WordPress Vulnerability & Patch Roundup November 2023
2023-11-25 01:46:37 Author: blog.sucuri.net

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.


Elementor Website Builder – Stored Cross-Site Scripting

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-47505
Number of Installations: 5,000,000+
Affected Software: Elementor Website Builder <= 3.16.4
Patched Versions: Elementor Website Builder 3.16.5

Mitigation Steps: Update to Elementor Website Builder plugin version 3.16.5 or greater.


WooCommerce Checkout Manager – Missing Authorization

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-47681
Number of Installations: 100,000+
Affected Software: WooCommerce Checkout Manager <= 7.3.0
Patched Versions: WooCommerce Checkout Manager 7.3.1

Mitigation Steps: Update to WooCommerce Checkout Manager version 7.3.1 or greater.


NitroPack – Missing Authorization

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
Number of Installations: 100,000+
Affected Software: NitroPack <= 1.9.2
Patched Versions: NitroPack 1.10.0

Mitigation Steps: Update to NitroPack plugin version 1.10.0 or greater.


Cloud Templates & Patterns Collection – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-47529
Number of Installations: 100,000+
Affected Software: Cloud Templates & Patterns collection <= 1.2.2
Patched Versions: Cloud Templates & Patterns collection 1.2.3

Mitigation Steps: Update to Cloud Templates & Patterns Collection plugin version 1.2.3 or greater.


LearnPress – Reflected Cross-Site Scripting

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
Number of Installations: 90,000+
Affected Software: LearnPress – WordPress LMS Plugin <= 4.2.5.3
Patched Versions: LearnPress – WordPress LMS Plugin 4.2.5.4

Mitigation Steps: Update to LearnPress – WordPress LMS Plugin version 4.2.5.4 or greater.


Advanced iFrame – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-4775
Number of Installations: 60,000+
Affected Software: Advanced iFrame <= 2023.8
Patched Versions: Advanced iFrame 2023.9

Mitigation Steps: Update to Advanced iFrame plugin version 2023.9 or greater.


Ultimate Dashboard – Stored Cross-Site Scripting

Security Risk: Low
Exploitation Level: Requires Admin authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-4726
Number of Installations: 60,000+
Affected Software: Ultimate Dashboard <= 3.7.7
Patched Versions: Ultimate Dashboard 3.7.8

Mitigation Steps: Update to Ultimate Dashboard plugin version 3.7.8 or greater.


Solid Central – Stored Cross-Site Scripting

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting (XSS)
Number of Installations: 50,000+
Affected Software: Solid Central <= 3.0.0
Patched Versions: Solid Central 3.0.1

Mitigation Steps: Update to Solid Central plugin version 3.0.1 or greater.


Easy Social Icons – Missing Authorization

Security Risk: Low
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-33998
Number of Installations: 30,000+
Affected Software: Easy Social Icons <= 3.2.4
Patched Versions: Easy Social Icons 3.2.5

Mitigation Steps: Update to Easy Social Icons plugin version 3.2.5 or greater.


OneClick Chat to Order – Stored Cross-Site Scripting

Security Risk: Low
Exploitation Level: Requires Admin authentication and a multi-site installation where unfiltered_html has been disabled.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-47546
Number of Installations: 30,000+
Affected Software: OneClick Chat to Order <= 1.0.4.2
Patched Versions: OneClick Chat to Order 1.0.5

Mitigation Steps: Update to OneClick Chat to Order plugin version 1.0.5 or greater.


Social Sharing Plugin – Social Warfare – Stored Cross-Site Scripting

Security Risk: Low
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-4842
Number of Installations: 30,000+
Affected Software: Social Sharing Plugin – Social Warfare <= 4.4.3
Patched Versions: Social Sharing Plugin – Social Warfare 4.4.4

Mitigation Steps: Update to Social Sharing Plugin – Social Warfare plugin version 4.4.4 or greater.


Ultimate Addons for Contact Form 7 – Missing Authorization

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2023-47693
Number of Installations: 30,000+
Affected Software: Ultimate Addons for Contact Form 7 <= 3.2.10
Patched Versions: Ultimate Addons for Contact Form 7 3.2.11

Mitigation Steps: Update to Ultimate Addons for Contact Form 7 plugin version 3.2.11 or greater.


Simple Like Page Plugin – Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-4888
Number of Installations: 20,000+
Affected Software: Simple Like Page Plugin <= 1.5.1
Patched Versions: Simple Like Page Plugin 1.5.2

Mitigation Steps: Update to Simple Like Page Plugin version 1.5.2 or greater.


Delete Duplicate Posts – Missing Authorization

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2023-47754
Number of Installations: 20,000+
Affected Software: Delete Duplicate Posts < 4.9
Patched Versions: Delete Duplicate Posts 4.9

Mitigation Steps: Update to Delete Duplicate Posts plugin version 4.9 or greater.


Ecwid Ecommerce Shopping Cart – Missing Authorization

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
Number of Installations: 20,000+
Affected Software: Ecwid Ecommerce Shopping Cart <= 6.12.3
Patched Versions: Ecwid Ecommerce Shopping Cart 6.12.4

Mitigation Steps: Update to Ecwid Ecommerce Shopping Cart plugin version 6.12.4 or greater.


Responsive Pricing Table – Stored Cross-Site Scripting

Security Risk: Low
Exploitation Level: Requires Admin level authentication and multi-site installations where unfiltered_html has been disabled.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-4810
Number of Installations: 20,000+
Affected Software: Responsive Pricing Table < 5.1.8
Patched Versions: Responsive Pricing Table 5.1.8

Mitigation Steps: Update to Responsive Pricing Table plugin version 5.1.8 or greater.


Popup Box – Stored Cross-Site Scripting

Security Risk: Low
Exploitation Level: Requires Admin level authentication and multi-site installations where unfiltered_html has been disabled.
Vulnerability: Cross-Site Scripting (XSS)
Number of Installations: 20,000+
Affected Software: Popup Box – Best WordPress Popup Plugin < 3.8.7
Patched Versions: Popup Box – Best WordPress Popup Plugin 3.8.7

Mitigation Steps: Update to Popup Box plugin version 3.8.7 or greater.


Redirect 404 Error Page to Homepage or Custom Page with Logs – SQL Injection

Security Risk: Low
Exploitation Level: Requires Admin level authentication.
Vulnerability: SQL Injection
CVE: CVE-2023-47530
Number of Installations: 20,000+
Affected Software: Redirect 404 Error Page to Homepage or Custom Page with Logs <= 1.8.7
Patched Versions: Redirect 404 Error Page to Homepage or Custom Page with Logs 1.8.8

Mitigation Steps: Update to Redirect 404 Error Page to Homepage or Custom Page with Logs plugin version 1.8.8 or greater.


URL Shortify – Stored Cross-Site Scripting

Security Risk: Low
Exploitation Level: Requires Admin level authentication and multi-site installations where unfiltered_html has been disabled.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2023-5605
Number of Installations: 20,000+
Affected Software: URL Shortify <= 1.7.9
Patched Versions: URL Shortify 1.7.9.1

Mitigation Steps: Update to URL Shortify plugin version 1.7.9.1 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.
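The entries above all reduce to one check: is the installed version of a listed plugin below the patched version? The script below is an added example (not Sucuri's code and not part of the original roundup) that runs that check over the output of `wp plugin list --format=json`. The wordpress.org slugs in the advisory table are my assumptions, since the roundup gives display names only; confirm them against your own `wp plugin list` output before relying on the result. The sample WP-CLI output is constructed inline so the script runs offline. Version strings from the roundup such as `2023.8`, `4.2.5.3` and `1.7.9.1` do not compare correctly as plain strings, so the comparator splits on dots, ignores trailing `.0` segments and treats a `-suffix` as a pre-release; it deliberately flags anything below the patched version, which also covers the entries written as `< 4.9` rather than `<= 4.8.x`.

```python
"""Check installed WordPress plugins against the November 2023 roundup.

Added example, not Sucuri's code. Pipe in the JSON printed by
`wp plugin list --format=json`; with no input it uses a constructed sample.
"""
import json
import sys

# (assumed wordpress.org slug, patched version from the roundup).
# The slugs are assumptions; the roundup lists display names only.
ADVISORIES = [
    ("elementor", "3.16.5"),
    ("woocommerce-checkout-manager", "7.3.1"),
    ("nitropack", "1.10.0"),
    ("templates-patterns-collection", "1.2.3"),
    ("learnpress", "4.2.5.4"),
    ("advanced-iframe", "2023.9"),
    ("ultimate-dashboard", "3.7.8"),
    ("ithemes-sync", "3.0.1"),
    ("easy-social-icons", "3.2.5"),
    ("oneclick-whatsapp-order", "1.0.5"),
    ("social-warfare", "4.4.4"),
    ("ultimate-addons-for-contact-form-7", "3.2.11"),
    ("simple-like-page-plugin", "1.5.2"),
    ("delete-duplicate-posts", "4.9"),
    ("ecwid-shopping-cart", "6.12.4"),
    ("responsive-pricing-table", "5.1.8"),
    ("popup-box", "3.8.7"),
    ("redirect-404-error-page-to-homepage-or-custom-page", "1.8.8"),
    ("url-shortify", "1.7.9.1"),
]

# Constructed sample of `wp plugin list --format=json` output, not real site data.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "elementor", "status": "active", "update": "available", "version": "3.16.4"},
    {"name": "learnpress", "status": "active", "update": "none", "version": "4.2.5.4"},
    {"name": "advanced-iframe", "status": "inactive", "update": "none", "version": "2023.8"},
    {"name": "url-shortify", "status": "active", "update": "none", "version": "1.7.9"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])


def version_key(version: str):
    """Sort key for WordPress-style version strings.

    "1.7.9" < "1.7.9.1", "2023.8" < "2023.9", "4.9" == "4.9.0",
    and "3.16.5-beta1" < "3.16.5" (a dash suffix marks a pre-release).
    """
    core, _, suffix = version.strip().partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while parts and parts[-1] == 0:      # 4.9.0 compares equal to 4.9
        parts.pop()
    return (tuple(parts), 0 if suffix == "" else -1, suffix)


def is_below(installed: str, patched: str) -> bool:
    """True when `installed` is older than `patched`."""
    return version_key(installed) < version_key(patched)


def find_vulnerable(plugin_list_json: str, advisories=ADVISORIES):
    """Return (slug, installed, patched) for every listed plugin still below its fix.

    Inactive plugins are reported too: their files remain on disk, and a
    direct-access bug does not need the plugin to be active.
    """
    installed = {p["name"]: p["version"] for p in json.loads(plugin_list_json)}
    findings = []
    for slug, patched in advisories:
        version = installed.get(slug)
        if version is not None and is_below(version, patched):
            findings.append((slug, version, patched))
    return findings


if __name__ == "__main__":
    data = sys.stdin.read().strip() if not sys.stdin.isatty() else ""
    for slug, version, patched in find_vulnerable(data or SAMPLE_WP_CLI_OUTPUT):
        print(f"{slug}: installed {version}, update to {patched} or later")
```

Run it as `wp plugin list --format=json | python3 check_roundup.py` on the site host; a clean run prints nothing. The check only knows about the versions in this roundup, so treat it as a spot check for this month's list, not a substitute for keeping automatic plugin updates or a firewall in place.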

We are a group of website security professionals who are passionate about discovering emerging web-based malware and software vulnerabilities. Not only do we create tools and detection rules for our customers, we also bring awareness to the website security community. Our mission is to help make the internet a safer place.


Source: https://blog.sucuri.net/2023/11/wordpress-vulnerability-patch-roundup-november-2023.html