Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 6, 2023 to Mar 12, 2023)
Last week, 60 vulnerabilities disclosed in 40 WordPress plugins and 1 WordPress theme were added to the Wordfence Intelligence Vulnerability Database, and 16 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Paytium <= 4.3.7 – Missing Authorization
- Yoast SEO <= 20.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
- Slimstat Analytics <= 4.9.3.2 – Authenticated (Subscriber+) SQL Injection via Shortcode
- Paid Memberships Pro <= 2.9.11 – Authenticated (Subscriber+) SQL Injection via Shortcodes
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 3 |
Patched | 57 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 0 |
Medium Severity | 53 |
High Severity | 6 |
Critical Severity | 1 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Cross-Site Request Forgery (CSRF) | 24 |
Missing Authorization | 17 |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 9 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 1 |
Server-Side Request Forgery (SSRF) | 1 |
Incorrect Privilege Assignment | 1 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
Reliance on Untrusted Inputs in a Security Decision | 1 |
Improper Authorization | 1 |
Deserialization of Untrusted Data | 1 |
Information Exposure | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Marco Wotschka (Wordfence Vulnerability Researcher) | 15 |
Mika | 5 |
Erwan LR | 3 |
Rafshanzani Suhada | 3 |
Rafie Muhammad | 2 |
yuyudhn | 2 |
Nguyen Xuan Chien | 1 |
Nicholas Ferreira | 1 |
Lana Codes | 1 |
FearZzZz | 1 |
Rio Darmawan | 1 |
Omar Badran | 1 |
thiennv | 1 |
Daniel Ruf | 1 |
Alex Sanford | 1 |
Abdi Pranata | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
Vulnerability Details
LeadSnap <= 1.23 – Unauthenticated PHP Object Injection via AJAX
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aefbebce-9433-455d-b27c-93088b0c8494
Multiple E-plugins (Various Versions) – Authenticated (Subscriber+) Privilege Escalation
CVSS Score: 8.8 (High)
Researcher/s: Omar Badran
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/629d4809-1dd2-4b67-8d8d-9c55f5240f94
WP Dark Mode <= 4.0.7 – Authenticated (Subscriber+) Local File Inclusion via ‘style’
CVSS Score: 8.8 (High)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d43234d0-5f44-4484-a8d6-16d43d1db51e
GiveWP <= 2.25.1 – Unauthenticated CSV Injection
CVSS Score: 8.3 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6368c397-0570-4304-a764-869bacc526c7
WP Statistics <= 13.2.16 – Authenticated (Admin+) SQL Injection
CVSS Score: 7.2 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0ffd60d2-ae8d-4738-a4f4-6df6e0ffa8c6
Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘create_mollie_account’
CVSS Score: 7.1 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4491b89-2120-4edb-a396-e45ba09b3b99
Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘create_mollie_profile’
CVSS Score: 7.1 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fbbd3209-7ed6-4409-a24e-9f6225cf10f5
Complianz – GDPR/CCPA Cookie Consent <= 6.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7397898c-8d43-4399-9c2b-22f9287aa12d
Weaver Xtreme Theme Support <= 5.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7431ee0f-f485-48a4-9cdd-8fb2ac43e216
Cookie Notice & Compliance for GDPR / CCPA <= 2.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘cookies_revoke_shortcode’ Shortcode
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/914de8f3-e052-4256-af14-4a08eaa464b8
Daily Prayer Time <= 2023.03.08 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95691873-a16a-4e41-9456-41fa07efd6ce
GiveWP <= 2.25.1 – Authenticated (Author+) Stored Cross-Site Scripting
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b30261e0-1fa1-4794-98f6-851532b7615c
GiveWP <= 2.25.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via give_form_grid shortcode
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc5f7a07-8117-4305-a72c-6afed80b6bcf
W4 Post List <= 2.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘w4pl[no_items_text]’
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/feb9af10-7df2-4eb1-8546-debaa925df42
GiveWP <= 2.25.1 – Cross-Site Request Forgery to Cross-Site Scripting via render_dropdown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a0381b1-9b63-41cb-8125-d22274b98867
Webmention <= 4.0.8 – Reflected Cross-Site Scripting via ‘replytocom’
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d12d692-231b-4e15-a119-80fd74566af4
Real Estate 7 Theme <= 3.3.4 – Unauthenticated Arbitrary Email Sending
CVSS Score: 5.8 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5778ba3d-6670-47ad-ae65-50b6fb8e5db0
Popup box <= 3.4.4 – Reflected Cross-Site Scripting via ‘ays_pb_tab’ Parameter
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01f60df7-0602-4a00-9905-a91348811dfe
Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘pt_cancel_subscription’
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/060f31ab-cfa4-4ca8-846a-de76848b28fb
Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘update_profile_preference’
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e9bee86-f491-4f68-b10b-051e0fb1a67b
HT Easy GA4 ( Google Analytics 4 ) <= 1.0.6 – Cross-Site Request Forgery via plugin_activation
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fa2fcda-69f4-4095-b23c-6e6f1613adb0
Updraft Plus <= 1.22.24 – Cross-Site Request Forgery via updraft_ajaxrestore
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/343cbdda-2ec5-437f-b563-96c61663314d
Daily Prayer Time <= 2023.03.08 – Cross-Site Request Forgery
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9060bb2a-b9d9-466d-bb8d-14173a51d145
Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘paytium_sw_save_api_keys’
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a92beff1-3bc6-459e-aeca-5cbdf2152388
GiveWP <= 2.25.1 – Cross-Site Request Forgery via process_bulk_action
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9939ffe-a5d5-45cb-b673-665acf1ff09d
GiveWP <= 2.25.1 – Authenticated (Contributor+) Arbitrary Content Deletion
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9af1429-32c5-4907-acf4-83efc6727bb8
Mass Delete Unused Tags <= 2.0.0 – Cross-Site Request Forgery via plugin_mass_delete_unused_tags_init
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abf4cfb9-745a-4b4f-8862-54ef561904d6
Mass Delete Taxonomies <= 3.0.0 – Cross-Site Request Forgery via mp_plugin_mass_delete_tags_init
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce060989-ce70-49ac-921c-a687bc944090
Auto Prune Posts <= 1.8.0 – Cross-Site Request Forgery via admin_menu
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f15af4eb-5752-4a85-babd-cee7e89c329d
Drag and Drop Multiple File Upload PRO <= 2.10.9 – Directory Traversal
CVSS Score: 5.3 (Medium)
Researcher/s: Nicholas Ferreira
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1add47ea-6a7b-443a-b31d-3bb6c0d5d72d
Formidable Forms <= 6.0.1 – IP Spoofing via HTTP header
CVSS Score: 5.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/909b5421-210d-427a-94a0-e1ea25880cec
CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.6 – Information Exposure
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e01b4259-ed8d-44a4-9771-470de45b14a8
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘attach_rule’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11f74b86-a050-4247-b310-045bf48fd4bd
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘uucss_update_rule’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19f126f8-1d59-44b5-8e0e-c37f1fbedf5a
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘attach_rule’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1bb55b22-a0d0-424f-8e4f-57d3f239c149
301 Redirects – Easy Redirect Manager <= 2.72 – Cross-Site Request Forgery via dismiss_notice
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2253cb38-3688-4e4d-afd1-582c8743c89a
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘uucss_update_rule’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/263153c9-61c5-4df4-803b-8d274e2a5e35
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘clear_page_cache’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2cba74f7-7183-4297-8f04-4818c01358ef
Clone <= 2.3.7 – Cross-Site Request Forgery via wp_ajax_tifm_save_decision
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/314d3e0c-ba29-4795-a646-40e0acfc3405
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘clear_uucss_logs’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/488e26e2-d4d7-4036-a672-53c2d4c9d39b
Popup Maker <= 1.18.0 – Cross-Site Request Forgery via init
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/533f71d5-823d-45eb-8ecf-76afafd2a5d3
Affiliate Super Assistent <= 1.5.1 – Cross-Site Request Forgery to Settings Update and Cache Clearing
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54dbd2f4-717c-4e01-afe4-c8cceca52650
cformsII <= 15.0.4 – Cross-Site Request Forgery leading to Settings Updates
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5798de72-b589-4474-82b2-df6ef26325a3
Side Menu Lite <= 4.0 – Cross-Site Request Forgery to Item Deletion
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/799b1f12-05f3-4b8b-9e1f-45c676e4f2a0
Clone <= 2.3.7 – Missing Authorization via wp_ajax_tifm_save_decision
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b6db928-f8ff-4e78-bfc7-51f1d1ccd1fa
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘ucss_connect’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c66894a-8d0f-4946-ae4d-bffd35f3ffb7
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘clear_uucss_logs’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a52325f9-51b5-469c-865e-73a22002d46f
External Links <= 2.57 – Cross-Site Request Forgery via action_admin_action_wpel_dismiss_notice
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae7d54a5-3952-4206-a5f4-be60aac27767
Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘check_for_verified_profiles’
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af55c470-b94d-49ee-8b72-44652dcccd73
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘clear_page_cache’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b228f8b1-dd68-41ee-bc49-6a62e5267233
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘ajax_deactivate’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2296800-93d6-48fa-aa09-3d28fa6371d7
GiveWP <= 2.25.1 – Cross-Site Request Forgery via give_cache_flush
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c820003b-8f30-4557-a282-e3ad7e403062
GiveWP <= 2.25.1 – Cross-Site Request Forgery via save
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb7ec7ad-797b-4a5c-9b1c-31284083faef
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘queue_posts’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d16fa590-1409-4f04-b8b7-0cce17412a5f
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘ajax_deactivate’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d95b01c3-5db4-40ac-8787-0db58a9cc3a6
Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘paytium_notice_dismiss’
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eb6642c0-9011-419b-bef6-5aa594993c01
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘ucss_connect’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eba48c51-87d9-4e7e-b4c1-0205cd96d033
Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘check_mollie_account_details’
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f065648a-436a-459c-8ab1-c948c78b43c9
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘queue_posts’
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3108ef4-f889-4ae1-b86f-cedf46dcea19
GiveWP <= 2.25.1 – Authenticated (Admin+) Server-Side Request Forgery via give_get_content_by_ajax_handler
CVSS Score: 4.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2379a029-cc0d-4fa2-9aeb-47a4abd6b51a
As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers. It draws on in-house vulnerability research, on vulnerability researchers submitting directly to us through our CVE Request form, and on monitoring of varied sources to capture all publicly available WordPress vulnerability information, with additional context added where we can.
Comments
7:57 am
Thank you for putting this detailed info together. I feel it would be very helpful if the list of plugin and theme names were also included, so everyone would know whether they are impacted by the vulnerabilities mentioned in the post.
3:05 am
Hi Pankaj,
Thank you for the feedback! We'll definitely take that into consideration for future reports.
3:17 pm
Thanks for keeping our websites safe and us updated with the information and patches, and what we can do going forward to protect our sites.
6:05 pm
Would it be possible to include an alphabetical list of the plugins that have vulnerabilities? With the current layout, I have to scroll down the list looking for plugins I use on my sites. A simple list at the top would be easy to quickly scan and then I could scroll down for the details if necessary.
3:06 am
Hi Alan,
We'll look into adding that into future reports. Thanks!