version 2.2.4 or greater.


Profile Builder – Sensitive Information Disclosure

Security Risk: High
Exploitation Level: Subscriber or other high level authentication required.
Exploitation Level: Sensitive Information Disclosure
CVE: CVE-2023-0814
Number of Installations: 60,000+
Affected Software: Profile Builder  <= 3.9.0
Patched Versions: Profile Builder 3.9.1

Mitigation steps: Update to Profile Builder plugin version 3.9.1 or greater.


Ocean Extra – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or other high level authentication required.
Exploitation Level: Cross Site Scripting (XSS)
CVE: CVE-2023-24399
Number of Installations: 700,000+
Affected Software: Ocean Extra <= 2.1.2
Patched Versions: Ocean Extra 2.1.3

Mitigation steps: Update to Ocean Extra plugin version 2.1.3 or greater.


ProfilePress – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required
Exploitation Level: Cross Site Scripting (XSS)
CVE: CVE-2023-23820
Number of Installations: 300,000+
Affected Software: ProfilePress <= 4.5.4
Patched Versions: ProfilePress 4.5.5

Mitigation steps: Update to ProfilePress version 4.5.5 or greater.


VK All in One Expansion Unit – Stored Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or other high level authentication.
Exploitation Level: Cross Site Scripting
CVE: CVE-2023-0230
Number of Installations: 100,000+
Affected Software: VK All in One Expansion Unit <= 9.86.0.0
Patched Versions: VK All in One Expansion Unit 9.86.0.0

Mitigation steps: Update to VK All in One Expansion Unit plugin version 9.86.0.0 or greater.


Metform Elementor Contact Form Builder – Stored XSS

Security Risk: CriticalHigh
Exploitation Level: No authentication required.
Exploitation Level: Cross Site Scripting
CVE: CVE-2023-0084
Number of Installations: 100,000+
Affected Software: Metform Elementor Contact Form Builder <= 3.1.2
Patched Versions: Metform Elementor Contact Form Builder 3.2.0

Mitigation steps: Update to Metform Elementor Contact Form Builder plugin version 3.2.0 or greater.


Media Library Assistant – SQL Injection

Security Risk: LowMedium
Exploitation Level: Requires Admin.
Exploitation Level: Injection
CVE: CVE-2023-0279
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.05
Patched Versions: Media Library Assistant 3.06

Mitigation steps: Update to Media Library Assistant plugin version 3.06 or greater.


wpDataTables – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or other high level authentication.
Exploitation Level: Cross Site Scripting (XSS)
CVE: CVE-2023-23876
Number of Installations: 70,000+
Affected Software: wpDataTables <= 2.1.49
Patched Versions: wpDataTables 2.1.50

Mitigation steps: Update to wpDataTables plugin version 2.1.50 or greater.


Profile Builder – Sensitive Information Disclosure

Security Risk: Medium
Exploitation Level:
Exploitation Level: Sensitive Information Disclosure
CVE: CVE-2023-0814
Number of Installations: 60,000+
Affected Software: Profile Builder <= 3.9.0
Patched Versions: Profile Builder 3.9.1

Mitigation steps: Update to Profile Builder – User Profile & User Registration Forms plugin version 3.9.1 or greater.


Table Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator permissions
Exploitation Level: Cross Site Scripting (XSS)
CVE: CVE-2022-46852
Number of Installations: 60,000+
Affected Software: WP Table Builder – WordPress Table Plugin <= 1.4.6
Patched Versions: WP Table Builder – WordPress Table Plugin 1.4.7

Mitigation steps: Update to Table Builder version 1.4.7 or greater.


Print Invoice & Delivery Notes for WooCommerce – Reflected XSS

Security Risk: High
Exploitation Level: No authentication required.
Exploitation Level: Cross Site Scripting (XSS)
CVE: CVE-2023-0479
Number of Installations: 40,000+
Affected Software: Print Invoice & Delivery Notes for WooCommerce <= 4.7.1
Patched Versions: Print Invoice & Delivery Notes for WooCommerce 4.7.2

Mitigation steps: Update to Print Invoice & Delivery Notes for WooCommerce plugin version 4.7.2 or greater.


Ditty – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or other high level authentication.
Exploitation Level: Cross Site Scripting (XSS)
CVE: CVE-2023-23874
Number of Installations: 40,000+
Affected Software: Ditty WordPress Plugin <= 3.0.32
Patched Versions: Ditty WordPress Plugin 3.0.33

Mitigation steps: Update to Ditty plugin version 3.0.33 or greater.


Quiz And Survey Master – Arbitrary Media Deletion

Security Risk: Medium
Exploitation Level: No authentication required.
Exploitation Level: Arbitrary Media Deletion
CVE: CVE-2023-0291
Number of Installations: 40,000+
Affected Software: Quiz And Survey Master for WordPress <= 8.0.8
Patched Versions: Quiz And Survey Master for WordPress 8.0.9

Mitigation steps: Update to Quiz And Survey Master plugin version 8.0.9 or greater.


All-In-One Floating Contact Form – SQL Injection

Security Risk: Medium
Exploitation Level: Authenticated (Admin+)
Exploitation Level: SQL Injection
CVE: CVE-2023-0487
Number of Installations: 40,000+
Affected Software: All-In-One Floating Contact Form <= 2.0.8
Patched Versions: All-In-One Floating Contact Form 2.0.9

Mitigation steps: Update to All-In-One Floating Contact Form plugin version 2.0.9 or greater.


Visualizer: Tables and Charts Manager – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or other high level authentication.
Exploitation Level: Cross Site Scripting (XSS)
CVE: CVE-2023-23708
Number of Installations: 40,000+
Affected Software: Visualizer: Tables and Charts Manager for WordPress <= 3.9.3
Patched Versions: Visualizer: Tables and Charts Manager for WordPress 3.9.4

Mitigation steps: Update to Visualizer: Tables and Charts Manager for WordPress plugin version 3.9.4 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.


文章来源: https://blog.sucuri.net/2023/02/wordpress-vulnerability-patch-roundup-february-2023.html
如有侵权请联系:admin#unsafe.sh