Wordfence Intelligence Weekly WordPress Vulnerability Report (August 7, 2023 to August 13, 2023)

Last week, there were 86 vulnerabilities disclosed in 68 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 36 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• WAF-RULE-622, data redacted while we work with the developer to ensure this vulnerability gets patched.
• WAF-RULE-623, data redacted while we work with the developer to ensure this vulnerability gets patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	25
Patched	61

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	0
Medium Severity	63
High Severity	19
Critical Severity	4

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	25
Missing Authorization	21
Cross-Site Request Forgery (CSRF)	20
Unrestricted Upload of File with Dangerous Type	4
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	4
Improper Privilege Management	3
Authorization Bypass Through User-Controlled Key	2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	2
Server-Side Request Forgery (SSRF)	1
Improper Authorization	1
Improper Authentication	1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	1
Deserialization of Untrusted Data	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Rafie Muhammad	13
Lana Codes (Wordfence Vulnerability Researcher)	11
Mika	5
Marco Wotschka (Wordfence Vulnerability Researcher)	4
Abdi Pranata	4
Cat	3
Rio Darmawan	2
Aman Rawat	2
thiennv	2
Skalucy	2
Jonas Höbenreich	2
Erwan LR	2
OZ1NG (TOOR, LISA)	2
Ramuel Gall (Wordfence Vulnerability Researcher)	2
Phd	2
minhtuanact	2
LEE SE HYOUNG	2
Ivy	1
Bob Matyas	1
Rafshanzani Suhada	1
deokhunKim	1
Nguyen Hoang Nam	1
Dmitrii Ignatyev	1
Taihei Shimamine	1
Satoo Nakano	1
Ryotaro Imamura	1
Mesh3l_911	1
Dmitrii	1
Nguyen Xuan Chien	1
Alexander Concha	1
Daniel Ruf	1
Robert DeVore	1
Sayandeep Dutta	1
Truoc Phan	1
Robert Rowley	1
tnt24	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
AI ChatBot	chatbot
ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup	armember
Absolute Privacy	absolute-privacy
Accordion and Accordion Slider	accordion-and-accordion-slider
Advanced Custom Fields Pro	advanced-custom-fields-pro
All Users Messenger	all-users-messenger
BigBlueButton	bigbluebutton
Biometric Login For WooCommerce	biometric-login-for-woocommerce
Booking Package	booking-package
Canto	canto
Donations Made Easy – Smart Donations	smart-donations
Easy Cookie Law	easy-cookie-law
Easy!Appointments	easyappointments
Email Template Designer – WP HTML Mail	wp-html-mail
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor	embedpress
FULL – Customer	full-customer
Fusion Builder	fusion-builder
Futurio Extra	futurio-extra
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent)	gdpr-cookie-compliance
Gutenberg Blocks by Kadence Blocks – Page Builder Features	kadence-blocks
Highcompress Image Compressor	high-compress
ImageRecycle pdf & image compression	imagerecycle-pdf-image-compression
JCH Optimize	jch-optimize
Jupiter X Core	jupiterx-core
Justified Gallery	justified-gallery
Kangu para WooCommerce	kangu
Leyka	leyka
MailChimp Forms by MailMunch	mailchimp-forms-by-mailmunch
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress	ninja-forms
Online Booking & Scheduling Calendar for WordPress by vcita	meeting-scheduler-by-vcita
POEditor	poeditor
Photo Gallery by Ays – Responsive Image Gallery	gallery-photo-gallery
PixTypes	pixtypes
Popup by Supsystic	popup-by-supsystic
Portfolio and Projects	portfolio-and-projects
Post Grid Combo – 36+ Blocks for Gutenberg	post-grid
Post Timeline	post-timeline
Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS	pmpro-courses
Premium Packages – Sell Digital Products Securely	wpdm-premium-packages
Printful Integration for WooCommerce	printful-shipping-for-woocommerce
Product Attachment for WooCommerce	woo-product-attachment
Profile Builder – User Profile & User Registration Forms	profile-builder
Rate my Post – WP Rating System	rate-my-post
Real Estate Manager – Property Listing and Agent Management	real-estate-manager
Realia	realia
Responsive WordPress Slider – Avartan Slider Lite	avartan-slider-lite
SB Child List	sb-child-list
SendPress Newsletters	sendpress
Sign-up Sheets	sign-up-sheets
Stock Ticker	stock-ticker
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid	the-post-grid
Theme Demo Import	theme-demo-import
Themesflat Addons For Elementor	themesflat-addons-for-elementor
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin	ultimate-member
User Activity Log	user-activity-log
User Activity Tracking and Log	user-activity-tracking-and-log
Visual Website Collaboration, Feedback & Project Management – Atarim	atarim-visual-collaboration
WP 404 Auto Redirect to Similar Post	wp-404-auto-redirect-to-similar-post
WP Categories Widget	wp-categories-widget
WP Like Button	wp-like-button
WP Pipes	wp-pipes
WooCommerce PDF Invoice Builder, Create invoices, packing slips and more	woo-pdf-invoice-builder
WxSync-标准云微信公众号文章免费采集-任意公众号自动采集付费购买	wxsync
YITH WooCommerce Waitlist	yith-woocommerce-waiting-list
demon image annotation	demon-image-annotation
flowpaper	flowpaper-lite-pdf-flipbook
wSecure Lite	wsecure
woocommerce-one-page-checkout	woocommerce-one-page-checkout

---

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Avada | Website Builder For WordPress & WooCommerce	Avada
Betheme	betheme
Business Pro	business-pro

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Kadence Blocks <= 3.1.10 – Unauthenticated Arbitrary File Upload

---

Canto <= 3.0.4 – Unauthenticated Remote File Inclusion

---

Biometric Login for WooCommerce <= 1.0.3 – Unauthenticated Privilege Escalation

---

Themesflat Addons For Elementor <= 2.0.0 – Unauthenticated PHP Object Injection

---

Realia <= 1.4.0 – Cross-Site Request Forgery to User Email Change

---

WooCommerce PDF Invoice Builder <= 1.2.89 – Authenticated (Subscriber+) SQL Injection via Export

---

Fusion Builder <= 3.11.1 – Authenticated (Subscriber+) SQL Injection

---

Premium Packages – Sell Digital Products Securely <= 5.7.4 – Arbitrary User Meta Update to Authenticated (Subscriber+) Privilege Escalation

---

FULL – Customer <= 2.2.3 – Authenticated(Subscriber+) Improper Authorization to Arbitrary Plugin Installation

---

Avada <= 7.11.1 – Authenticated(Author+) Arbitrary File Upload via Zip Extraction

---

Real Estate Manager <= 6.7.1 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation

---

Absolute Privacy <= 2.1 – Cross-Site Request Forgery to User Email/Password Change

---

WooCommerce One Page Checkout <= 2.3.0 – Authenticated (Contributor+) Local File Inclusion via `woocommerce_one_page_checkout`

---

Avada <= 7.11.1 – Authenticated(Contributor+) Server Side Request Forgery via ‘ajax_import_options’

---

JupiterX Core 3.0.0 – 3.3.0 – Missing Authorization

---

Easy!Appointments <= 1.3.1 – Authenticated(Subscriber+) Arbitrary File Deletion via ‘disconnect’

---

Post Grid <= 2.2.50 – Missing Authorization to Sensitive Information Exposure via REST API

---

Avada <= 7.11.1 – Authenticated(Contributor+) Arbitrary File Upload via ‘ajax_import_options’

---

User Activity Log <= 1.6.5 – Unauthenticated Data Export to Sensitive Information Disclosure

---

Theme Demo Import <= 1.1.1 – Authenticated (Administrator+) Arbitrary File Upload

---

WP 404 Auto Redirect to Similar Post <= 1.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Donations Made Easy – Smart Donations <= 4.0.12 – Authenticated (Administrator+) SQL Injection

---

Demon image annotation <= 5.1 – Authenticated (Administrator+) SQL Injection

---

Fusion Builder <= 3.11.1 – Cross-Site Request Forgery

---

Accordion and Accordion Slider <= 1.2.4 – Missing Authorization via ‘wp_aas_get_attachment_edit_form’ and ‘wp_aas_save_attachment_data’

---

Betheme <= 27.1.1 – Missing Authorization via ‘_tool_history_delete’

---

Highcompress Image Compressor <= 4.0.0 – Missing Authorization via multiple AJAX actions

---

EmbedPress <= 3.8.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

WxSync <= 2.7.23 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

flowpaper <= 1.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Popup by Supsystic <= 1.10.19 – Cross-Site Request Forgery

---

Stock Ticker <= 3.23.3 – Reflected Cross-Site Scripting in ajax_stockticker_load

---

BigBlueButton <= 3.0.0-beta.4 – Reflected Cross-Site Scripting

---

ImageRecycle pdf & image compression <= 3.1.11 – Reflected Cross-Site Scripting

---

Stock Ticker <= 3.23.2 – Reflected Cross-Site Scripting in ajax_stockticker_symbol_search_test

---

ImageRecycle pdf & image compression <= 3.1.10 – Reflected Cross-Site Scripting

---

Business Pro <= 1.10.4 – Reflected Cross-Site Scripting

---

WP Categories Widget <= 2.2 – Reflected Cross-Site Scripting

---

Fusion Builder <= 3.11.1 – Reflected Cross-Site Scripting via User Register Element

---

Kangu para WooCommerce <= 2.2.9 – Reflected Cross-Site Scripting

---

Atarim <= 3.9.3 – Reflected Cross-Site Scripting

---

PixTypes <= 1.4.15 – Reflected Cross-Site Scripting

---

Leyka <= 3.30.2 – Reflected Cross-Site Scripting

---

Booking Package <= 1.6.01 – Reflected Cross-Site Scripting via ‘mode’

---

Avartan Slider Lite <= 1.5.3 – Reflected Cross-Site Scripting via ‘asview-nouce’

---

Post Timeline <= 2.2.5 – Reflected Cross-Site Scripting

---

MailChimp Forms by MailMunch <= 3.1.4 – Missing Authorization via multiple AJAX actions

---

All Users Messenger <= 1.24 – Authenticated (Subscriber+) Insecure Direct Object Reference to Message Deletion

---

EmbedPress <= 3.8.2 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Delete via admin_post_remove and remove_private_data

---

Profile Builder <= 3.9.7 – Missing Authorization to Initial Page Creation

---

ARMember Premium <= 5.9.2 – Missing Authorization

---

SendPress Newsletters <= 1.22.3.31 – Missing Authorization

---

wSecure Lite <= 2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

---

ChatBot 4.7.7 – Authenticated (Administrator+) Stored Cross-Site Scripting in Language Settings

---

ChatBot 4.7.7 – Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder

---

Paid Memberships Pro – Courses for Membership Add On <= 1.2.4 – Authenticated (Admin+) Stored Cross-Site Scripting

---

Advanced Custom Fields PRO 6.1 – 6.1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Ninja Forms <= 3.6.25 – Authenticated (Administrator+) Stored HTML Injection

---

WP Pipes <= 1.4.0 – Cross-Site Request Forgery to Settings Update

---

YITH WooCommerce Waiting List <= 2.6.0 – Cross-Site Request forgery via ‘save_mail_status’

---

Paid Memberships Pro – Courses for Membership Add On <= 1.2.3 – Cross-Site Request Forgery to Course Modifications

---

JCH Optimize <= 4.0.0 – Missing Authorization to Authenticated (Subscriber+) Settings Modification

---

Photo Gallery by Ays <= 5.2.6 – Cross-Site Request Forgery

---

Fusion Builder <= 3.11.1 – Missing Authorization

---

Easy Cookie Law <= 3.1 – Cross-Site Request Forgery via ‘ecl_options’

---

User Activity Tracking and Log <= 4.0.8 – Cross-Site Request Forgery

---

JupiterX Core 3.0.0 – 3.3.0 – Missing Authorization

---

Rate my Post – WP Rating System <= 3.4.1 – Insecure Direct Object Reference

---

The Post Grid <= 7.2.7 – Cross-Site Request Forgery

---

POEditor <= 0.9.7 – Cross-Site Request Forgery

---

GDPR Cookie Compliance <= 4.12.4 – Cross-Site Request Forgery to License Modification

---

Portfolio and Projects <= 1.3.7 – Cross-Site Request Forgery via ‘wpos_anylc_admin_init_process’

---

WP Like Button <= 1.6.11 – Cross-Site Request Forgery via ‘saveData’

---

Sign-up Sheets <= 2.2.8 – Cross-Site Request Forgery

---

FULL – Customer <= 2.2.3 – Authenticated(Subscriber+) Information Disclosure via Health Check

---

WooCommerce Product Attachment <= 2.1.8 – Cross-Site Request Forgery

---

Paid Memberships Pro – Courses for Membership Add On <= 1.2.3 – Missing Authorization to Authenticated (Subscriber+) Course Modifications

---

Avada <= 7.11.1 – Missing Authorization

---

Justified Gallery <= 1.7.3 – Missing Authorization via ‘dismiss_how_to_use_notice’ and ‘dismiss_notice’

---

Printful Integration for WooCommerce <= 2.2.2 – Cross-Site Request Forgery

---

WP HTML Mail <= 3.4.0 – Cross-Site Request Forgery via ‘send_test’

---

WooCommerce PDF Invoice Builder <= 1.2.90 – Cross-Site Request Forgery via Save

---

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.6.8 – Cross-Site Request Forgery

---

Futurio Extra <= 1.8.2 – Cross-Site Request Forgery via ‘futurio_extra_reset_mod’

---

SB Child List <= 4.5 – Cross-Site Request Forgery via ‘sb_cl_update_settings’

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.