WordPress Vulnerability & Patch Roundup September 2023
2023-09-29 00:29:58 Author: blog.sucuri.net

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.


WooCommerce – Sensitive Information Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Security Misconfiguration
Number of Installations: 5,000,000+
Affected Software: WooCommerce <= 7.8.2
Patched Versions: WooCommerce 7.9.0

Mitigation steps: Update to WooCommerce plugin version 7.9.0 or greater.


EWWW Image Optimizer – Sensitive Information Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Security Misconfiguration
Number of Installations: 1,000,000+
Affected Software: EWWW Image Optimizer < 7.2.1
Patched Versions: EWWW Image Optimizer 7.2.1

Mitigation steps: Update to EWWW Image Optimizer plugin version 7.2.1 or greater.


Essential Addons for Elementor – Privilege Escalation

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2023-41955
Number of Installations: 1,000,000+
Affected Software: Essential Addons for Elementor <= 5.8.8
Patched Versions: Essential Addons for Elementor 5.8.9

Mitigation steps: Update to Essential Addons for Elementor plugin version 5.8.9 or greater.


Enable Media Replace – PHP Object Injection

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Injection
Number of Installations: 600,000+
Affected Software: Enable Media Replace <= 4.1.2
Patched Versions: Enable Media Replace 4.1.3

Mitigation steps: Update to Enable Media Replace plugin version 4.1.3 or greater.


GTranslate – Cross Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Admin level authentication.
Vulnerability: Cross Site Scripting (XSS)
Number of Installations: 500,000+
Affected Software: GTranslate <= 3.0.3
Patched Versions: GTranslate 3.0.4

Mitigation steps: Update to GTranslate plugin version 3.0.4 or greater.


ShortPixel Image Optimizer – PHP Object Injection

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Injection
Number of Installations: 300,000+
Affected Software: ShortPixel Image Optimizer <= 5.4.1
Patched Versions: ShortPixel Image Optimizer 5.4.2

Mitigation steps: Update to ShortPixel Image Optimizer plugin version 5.4.2 or greater.


FluentForm – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-41952
Number of Installations: 300,000+
Affected Software: FluentForm <= 5.0.8
Patched Versions: FluentForm 5.0.9

Mitigation steps: Update to FluentForm plugin version 5.0.9 or greater.


Ad Inserter – Sensitive Information Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Security Misconfiguration
CVE: CVE-2023-4645
Number of Installations: 300,000+
Affected Software: Ad Inserter <= 2.7.30
Patched Versions: Ad Inserter 2.7.31

Mitigation steps: Update to Ad Inserter plugin version 2.7.31 or greater.


WPvivid Backup and Migration – Arbitrary File Deletion

Security Risk: Low
Exploitation Level: Requires Admin level authentication.
Vulnerability: Security Misconfiguration
CVE: CVE-2023-4274
Number of Installations: 300,000+
Affected Software: WPvivid Backup and Migration <= 0.9.89
Patched Versions: WPvivid Backup and Migration 0.9.90

Mitigation steps: Update to WPvivid Backup and Migration plugin version 0.9.90 or greater.


ProfilePress – Privilege Escalation

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2023-41954
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.13.1
Patched Versions: ProfilePress 4.13.2

Mitigation steps: Update to ProfilePress plugin version 4.13.2 or greater.


Metform Elementor Contact Form Builder – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Security Misconfiguration
CVE: CVE-2023-0689
Number of Installations: 200,000+
Affected Software: Metform Elementor Contact Form Builder <= 3.3.1
Patched Versions: Metform Elementor Contact Form Builder 3.3.2

Mitigation steps: Update to Metform Elementor Contact Form Builder plugin version 3.3.2 or greater.


PageLayer – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
Number of Installations: 200,000+
Affected Software: PageLayer <= 1.7.6
Patched Versions: PageLayer 1.7.7

Mitigation steps: Update to PageLayer plugin version 1.7.7 or greater.


Slimstat Analytics – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2023-4598
Number of Installations: 100,000+
Affected Software: Slimstat Analytics <= 5.0.9
Patched Versions: Slimstat Analytics 5.0.10

Mitigation steps: Update to Slimstat Analytics plugin version 5.0.10 or greater.


GiveWP – Privilege Escalation

Security Risk: Medium
Exploitation Level: Requires
Vulnerability: Identification and Authentication Failures
CVE: CVE-2023-41665
Number of Installations: 100,000+
Affected Software: GiveWP <= 2.33.0
Patched Versions: GiveWP 2.33.1

Mitigation steps: Update to GiveWP plugin version 2.33.1 or greater.


User Feedback – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-39308
Number of Installations: 100,000+
Affected Software: User Feedback plugin <= 1.0.7
Patched Versions: User Feedback 1.0.8

Mitigation steps: Update to User Feedback plugin version 1.0.8 or greater.


FileOrganizer – Arbitrary File Download

Security Risk: Low
Exploitation Level: Requires Admin or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2023-3664
Number of Installations: 100,000+
Affected Software: FileOrganizer <= 1.0.2
Patched Versions: FileOrganizer 1.0.3

Mitigation steps: Update to FileOrganizer plugin version 1.0.3 or greater.


wpDiscuz – SQL Injection

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Injection
Number of Installations: 100,000+
Affected Software: wpDiscuz < 7.6.6
Patched Versions: wpDiscuz 7.6.6

Mitigation steps: Update to wpDiscuz plugin version 7.6.6 or greater.


Media Library Assistant – Remote Code Execution

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Injection
CVE: CVE-2023-4634
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.09
Patched Versions: Media Library Assistant 3.10

Mitigation steps: Update to Media Library Assistant plugin version 3.10 or greater.


Booking Calendar – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-4620
Number of Installations: 60,000+
Affected Software: Booking Calendar <= 9.7.3
Patched Versions: Booking Calendar 9.7.3.1

Mitigation steps: Update to Booking Calendar plugin version 9.7.3.1 or greater.


Booster for WooCommerce – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-4945
Number of Installations: 60,000+
Affected Software: Booster for WooCommerce <= 7.1.0
Patched Versions: Booster for WooCommerce 7.1.1

Mitigation steps: Update to Booster for WooCommerce plugin version 7.1.1 or greater.


Feeds for YouTube – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-4841
Number of Installations: 60,000+
Affected Software: Feeds for YouTube <= 2.1
Patched Versions: Feeds for YouTube 2.1.2

Mitigation steps: Update to Feeds for YouTube plugin version 2.1.2 or greater.


Form Maker by 10Web – Arbitrary File Upload

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Injection
Number of Installations: 60,000+
Affected Software: Form Maker by 10Web < 1.15.20
Patched Versions: Form Maker by 10Web 1.15.20

Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.20 or greater.


Connect Matomo (WP-Matomo, WP-Piwik) – Stored Cross Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-4774
Number of Installations: 60,000+
Affected Software: Connect Matomo (WP-Matomo, WP-Piwik) <= 1.0.28
Patched Versions: Connect Matomo (WP-Matomo, WP-Piwik) 1.0.29

Mitigation steps: Update to Connect Matomo (WP-Matomo, WP-Piwik) plugin version 1.0.29 or greater.


MapPress Maps for WordPress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2023-4840
Number of Installations: 50,000+
Affected Software: MapPress Maps for WordPress <= 2.88.4
Patched Versions: MapPress Maps for WordPress 2.88.5

Mitigation steps: Update to MapPress Maps for WordPress plugin version 2.88.5 or greater.


Super Socializer – Broken Access Control

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-41802
Number of Installations: 40,000+
Affected Software: Super Socializer <= 7.13.54
Patched Versions: Super Socializer 7.13.55

Mitigation steps: Update to Super Socializer plugin version 7.13.55 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.
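The mitigation for every entry above is the same: find the installed version of each listed plugin and compare it with the patched one. The script below is an added example (not Sucuri's code, and not part of any plugin) that does that comparison against the "Patched Versions" listed on this page. It reads the "Plugin Name:" and "Version:" header fields from a plugin's main PHP file, compares versions numerically by dot-separated component the way WordPress does (so "3.09" is older than "3.10" and "2.1" equals "2.1.0"), and flags anything below the patched release. The plugin headers it runs on are constructed samples; on a real site you would feed it the main .php file from each directory under wp-content/plugins/, and any plugin whose header name differs from the name used on this page needs its table key adjusted.

```python
"""Check installed WordPress plugin versions against the September 2023 roundup.
Added example for this page, not Sucuri's code. PATCHED is copied from the
"Patched Versions" lines above; SAMPLE_PLUGIN_FILES are constructed headers,
not real plugin files."""
import re
from typing import Dict, List, Optional, Tuple

# Minimum safe version per plugin, keyed by the name as written on this page.
# Real "Plugin Name:" headers can differ from the marketing name; adjust keys to match.
PATCHED: Dict[str, str] = {
    "WooCommerce": "7.9.0",
    "EWWW Image Optimizer": "7.2.1",
    "Essential Addons for Elementor": "5.8.9",
    "Enable Media Replace": "4.1.3",
    "GTranslate": "3.0.4",
    "ShortPixel Image Optimizer": "5.4.2",
    "FluentForm": "5.0.9",
    "Ad Inserter": "2.7.31",
    "WPvivid Backup and Migration": "0.9.90",
    "ProfilePress": "4.13.2",
    "Metform Elementor Contact Form Builder": "3.3.2",
    "PageLayer": "1.7.7",
    "Slimstat Analytics": "5.0.10",
    "GiveWP": "2.33.1",
    "User Feedback": "1.0.8",
    "FileOrganizer": "1.0.3",
    "wpDiscuz": "7.6.6",
    "Media Library Assistant": "3.10",
    "Booking Calendar": "9.7.3.1",
    "Booster for WooCommerce": "7.1.1",
    "Feeds for YouTube": "2.1.2",
    "Form Maker by 10Web": "1.15.20",
    "Connect Matomo (WP-Matomo, WP-Piwik)": "1.0.29",
    "MapPress Maps for WordPress": "2.88.5",
    "Super Socializer": "7.13.55",
}

# The two header fields WordPress reads from " * Plugin Name: X" / " * Version: Y" lines.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only: "3.09" -> (3, 9), "9.7.3.1" -> (9, 7, 3, 1).
    Suffixes such as "-beta1" are dropped, so "7.9.0-beta1" compares as "7.9.0"."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 like PHP's version_compare(); shorter versions are zero-padded
    so "2.1" == "2.1.0" and "9.7.3" < "9.7.3.1"."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def parse_plugin_header(main_file_text: str) -> Optional[Tuple[str, str]]:
    """(plugin name, installed version) from a plugin's main PHP file, or None if missing."""
    fields = dict(HEADER_RE.findall(main_file_text))
    if "Plugin Name" in fields and "Version" in fields:
        return fields["Plugin Name"], fields["Version"]
    return None


def patched_version(name: str) -> Optional[str]:
    """Patched version from the roundup table, matched case-insensitively."""
    return {k.lower(): v for k, v in PATCHED.items()}.get(name.lower())


def is_vulnerable(name: str, installed: str) -> bool:
    """True when the plugin is in the roundup and runs below its patched version.
    A plugin absent from the table returns False: unknown, not known-good."""
    patched = patched_version(name)
    return patched is not None and compare(installed, patched) < 0


def audit(plugin_files: List[str]) -> List[Tuple[str, str, str]]:
    """(name, installed, patched) for every plugin file that still needs updating."""
    findings = []
    for text in plugin_files:
        parsed = parse_plugin_header(text)
        if parsed and is_vulnerable(*parsed):
            name, installed = parsed
            findings.append((name, installed, patched_version(name)))
    return findings


# Constructed sample headers; on a real site read wp-content/plugins/*/*.php instead.
SAMPLE_PLUGIN_FILES = [
    "<?php\n/**\n * Plugin Name: WooCommerce\n * Version: 7.8.2\n */\n",
    "<?php\n/**\n * Plugin Name: Media Library Assistant\n * Version: 3.09\n */\n",
    "<?php\n/**\n * Plugin Name: Booking Calendar\n * Version: 9.7.3.1\n */\n",
    "<?php\n/**\n * Plugin Name: Feeds for YouTube\n * Version: 2.1\n */\n",
    "<?php\n/**\n * Plugin Name: Akismet Anti-spam\n * Version: 5.3\n */\n",
]

if __name__ == "__main__":
    for name, installed, patched in audit(SAMPLE_PLUGIN_FILES):
        print(f"UPDATE {name}: installed {installed}, fixed in {patched}")
```

Two caveats worth keeping in mind when using a check like this: a plugin absent from the table is reported as not vulnerable only in the sense that this roundup says nothing about it, and the comparison ignores pre-release suffixes, so a "7.9.0-beta1" build would pass as 7.9.0.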


Article source: https://blog.sucuri.net/2023/09/wordpress-vulnerability-patch-roundup-september-2023.html