Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
WordPress 6.3.2 has been released as a core update that contains security and bug fixes. This update includes 19 bug fixes for WordPress Core, 22 for the Block Editor, and 8 crucial security fixes.
The security fixes in this release address potential disclosure of user email addresses, a remote code execution (RCE) POP chain vulnerability, XSS issues in the post link navigation block and the application password screen, leakage of comments on private posts, the potential for logged-in users to execute any shortcode, an XSS vulnerability in the footnotes block, and a cache poisoning DoS vulnerability.
We strongly encourage you to always keep your CMS patched with the latest core updates to mitigate risk and protect your site.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-4372
Number of Installations: 4,000,000+
Affected Software: LiteSpeed Cache <= 5.6
Patched Versions: LiteSpeed Cache 5.7
Mitigation steps: Update to LiteSpeed Cache plugin version 5.7 or greater.
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Protection Bypass of Renamed Login Page via URL Encoding
Number of Installations: 1,000,000+
Affected Software: All In One WP Security <= 5.2.4
Patched Versions: All In One WP Security 5.2.5
Mitigation steps: Update to All In One WP Security plugin version 5.2.5 or greater.
Security Risk: Low
Exploitation Level: Requires Administrator authentication.
Vulnerability: SQL Injection
Number of Installations: 300,000+
Affected Software: Post SMTP <= 2.6.0
Patched Versions: Post SMTP 2.6.1
Mitigation steps: Update to Post SMTP plugin version 2.6.1 or greater.
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-39920
Number of Installations: 300,000+
Affected Software: Redirection for Contact Form 7 <= 2.9.2
Patched Versions: Redirection for Contact Form 7 3.0.0
Mitigation steps: Update to Redirection for Contact Form 7 plugin version 3.0.0 or greater.
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Information Exposure
CVE: CVE-2023-5576
Number of Installations: 300,000+
Affected Software: Migration, Backup, Staging – WPvivid <= 0.9.91
Patched Versions: Migration, Backup, Staging – WPvivid 9.9.92
Mitigation steps: Update to Migration, Backup, Staging – WPvivid plugin version 9.9.92 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-45607
Number of Installations: 200,000+
Affected Software: WordPress Popular Posts <= 6.3.2
Patched Versions: WordPress Popular Posts 6.3.3
Mitigation steps: Update to WordPress Popular Posts plugin version 6.3.3 or greater.
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-44150
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.13.2
Patched Versions: ProfilePress 4.13.3
Mitigation steps: Update to ProfilePress plugin version 4.13.3 or greater.
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-5454
Number of Installations: 200,000+
Affected Software: Templately <= 2.2.5
Patched Versions: Templately 2.2.6
Mitigation steps: Update to Templately plugin version 2.2.6 or greater.
Security Risk: Medium
Exploitation Level: Requires Administrator authentication.
Vulnerability: Injection
CVE: CVE-2023-5414
Number of Installations: 100,000+
Affected Software: Icegram Express <= 5.6.23
Patched Versions: Icegram Express 5.6.24
Mitigation steps: Update to Icegram Express plugin version 5.6.24 or greater.
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-5070
Number of Installations: 100,000+
Affected Software: Social Media & Share Icons <= 2.8.5
Patched Versions: Social Media & Share Icons 2.8.6
Mitigation steps: Update to Social Media & Share Icons plugin version 2.8.6 or greater.
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-46153
Number of Installations: 100,000+
Affected Software: User Feedback <= 1.0.9
Patched Versions: User Feedback 1.0.10
Mitigation steps: Update to User Feedback plugin version 1.0.10 or greater.
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-46309
Number of Installations: 80,000+
Affected Software: wpDiscuz <= 7.6.10
Patched Versions: wpDiscuz 7.6.11
Mitigation steps: Update to wpDiscuz plugin version 7.6.11 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-5706
Number of Installations: 80,000+
Affected Software: VK Blocks <= 1.63.0.1
Patched Versions: VK Blocks 1.64.0.0
Mitigation steps: Update to VK Blocks plugin version 1.64.0.0 or a newer patched version.
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-24385
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.11
Patched Versions: Media Library Assistant 3.12
Mitigation steps: Update to Media Library Assistant version 3.12 or greater.
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-45101
Number of Installations: 60,000+
Affected Software: Customer Reviews for WooCommerce <= 5.36.0
Patched Versions: Customer Reviews for WooCommerce 5.36.1
Mitigation steps: Update to Customer Reviews for WooCommerce plugin version 5.36.1 or greater.
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-45070
Number of Installations: 60,000+
Affected Software: Form Maker by 10Web <= 1.15.18
Patched Versions: Form Maker by 10Web 1.15.19
Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.19 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-5638
Number of Installations: 60,000+
Affected Software: Booster for WooCommerce <= 7.1.2
Patched Versions: Booster for WooCommerce 7.1.3
Mitigation steps: Update to Booster for WooCommerce plugin version 7.1.3 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
Number of Installations: 50,000+
Affected Software: Master Addons for Elementor <= 2.0.3
Patched Versions: Master Addons for Elementor 2.0.4
Mitigation steps: Update to Master Addons for Elementor plugin version 2.0.4 or greater.
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Remote Code Execution
CVE: CVE-2023-5815
Number of Installations: 30,000+
Affected Software: News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1
Patched Versions: News & Blog Designer Pack – WordPress Blog Plugin 3.4.2
Mitigation steps: Update to News & Blog Designer Pack version 3.4.2 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Stored Cross-Site Scripting via Shortcode
CVE: CVE-2023-5049
Number of Installations: 20,000+
Affected Software: Giveaways and Contests by RafflePress <= 1.12.0
Patched Versions: Giveaways and Contests by RafflePress 1.12.2
Mitigation steps: Update to Giveaways and Contests by RafflePress plugin version 1.12.2 or greater.
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
Number of Installations: 10,000+
Affected Software: Store Exporter for WooCommerce <= 2.7.2
Patched Versions: Store Exporter for WooCommerce 2.7.2.1
Mitigation steps: Update to Store Exporter for WooCommerce plugin version 2.7.2.1 or greater.
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
Number of Installations: 80,000+
Affected Software: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer <= 2.24.14
Patched Versions: 10Web Booster 2.24.18
Mitigation steps: Update to 10Web Booster plugin version 2.24.18 or greater.
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Missing Authorization
CVE: CVE-2023-5311
Number of Installations: 10,000+
Affected Software: WP EXtra <= 6.2
Patched Versions: WP EXtra 6.3
Mitigation steps: Update to WP EXtra plugin version 6.3 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.