Wordfence Intelligence Weekly WordPress Vulnerability Report (July 3, 2023 to July 9, 2023)

Last week, there were 61 vulnerabilities disclosed in 54 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 28 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• Booking Package <= 1.5.98 – Authorization Bypass to Arbitrary Password Reset
• Atarim – Client Interface <= 3.9.1 – Missing Authorization via AJAX actions
• HT Mega – Absolute Addons for Elementor <= 2.2.0 – Missing Authorization to Privilege Escalation

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	29
Patched	32

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	0
Medium Severity	49
High Severity	8
Critical Severity	4

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	24
Cross-Site Request Forgery (CSRF)	14
Missing Authorization	14
Authorization Bypass Through User-Controlled Key	4
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	2
Information Exposure	1
Uncontrolled Resource Consumption (‘Resource Exhaustion’)	1
Unrestricted Upload of File with Dangerous Type	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Alex Thomas (Wordfence Vulnerability Researcher)	9
LEE SE HYOUNG	6
Abdi Pranata	6
Lana Codes (Wordfence Vulnerability Researcher)	3
Rafie Muhammad	3
yuyudhn	3
Rio Darmawan	2
Muhammad Daffa	2
Elliot	1
Rafael B.	1
Bob Matyas	1
Kijam López	1
easyBug	1
Alex Sanford	1
Dipak Panchal	1
Yassir Sbai Fahim	1
Rafi Priatna Kasbiantoro	1
Pavitra Tiwari	1
Nguyen Anh Tien	1
Nithissh S	1
Friday	1
Dave Jong	1
PetiteMais	1
Yuki Haruma	1
Le Ngoc Anh	1
thiennv	1
TaeEun Lee	1
Paolo Elia	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup	armember-membership
All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements	mystickyelements
Animated Number Counters	animated-number-counters
Auto Location for WP Job Manager via Google	auto-location-for-wp-job-manager
BadgeOS	badgeos
Baidu Tongji generator	baidu-tongji-generator
Booking Package	booking-package
Bulk edit image alt tag, caption & description – WordPress Media Library Helper by Codexin	media-library-helper
Classified Listing – Classified ads & Business Directory Plugin	classified-listing
Coming Soon Page – Responsive Coming Soon & Maintenance Mode	responsive-coming-soon-page
Cryptocurrency Widgets – Price Ticker & Coins List	cryptocurrency-price-ticker-widget
FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin	fluent-smtp
Getnet Argentina para Woocommerce	integrar-getnet-con-woo
Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)	gift-voucher
HT Mega – Absolute Addons For Elementor	ht-mega-for-elementor
Header Footer Code Manager	header-footer-code-manager
Image Regenerate & Select Crop	image-regenerate-select-crop
Image Social Feed Plugin	add-instagram
Kingkong Board	kingkong-board
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course Builder	learning-management-system
LearnPress – WordPress LMS Plugin	learnpress
Livestream Notice	livestream-notice
Menubar	menubar
Mobile Call Now & Map Buttons	mobile-call-now-map-buttons
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress	ninja-forms
Product Category Tree	product-category-tree
Querlo Chatbot	querlo-chatbots
RSVPMaker	rsvpmaker
Reservation.Studio widget	reservation-studio-widget
SMTP Mail	smtp-mail
Secondary Title	secondary-title
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor)	woolentor-addons
Simple Giveaways – Grow your business, email lists and traffic with contests	giveasap
Simple Light Weight Social Share (Tweet, Like, Share and Linkedin)	only-tweet-like-share-and-google-1
Simple Site Verify	simple-site-verify
Social Share Boost	social-share-boost
SrbTransLatin – Serbian Latinisation	srbtranslatin
Sublanguage	sublanguage
User Registration – Custom Registration Form, Login Form And User Profile For WordPress	user-registration
Video Gallery – YouTube Playlist, Channel Gallery by YotuWP	yotuwp-easy-youtube-embed
Visibility Logic for Elementor	visibility-logic-elementor
Visual Website Collaboration, Feedback & Project Management – Atarim	atarim-visual-collaboration
WP Content Copy Protection & No Right Click	wp-content-copy-protector
WP Dummy Content Generator	wp-dummy-content-generator
WP Full Stripe Free	wp-full-stripe-free
WP Mail Log	wp-mail-log
WP RSS Images	wp-rss-images
WP Reroute Email	wp-reroute-email
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc	wp-sms
WP-Cirrus	wp-cirrus
WP-Optimize – Cache, Clean, Compress.	wp-optimize
WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps	wordpress-mobile-pack
oAuth Twitter Feed for Developers	oauth-twitter-feed-for-developers
wpForo Forum	wpforo

---

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
WPLMS Learning Management System for WordPress, WordPress LMS	wplms

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

User Registration <= 3.0.2 – Authenticated (Subscriber+) Arbitrary File Upload

---

HT Mega – Absolute Addons for Elementor <= 2.2.0 – Missing Authorization to Privilege Escalation

---

Booking Package <= 1.5.98 – Authorization Bypass to Arbitrary Password Reset

---

Atarim – Client Interface <= 3.9.1 – Missing Authorization via AJAX actions

---

Getnet Argentina para Woocommerce 0.0.1 – 0.0.4 – Authorization Bypass via webhook

---

LearnPress <= 4.2.3 – Missing Authorization to Information Exposure

---

WP Reroute Email <= 1.4.9 – Unauthenticated Stored Cross-Site Scripting via Email Subject

---

RSVPMarker <= 10.5.4 – Authenticated (Administrator+) SQL Injection via ‘resend’

---

WP Mail Log <= 1.1.1 – Unauthenticated Stored Cross-Site Scripting via Email

---

SMTP Mail <= 1.2.16 – Unauthenticated Stored Cross-Site Scripting via Email Subject

---

Coming Soon <= 1.5.8 – Authenticated (Administrator+) SQL Injection

---

FluentSMTP <= 2.2.4 – Unauthenticated Stored Cross-Site Scripting via Email Subject

---

ARMember <= 4.0.5 – Cross-Site Request Forgery

---

Masteriyo – LMS for WordPress <= 1.6.7 – Sensitive Information Exposure

---

Simple Giveaways <= 2.46.0 – Missing Authorization

---

BadgeOS <= 3.7.1.6 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion

---

Querlo Chatbot <= 1.2.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting

---

Secondary Title <= 2.0.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

WPLMS < 4.900 – Cross-Site Request Forgery

---

Kingkong Board <= 2.1.0.2 – Missing Authorization

---

wpForo Forum <= 2.1.8 – Reflected Cross-Site Scripting via ‘wpforo_debug’

---

WP-Optimize <= 3.2.12 & SrbTransLatin <= 2.4 – Stored/Reflected Cross-Site Scripting via Third Party Library

---

Animated Number Counters <= 1.6 – Authenticated (Editor+) Stored Cross-Site Scripting

---

WordPress Mobile Pack <= 3.4.1 – Cross-Site Request Forgery

---

LearnPress <= 4.2.3 – Missing Authorization

---

Sublanguage <= 2.9 – Missing Authorization

---

Header Footer Code Manager <= 1.1.34 – Cross-Site Request Forgery via process_bulk_action

---

BadgeOS <= 3.7.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Menubar <= 5.8.2 – Cross-Site Request Forgery in wpm-admin.php

---

Image Regenerate & Select Crop <= 7.1.0 – Missing Authorization

---

LearnPress <= 4.2.3 – Missing Authorization

---

Product Category Tree <= 2.5 – Missing Authorization

---

Ninja Forms <= 3.6.25 – Denial of Service via Large Form Submissions

---

Cryptocurrency Widgets – Price Ticker & Coins List <= 2.6.2 – Missing Authorization

---

WP Dummy Content Generator <= 2.3.0 – Missing Authorization

---

Auto Location for WP Job Manager via Google <= 1.0 – Authenticated (Administrator+) Stored Cross Site Scripting

---

WP Full Stripe Free <= 1.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Social Share Boost <= 4.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

WP-Cirrus <= 0.6.11 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

All-in-one Floating Contact Form <= 2.1.1 – Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings

---

Livestream Notice <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Reservation.Studio widget <= 1.0.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Video Gallery <= 1.3.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

WP Content Copy Protection & No Right Click <= 3.5.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Simple Light Weight Social Share (Tweet, Like, Share and Linkedin) <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Mobile Call Now & Map Buttons <= 1.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Simple Site Verify <= 1.0.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Image Social Feed Plugin <= 1.7.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

oAuth Twitter Feed for Developers <= 2.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Gift Cards (Gift Vouchers and Packages) <= 4.3.5 – Cross-Site Request Forgery in new_voucher_template.php

---

WP Dummy Content Generator <= 2.3.0 – Cross-Site Request Forgery

---

Classified Listing <= 2.4.5 – Cross-Site Request Forgery via rtcl_ajax_thumbnail_delete

---

WooLentor <= 2.6.2 – Cross-Site Request Forgery via process_data

---

BadgeOS <= 3.7.1.6 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Title Overwrite

---

BadgeOS <= 3.7.1.6 – Missing Authorization in delete_badgeos_log_entries

---

Visibility Logic for Elementor <= 2.3.4 – Missing Authorization via admin_post ‘toggle_option’

---

WP SMS <= 6.1.5 – Cross-Site Request Forgery

---

Baidu Tongji generator <= 1.0.2 – Cross-Site Request Forgery

---

WP RSS Images <= 1.1 – Cross-Site Request Forgery

---

Visibility Logic for Elementor <= 2.3.4 – Cross-Site Request Forgery via toggle_option

---

Media Library Helper by Codexin <= 1.2.0 – Cross-Site Request Forgery via rate_the_plugin_action

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.