Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 6, 2023 to Mar 12, 2023)

Last week, there were 60 vulnerabilities disclosed in 40 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 16 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	3
Patched	57

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	0
Medium Severity	53
High Severity	6
Critical Severity	1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Cross-Site Request Forgery (CSRF)	24
Missing Authorization	17
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	9
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	2
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	1
Server-Side Request Forgery (SSRF)	1
Incorrect Privilege Assignment	1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)	1
Reliance on Untrusted Inputs in a Security Decision	1
Improper Authorization	1
Deserialization of Untrusted Data	1
Information Exposure	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Marco Wotschka (Wordfence Vulnerability Researcher)	15
Mika	5
Erwan LR	3
Rafshanzani Suhada	3
Rafie Muhammad	2
yuyudhn	2
Nguyen Xuan Chien	1
Nicholas Ferreira	1
Lana Codes	1
FearZzZz	1
Rio Darmawan	1
Omar Badran	1
thiennv	1
Daniel Ruf	1
Alex Sanford	1
Abdi Pranata	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

Vulnerability Details

LeadSnap <= 1.23 – Unauthenticated PHP Object Injection via AJAX

CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aefbebce-9433-455d-b27c-93088b0c8494

Multiple E-plugins (Various Versions) – Authenticated (Subscriber+) Privilege Escalation

CVE ID: CVE-2020-36666
CVSS Score: 8.8 (High)
Researcher/s: Omar Badran
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/629d4809-1dd2-4b67-8d8d-9c55f5240f94

WP Dark Mode <= 4.0.7 – Authenticated (Subscriber+) Local File Inclusion via ‘style’

CVE ID: CVE-2023-0467
CVSS Score: 8.8 (High)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d43234d0-5f44-4484-a8d6-16d43d1db51e

GiveWP <= 2.25.1 – Unauthenticated CSV Injection

CVE ID: CVE-2023-22719
CVSS Score: 8.3 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6368c397-0570-4304-a764-869bacc526c7

WP Statistics <= 13.2.16 – Authenticated (Admin+) SQL Injection

CVE ID: CVE-2023-0955
CVSS Score: 7.2 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0ffd60d2-ae8d-4738-a4f4-6df6e0ffa8c6

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘create_mollie_account’

CVE ID: CVE Unknown
CVSS Score: 7.1 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4491b89-2120-4edb-a396-e45ba09b3b99

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘create_mollie_profile’

Complianz – GDPR/CCPA Cookie Consent <= 6.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVE ID: CVE-2023-1069
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7397898c-8d43-4399-9c2b-22f9287aa12d

Weaver Xtreme Theme Support <= 5.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7431ee0f-f485-48a4-9cdd-8fb2ac43e216

Cookie Notice & Compliance for GDPR / CCPA <= 2.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘cookies_revoke_shortcode’ Shortcode

CVE ID: CVE-2023-0823
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/914de8f3-e052-4256-af14-4a08eaa464b8

Daily Prayer Time <= 2023.03.08 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVE ID: CVE-2023-27631
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95691873-a16a-4e41-9456-41fa07efd6ce

GiveWP <= 2.25.1 – Authenticated (Author+) Stored Cross-Site Scripting

CVE ID: CVE-2022-40211
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b30261e0-1fa1-4794-98f6-851532b7615c

GiveWP <= 2.25.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via give_form_grid shortcode

CVE ID: CVE-2023-23668
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc5f7a07-8117-4305-a72c-6afed80b6bcf

W4 Post List <= 2.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘w4pl[no_items_text]’

CVE ID: CVE-2023-27413
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/feb9af10-7df2-4eb1-8546-debaa925df42

GiveWP <= 2.25.1 – Cross-Site Request Forgery to Cross-Site Scripting via render_dropdown

CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a0381b1-9b63-41cb-8125-d22274b98867

Webmention <= 4.0.8 – Reflected Cross-Site Scripting via ‘replytocom’

Real Estate 7 Theme <= 3.3.4 – Unauthenticated Arbitrary Email Sending

CVE ID: CVE Unknown
CVSS Score: 5.8 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5778ba3d-6670-47ad-ae65-50b6fb8e5db0

Popup box <= 3.4.4 – Reflected Cross-Site Scripting via ‘ays_pb_tab’ Parameter

CVE ID: CVE-2023-27414
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01f60df7-0602-4a00-9905-a91348811dfe

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘pt_cancel_subscription’

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/060f31ab-cfa4-4ca8-846a-de76848b28fb

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘update_profile_preference’

HT Easy GA4 ( Google Analytics 4 ) <= 1.0.6 – Cross-Site Request Forgery via plugin_activation

CVE ID: CVE-2023-23802
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fa2fcda-69f4-4095-b23c-6e6f1613adb0

Updraft Plus <= 1.22.24 – Cross-Site Request Forgery via updraft_ajaxrestore

Daily Prayer Time <= 2023.03.08 – Cross-Site Request Forgery

CVE ID: CVE-2023-27632
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9060bb2a-b9d9-466d-bb8d-14173a51d145

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘paytium_sw_save_api_keys’

GiveWP <= 2.25.1 – Cross-Site Request Forgery via process_bulk_action

GiveWP <= 2.25.1 – Authenticated (Contributor+) Arbitrary Content Deletion

CVE ID: CVE-2023-23672
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9af1429-32c5-4907-acf4-83efc6727bb8

Mass Delete Unused Tags <= 2.0.0 – Cross-Site Request Forgery via plugin_mass_delete_unused_tags_init

CVE ID: CVE-2023-27430
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abf4cfb9-745a-4b4f-8862-54ef561904d6

Mass Delete Taxonomies <= 3.0.0 – Cross-Site Request Forgery via mp_plugin_mass_delete_tags_init

Auto Prune Posts <= 1.8.0 – Cross-Site Request Forgery via admin_menu

CVE ID: CVE-2023-27423
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f15af4eb-5752-4a85-babd-cee7e89c329d

Drag and Drop Multiple File Upload PRO <= 2.10.9 – Directory Traversal

CVE ID: CVE-2023-1112
CVSS Score: 5.3 (Medium)
Researcher/s: Nicholas Ferreira
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1add47ea-6a7b-443a-b31d-3bb6c0d5d72d

Formidable Forms <= 6.0.1 – IP Spoofing via HTTP header

CVE ID: CVE-2023-0816
CVSS Score: 5.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/909b5421-210d-427a-94a0-e1ea25880cec

CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.6 – Information Exposure

CVE ID: CVE-2023-1263
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e01b4259-ed8d-44a4-9771-470de45b14a8

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘attach_rule’

CVE ID: CVE-2023-1343
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11f74b86-a050-4247-b310-045bf48fd4bd

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘uucss_update_rule’

CVE ID: CVE-2023-1339
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19f126f8-1d59-44b5-8e0e-c37f1fbedf5a

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘attach_rule’

CVE ID: CVE-2023-1338
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1bb55b22-a0d0-424f-8e4f-57d3f239c149

301 Redirects – Easy Redirect Manager <= 2.72 – Cross-Site Request Forgery via dismiss_notice

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2253cb38-3688-4e4d-afd1-582c8743c89a

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘uucss_update_rule’

CVE ID: CVE-2023-1344
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/263153c9-61c5-4df4-803b-8d274e2a5e35

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘clear_page_cache’

CVE ID: CVE-2023-1333
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2cba74f7-7183-4297-8f04-4818c01358ef

Clone <= 2.3.7 – Cross-Site Request Forgery via wp_ajax_tifm_save_decision

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/314d3e0c-ba29-4795-a646-40e0acfc3405

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘clear_uucss_logs’

CVE ID: CVE-2023-1340
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/488e26e2-d4d7-4036-a672-53c2d4c9d39b

Popup Maker <= 1.18.0 – Cross-Site Request Forgery via init

Affiliate Super Assistent <= 1.5.1 – Cross-Site Request Forgery to Settings Update and Cache Clearing

CVE ID: CVE-2023-27417
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54dbd2f4-717c-4e01-afe4-c8cceca52650

cformsII <= 15.0.4 – Cross-Site Request Forgery leading to Settings Updates

CVE ID: CVE-2023-25449
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5798de72-b589-4474-82b2-df6ef26325a3

Side Menu Lite <= 4.0 – Cross-Site Request Forgery to Item Deletion

CVE ID: CVE-2023-27418
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/799b1f12-05f3-4b8b-9e1f-45c676e4f2a0

Clone <= 2.3.7 – Missing Authorization via wp_ajax_tifm_save_decision

CVE ID: CVE-2023-25486
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b6db928-f8ff-4e78-bfc7-51f1d1ccd1fa

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘ucss_connect’

CVE ID: CVE-2023-1342
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c66894a-8d0f-4946-ae4d-bffd35f3ffb7

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘clear_uucss_logs’

CVE ID: CVE-2023-1337
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a52325f9-51b5-469c-865e-73a22002d46f

External Links <= 2.57 – Cross-Site Request Forgery via action_admin_action_wpel_dismiss_notice

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘check_for_verified_profiles’

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘clear_page_cache’

CVE ID: CVE-2023-1346
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b228f8b1-dd68-41ee-bc49-6a62e5267233

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘ajax_deactivate’

CVE ID: CVE-2023-1336
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2296800-93d6-48fa-aa09-3d28fa6371d7

GiveWP <= 2.25.1 – Cross-Site Request Forgery via give_cache_flush

GiveWP <= 2.25.1 – Cross-Site Request Forgery via save

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘queue_posts’

CVE ID: CVE-2023-1345
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d16fa590-1409-4f04-b8b7-0cce17412a5f

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘ajax_deactivate’

CVE ID: CVE-2023-1341
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d95b01c3-5db4-40ac-8787-0db58a9cc3a6

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘paytium_notice_dismiss’

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘ucss_connect’

CVE ID: CVE-2023-1335
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eba48c51-87d9-4e7e-b4c1-0205cd96d033

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘check_mollie_account_details’

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘queue_posts’

CVE ID: CVE-2023-1334
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3108ef4-f889-4ae1-b86f-cedf46dcea19

GiveWP <= 2.25.1 – Authenticated (Admin+) Server-Side Request Forgery via give_get_content_by_ajax_handler

CVE ID: CVE-2022-40312
CVSS Score: 4.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2379a029-cc0d-4fa2-9aeb-47a4abd6b51a

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Comments

5 Comments

Pankaj

March 16, 2023
7:57 am

Thank you for putting this detailed info. Feel it would be very helpful if the list of plugins and theme names are also included in this so everyone would know if they are impacted or not with the vulnerabilities mentioned in the post.

Chloe Chamberland

March 17, 2023
3:05 am

Hi Pankaj,

Thank you for the feedback! We'll definitely take that into consideration for future reports.

H. John J

March 16, 2023
3:17 pm

Thanks for keeping our websites safe and us updated with the information and patches, and what we can do going forward to protect our sites.
Alan

March 16, 2023
6:05 pm

Would it be possible to include an alphabetical list of the plugins that have vulnerabilities? With the current layout, I have to scroll down the list looking for plugins I use on my sites. A simple list at the top would be easy to quickly scan and then I could scroll down for the details if necessary.