Vulnerability & Patch Roundup January 2024
2024-1-31 00:24:43 Author: blog.sucuri.net

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


WooCommerce – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
Number of Installations: 5,000,000+
Affected Software: WooCommerce < 8.4.0
Patched Versions: WooCommerce 8.4.0

Mitigation steps: Update to WooCommerce plugin version 8.4.0 or greater.


Essential Addons for Elementor – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-7044
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 5.9.4
Patched Versions: Essential Addons for Elementor 5.9.5

Mitigation steps: Update to Essential Addons for Elementor version 5.9.5 or greater.


Hostinger – Unauthorized Plugin Settings Update

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Missing Authorization
CVE: CVE-2023-6751
Number of Installations: 2,000,000+
Affected Software: Hostinger <= 1.9.7
Patched Versions: Hostinger 1.9.8

Mitigation steps: Update to Hostinger plugin version 1.9.8 or greater.


Complianz GDPR/CCPA Cookie Consent – Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6498
Number of Installations: 800,000+
Affected Software: Complianz GDPR/CCPA Cookie Consent <= 6.5.5
Patched Versions: Complianz GDPR/CCPA Cookie Consent 6.5.6

Mitigation steps: Update to Complianz GDPR/CCPA Cookie Consent plugin version 6.5.6 or greater.


LightStart – Missing Authorization

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Missing Authorization
CVE: CVE-2023-7019
Number of Installations: 700,000+
Affected Software: LightStart <= 2.6.8
Patched Versions: LightStart 2.6.9

Mitigation steps: Update to LightStart plugin version 2.6.9 or greater.


Happy Elementor Addons – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
Number of Installations: 400,000+
Affected Software: Happy Elementor Addons <= 3.10.0
Patched Versions: Happy Elementor Addons 3.10.1

Mitigation steps: Update to Happy Elementor Addons plugin version 3.10.1 or greater.


FluentForm – Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Administrator authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2024-0618
Number of Installations: 400,000+
Affected Software: FluentForm <= 5.1.5
Patched Versions: FluentForm 5.1.7

Mitigation steps: Update to FluentForm plugin version 5.1.7 or greater.


WP Google Maps – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6697
Number of Installations: 400,000+
Affected Software: WP Google Maps <= 9.0.28
Patched Versions: WP Google Maps 9.0.29

Mitigation steps: Update to WP Google Maps plugin version 9.0.29 or greater.


OMGF GDPR/DSGVO Compliant, Faster Google Fonts – Cross-Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Missing Authorization & Cross-Site Scripting
CVE: CVE-2023-6600
Number of Installations: 300,000+
Affected Software: OMGF <= 5.7.9
Patched Versions: OMGF 5.7.10

Mitigation steps: Update to OMGF GDPR/DSGVO Compliant, Faster Google Fonts plugin version 5.7.10 or greater.


POST SMTP Mailer – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-7027
Number of Installations: 300,000+
Affected Software: POST SMTP Mailer <= 2.8.7
Patched Versions: POST SMTP Mailer 2.8.8

Mitigation steps: Update to POST SMTP Mailer plugin version 2.8.8 or greater.


PDF Invoices & Packing Slips for WooCommerce – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-22147
Number of Installations: 300,000+
Affected Software: PDF Invoices & Packing Slips for WooCommerce <= 3.7.5
Patched Versions: PDF Invoices & Packing Slips for WooCommerce 3.7.6

Mitigation steps: Update to PDF Invoices & Packing Slips for WooCommerce plugin version 3.7.6 or greater.


Orbit Fox Companion – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2024-0508
Number of Installations: 200,000+
Affected Software: Orbit Fox Companion <= 2.10.27
Patched Versions: Orbit Fox Companion 2.10.28

Mitigation steps: Update to Orbit Fox Companion plugin version 2.10.28 or greater.


PageLayer – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6738
Number of Installations: 200,000+
Affected Software: PageLayer <= 1.7.8
Patched Versions: PageLayer 1.7.9

Mitigation steps: Update to PageLayer plugin version 1.7.9 or greater.


GiveWP – Cross-Site Scripting (XSS)

Security Risk: High
Exploitation Level: Contributor authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-51415
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.2.2
Patched Versions: GiveWP 3.3.0

Mitigation steps: Update to GiveWP plugin version 3.3.0 or greater.


AMP for WP – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2024-0587
Number of Installations: 100,000+
Affected Software: AMP for WP <= 1.0.92.1
Patched Versions: AMP for WP 1.0.93

Mitigation steps: Update to AMP for WP plugin version 1.0.93 or greater.


Filebird – Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Administrator authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2024-0691
Number of Installations: N/A
Affected Software: Filebird <= 5.6.0
Patched Versions: Filebird 5.6.1

Mitigation steps: Update to Filebird plugin version 5.6.1 or greater.


Essential Blocks – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-7071
Number of Installations: 100,000+
Affected Software: Essential Blocks <= 4.4.6
Patched Versions: Essential Blocks 4.4.7

Mitigation steps: Update to Essential Blocks plugin version 4.4.7 or greater.


Schema & Structured Data for WP & AMP – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2024-22146
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP <= 1.25
Patched Versions: Schema & Structured Data for WP & AMP 1.26

Mitigation steps: Update to Schema & Structured Data for WP & AMP plugin version 1.26 or greater.


WordPress Button Plugin MaxButtons – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6594
Number of Installations: 100,000+
Affected Software: WordPress Button Plugin MaxButtons <= 9.7.4
Patched Versions: WordPress Button Plugin MaxButtons 9.7.6

Mitigation steps: Update to WordPress Button Plugin MaxButtons plugin version 9.7.6 or greater.


List category posts – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6994
Number of Installations: 100,000+
Affected Software: List category posts <= 0.89.3
Patched Versions: List category posts 0.89.4

Mitigation steps: Update to List category posts plugin version 0.89.4 or greater.


Plugin for Google Reviews – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6884
Number of Installations: 100,000+
Affected Software: Plugin for Google Reviews <= 3.1
Patched Versions: Plugin for Google Reviews 3.2

Mitigation steps: Update to Plugin for Google Reviews plugin version 3.2 or greater.


LearnPress – SQL Injection (SQLi)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2023-6634
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.5.7
Patched Versions: LearnPress 4.2.5.8

Mitigation steps: Update to LearnPress plugin version 4.2.5.8 or greater.


EmbedPress – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6986
Number of Installations: 80,000+
Affected Software: EmbedPress < 3.9.5
Patched Versions: EmbedPress 3.9.6

Mitigation steps: Update to EmbedPress plugin version 3.9.6 or greater.


3D Flipbook – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6776
Number of Installations: 70,000+
Affected Software: 3D Flipbook <= 1.15.2
Patched Versions: 3D Flipbook 1.15.3

Mitigation steps: Update to 3D Flipbook plugin version 1.15.3 or greater.


WP RSS Aggregator – Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Admin level authentication required.
Vulnerability: Cross-Site Scripting
CVE: CVE-2024-0630
Number of Installations: 60,000+
Affected Software: WP RSS Aggregator <= 4.23.4
Patched Versions: WP RSS Aggregator 4.23.5

Mitigation steps: Update to WP RSS Aggregator plugin version 4.23.5 or greater.


Amelia – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6808
Number of Installations: 60,000+
Affected Software: Amelia <= 1.0.93
Patched Versions: Amelia 1.0.94

Mitigation steps: Update to Amelia plugin version 1.0.94 or greater.


MapPress Maps for WordPress – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6524
Number of Installations: 50,000+
Affected Software: MapPress Maps for WordPress <= 2.88.16
Patched Versions: MapPress Maps for WordPress 2.88.17

Mitigation steps: Update to MapPress Maps for WordPress plugin version 2.88.17 or greater.


WP Recipe Maker – Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2023-6958
Number of Installations: 50,000+
Affected Software: WP Recipe Maker <= 9.1.0
Patched Versions: WP Recipe Maker 9.1.1

Mitigation steps: Update to WP Recipe Maker plugin version 9.1.1 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a website firewall to help virtually patch known vulnerabilities and protect their site.

Chat with us about website security.


Article source: https://blog.sucuri.net/2024/01/vulnerability-patch-roundup-january-2024.html