WordPress Vulnerability & Patch Roundup April 2023
2023-4-28 02:28:20 Author: blog.sucuri.net(查看原文) 阅读量:30 收藏

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.


Elementor Website Builder – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: SQL Injection
Number of Installations: 5,000,000+
Affected Software: Elementor <= 3.12.1
Patched Versions: Elementor 3.12.2

Mitigation steps: Update to Elementor Website Builder plugin version 3.12.2 or greater.


Advanced Custom Fields – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: PHP Object Injection vulnerability
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF) <= 6.0.9
Patched Versions: Advanced Custom Fields (ACF) 6.1.0

Mitigation steps: Update to Advanced Custom Fields plugin version 6.1.0 or greater.


Autoptimize – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross Site Scripting (XSS)
Number of Installations: 1,000,000+
Affected Software: Autoptimize <= 3.1.6
Patched Versions: Autoptimize 3.1.7

Mitigation steps: Update to Autoptimize plugin version 3.1.7 or greater.


All In One WP Security & Firewall – Stored Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level:
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-0157
Number of Installations: 1,000,000+
Affected Software: All In One WP Security & Firewall <= 5.1.4
Patched Versions: All In One WP Security & Firewall 5.1.5

Mitigation steps: Update to All In One WP Security & Firewall plugin version 5.1.5 or greater.


Limit Login Attempts – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication needed.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-1861
Number of Installations: 600,000+
Affected Software: Limit Login Attempts <= 1.7.1
Patched Versions: Limit Login Attempts 1.7.2

Mitigation steps: Update to Limit Login Attempts plugin version 1.7.2 or greater.


Forminator – Broken Access Control

Security Risk: Low
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Broken Access Control
Number of Installations: 400,000+
Affected Software: Forminator <= 1.23.2
Patched Versions: Forminator 1.23.3

Mitigation steps: Update to Forminator plugin version 1.23.3 or greater.


FluentForm – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-0546
Number of Installations: 300,000+
Affected Software: FluentForm <= 4.3.24
Patched Versions: FluentForm 4.3.25

Mitigation steps: Update to FluentForm plugin version 4.3.25 or greater.


Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Directory Traversal
CVE: CVE-2023-1427
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.14
Patched Versions: Photo Gallery by 10Web 1.8.15

Mitigation steps: Update to Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin version 1.8.15 or greater.


SEOPress – PHP Object Injection

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: PHP Object Injection
Number of Installations: 200,000+
Affected Software: SEOPress <= 6.5.0.2
Patched Versions: SEOPress 6.5.0.3

Mitigation steps: Update to SEOPress plugin version 6.5.0.3 or greater.


Cyr to Lat Enhanced – SQL Injection

Security Risk: High
Vulnerability: SQL Injection
CVE: CVE-2022-4290
Number of Installations: 100,000+
Affected Software: Cyr to Lat Enhanced <= 3.6
Patched Versions: Cyr to Lat Enhanced 3.7

Mitigation steps: Update to Cyr to Lat Enhanced plugin version 3.7 or greater.


Blocksy Companion – Sensitive Data Exposure

Security Risk: Low
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-1911
Number of Installations: 100,000+
Affected Software: Blocksy Companion <= 1.8.81
Patched Versions: Blocksy Companion 1.8.82

Mitigation steps: Update to Blocksy Companion plugin version 1.8.82 or greater.


Hummingbird – Path Traversal

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Path Traversal
CVE: CVE-2023-1478
Number of Installations: 100,000+
Affected Software: Hummingbird <= 3.4.1
Patched Versions: Hummingbird 3.4.2

Mitigation steps: Update to Hummingbird plugin version 3.4.2 or greater.


Slimstat Analytics – SQL Injection

Security Risk: High
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: SQL Injection
Number of Installations: 100,000+
Affected Software: Slimstat Analytics <= 4.9.3
Patched Versions: Slimstat Analytics 4.9.4

Mitigation steps: Update to Slimstat Analytics plugin version 4.9.4 or greater.


Easy Forms for MailChimp – Reflected XSS

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-1324
Number of Installations: 100,000+
Affected Software: Easy Forms for Mailchimp <= 6.8.7
Patched Versions: Easy Forms for Mailchimp 6.8.8

Mitigation steps: Update to Easy Forms for Mailchimp plugin version 6.8.8 or greater.


Essential Blocks for Gutenberg – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-2084
Number of Installations: 80,000+
Affected Software: Essential Blocks <= 4.0.6
Patched Versions: Essential Blocks 4.0.7

Mitigation steps: Update to Essential Blocks for Gutenberg plugin version 4.0.7 or greater.


Ninja Tables – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-47137
Number of Installations: 80,000+
Affected Software: Ninja Tables – Best Data Table Plugin for WordPress <= 4.3.4
Patched Versions: Ninja Tables – Best Data Table Plugin for WordPress 4.3.5

Mitigation steps: Update to Ninja Tables – Best Data Table Plugin for WordPress plugin version 4.3.5 or greater.


Ajax Search Lite – Reflected Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Reflected Cross-Site Scripting (XSS)
CVE: CVE-2023-1420
Number of Installations: 70,000+
Affected Software: Ajax Search Lite <= 4.11.0
Patched Versions: Ajax Search Lite 4.11.1

Mitigation steps: Update to Ajax Search Lite plugin version 4.11.1 or greater.


CMS Tree Page View – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-30868
Number of Installations: 70,000+
Affected Software: CMS Tree Page View <= 1.6.7
Patched Versions: CMS Tree Page View 1.6.8

Mitigation steps: Update to CMS Tree Page View plugin version 1.6.8 or greater.


TaxoPress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Editor or higher authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-2168
Number of Installations: 70,000+
Affected Software: TaxoPress <= 3.6.4
Patched Versions: TaxoPress 3.6.5

Mitigation steps: Update to TaxoPress plugin version 3.6.5 or greater.


User Registration – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-29429
Number of Installations: 60,000+
Affected Software: User Registration <= 2.3.2
Patched Versions: User Registration 2.3.3

Mitigation steps: Update to User Registration plugin version 2.3.3 or greater.


OoohBoi Steroids for Elementor – Broken Access Control

Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-1169
Number of Installations: 60,000+
Affected Software: OoohBoi Steroids for Elementor <= 2.1.4
Patched Versions: OoohBoi Steroids for Elementor 2.1.5

Mitigation steps: Update to OoohBoi Steroids for Elementor plugin version 2.1.5 or greater.


Amelia – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-29427
Number of Installations: 50,000+
Affected Software: Amelia <= 1.0.75
Patched Versions: Amelia 1.0.76

Mitigation steps: Update to Amelia plugin version 1.0.76 or greater.


PowerPress Podcasting – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-30778
Number of Installations: 50,000+
Affected Software: PowerPress Podcasting plugin by Blubrry <= 10.0.1
Patched Versions: PowerPress Podcasting plugin by Blubrry 10.0.2

Mitigation steps: Update to PowerPress Podcasting plugin by Blubrry version 10.0.2 or greater.


Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-1913
Number of Installations: 50,000+
Affected Software: Maps Widget for Google Maps <= 4.24
Patched Versions: Maps Widget for Google Maps 4.25

Mitigation steps: Update to Maps Widget for Google Maps plugin version 4.25 or greater.


Visual CSS Style Editor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-33961
Number of Installations: 50,000+
Affected Software: Visual CSS Style Editor <= 7.5.8
Patched Versions: Visual CSS Style Editor 7.5.9

Mitigation steps: Update to Visual CSS Style Editor plugin version 7.5.9 or greater.


MapPress Maps for WordPress – Authenticated SQL Injection

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Authenticated SQL Injection
CVE: CVE-2023-26015
Number of Installations: 50,000+
Affected Software: MapPress Maps for WordPress <= 2.85.4
Patched Versions: MapPress Maps for WordPress 2.85.5

Mitigation steps: Update to MapPress Maps for WordPress plugin version 2.85.5 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.


文章来源: https://blog.sucuri.net/2023/04/wordpress-vulnerability-patch-roundup-april-2023.html
如有侵权请联系:admin#unsafe.sh