WordPress Vulnerability & Patch Roundup August 2023
2023-09-01 00:08:23 Author: blog.sucuri.net (view original)

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.


Advanced Custom Fields – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Admin level authentication.
Vulnerability: Authenticated Cross Site Scripting (XSS)
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF) <= 6.1.7
Patched Versions: Advanced Custom Fields (ACF) 6.1.8

Mitigation steps: Update to Advanced Custom Fields plugin version 6.1.8 or greater.


ElementsKit Elementor Addons – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-39993
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 2.9.0
Patched Versions: ElementsKit Elementor addons 2.9.1

Mitigation steps: Update to ElementsKit Elementor addons plugin version 2.9.1 or greater.


Forminator – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Injection
Number of Installations: 400,000+
Affected Software: Forminator <= 1.24.6
Patched Versions: Forminator 1.25.0

Mitigation steps: Update to Forminator plugin version 1.25.0 or greater.


Gutenberg Blocks by Kadence Blocks – Arbitrary File Upload

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Upload
Number of Installations: 300,000+
Affected Software: Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.1.10
Patched Versions: Gutenberg Blocks by Kadence Blocks – Page Builder Features 3.1.11

Mitigation steps: Update to Gutenberg Blocks by Kadence Blocks plugin version 3.1.11 or greater.


InfiniteWP Client – Sensitive Data Exposure

Security Risk: Low
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-2916
Number of Installations: 300,000+
Affected Software: InfiniteWP Client <= 1.12.0
Patched Versions: InfiniteWP Client 1.12.1

Mitigation steps: Update to InfiniteWP Client plugin version 1.12.1 or greater.


Hide My WP Ghost – Bypass Vulnerability

Security Risk: Medium
Exploitation Level:
Vulnerability: Bypass Vulnerability
CVE: CVE-2023-34001
Number of Installations: 200,000+
Affected Software: Hide My WP Ghost <= 5.0.25
Patched Versions: Hide My WP Ghost 5.0.26

Mitigation steps: Update to Hide My WP Ghost – Security Plugin version 5.0.26 or greater.


TI WooCommerce Wishlist – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
Number of Installations: 100,000+
Affected Software: TI WooCommerce Wishlist <= 2.7.3
Patched Versions: TI WooCommerce Wishlist 2.7.4

Mitigation steps: Update to TI WooCommerce Wishlist plugin version 2.7.4 or greater.


Slimstat Analytics – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Admin level authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-40676
Number of Installations: 100,000+
Affected Software: Slimstat Analytics <= 5.0.8
Patched Versions: Slimstat Analytics 5.0.9

Mitigation steps: Update to Slimstat Analytics plugin version 5.0.9 or greater.


Advanced File Manager – Sensitive Data Exposure

Security Risk: Low
Exploitation Level: Admin level authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-3814
Number of Installations: 100,000+
Affected Software: Advanced File Manager <= 5.1.0
Patched Versions: Advanced File Manager 5.1.1

Mitigation steps: Update to Advanced File Manager plugin version 5.1.1 or greater.


Change WP Admin Login – Bypass Vulnerability

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Security Misconfiguration
CVE: CVE-2023-3604
Number of Installations: 90,000+
Affected Software: Change WP Admin Login <= 1.1.3
Patched Versions: Change WP Admin Login 1.1.4

Mitigation steps: Update to Change WP Admin Login plugin version 1.1.4 or greater.


EmbedPress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-4283
Number of Installations: 80,000+
Affected Software: EmbedPress <= 3.8.2
Patched Versions: EmbedPress 3.8.3

Mitigation steps: Update to EmbedPress plugin version 3.8.3 or greater.


Blog2Social – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-40554
Number of Installations: 70,000+
Affected Software: Blog2Social <= 7.2.0
Patched Versions: Blog2Social 7.2.1

Mitigation steps: Update to Blog2Social: Social Media Auto Post & Scheduler plugin version 7.2.1 or greater.


wpDataTables – PHP Object Injection

Security Risk: Low
Exploitation Level: Admin level authentication required.
Vulnerability: PHP Object Injection
CVE: N/A
Number of Installations: 70,000+
Affected Software: wpDataTables <= 2.1.65
Patched Versions: wpDataTables 2.1.66

Mitigation steps: Update to wpDataTables plugin version 2.1.66 or greater.


Booster for WooCommerce – Broken Access Control

Security Risk: Medium
Exploitation Level: Shop Manager authentication required.
Vulnerability: Broken Access Control
Number of Installations: 60,000+
Affected Software: Booster for WooCommerce <= 7.0.0
Patched Versions: Booster for WooCommerce 7.1.0

Mitigation steps: Update to Booster for WooCommerce plugin version 7.1.0 or greater.


Folders – Arbitrary File Upload

Security Risk: Medium
Exploitation Level: Author or higher level authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2023-40204
Number of Installations: 60,000+
Affected Software: Folders <= 2.9.2
Patched Versions: Folders 2.9.3

Mitigation steps: Update to Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin version 2.9.3 or greater.


Post Grid Combo – Sensitive Data Exposure

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-40211
Number of Installations: 50,000+
Affected Software: Post Grid Combo <= 2.2.50
Patched Versions: Post Grid Combo 2.2.51

Mitigation steps: Update to Post Grid Combo plugin version 2.2.51 or greater.


iThemes Sync – Broken Access Control

Security Risk: Medium
Exploitation Level: Subscriber or higher level authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-40001
Number of Installations: 50,000+
Affected Software: iThemes Sync <= 2.1.13
Patched Versions: iThemes Sync 2.1.14

Mitigation steps: Update to iThemes Sync plugin version 2.1.14 or greater.


Profile Builder – User Profile & User Registration Forms – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
Number of Installations: 50,000+
Affected Software: Profile Builder <= 3.9.7
Patched Versions: Profile Builder 3.9.8

Mitigation steps: Update to Profile Builder plugin version 3.9.8 or greater.


Cost Calculator Builder – Broken Access Control

Security Risk: Medium
Exploitation Level: Author or higher level authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-40011
Number of Installations: 30,000+
Affected Software: Cost Calculator Builder <= 3.1.42
Patched Versions: Cost Calculator Builder 3.1.43

Mitigation steps: Update to Cost Calculator Builder plugin version 3.1.43 or greater.


AI Engine: ChatGPT Chatbot – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Administrator level authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-4254
Number of Installations: 30,000+
Affected Software: AI Engine <= 4.7.7
Patched Versions: AI Engine 4.7.8

Mitigation steps: Update to AI Engine plugin version 4.7.8 or greater.


PostX – Gutenberg Post Grid Blocks – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-3992
Number of Installations: 30,000+
Affected Software: PostX – Gutenberg Post Grid Blocks <= 3.0.5
Patched Versions: PostX – Gutenberg Post Grid Blocks 3.0.6

Mitigation steps: Update to PostX – Gutenberg Post Grid Blocks plugin version 3.0.6 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.


Source: https://blog.sucuri.net/2023/08/wordpress-vulnerability-patch-roundup-august-2023.html