Wordfence Intelligence Weekly WordPress Vulnerability Report (October 23, 2023 to October 29, 2023)

Last week, there were 109 vulnerabilities disclosed in 102 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• WP EXtra <= 6.2 – Missing Authorization to .htaccess File Modification

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	59
Patched	50

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	0
Medium Severity	92
High Severity	14
Critical Severity	3

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	42
Missing Authorization	24
Cross-Site Request Forgery (CSRF)	22
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	7
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	3
URL Redirection to Untrusted Site (‘Open Redirect’)	3
Deserialization of Untrusted Data	2
Improper Authentication	1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	1
Guessable CAPTCHA	1
Improper Access Control	1
Protection Mechanism Failure	1
Authorization Bypass Through User-Controlled Key	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Lana Codes (Wordfence Vulnerability Researcher)	25
Nguyen Xuan Chien	10
Mika	8
Abdi Pranata	7
Skalucy	3
Dmitrii Ignatyev	3
qilin_99	3
Abu Hurayra	2
Muhammad Daffa	2
thiennv	2
Jonas Höbenreich	2
LEE SE HYOUNG	2
Ala Arfaoui	2
Francesco Carlucci	2
Revan Arifio	1
Le Ngoc Anh	1
Rio Darmawan	1
Enrico Marcolini	1
Claudio Marchesini	1
Florian Hauser	1
emad	1
Vaishnav Rajeevan	1
Tien from VNPT-VCI	1
Nithissh S	1
Abhijith A	1
Nicolas Surribas	1
konagash	1
Elliot	1
GiongfNef	1
TP Cyber Security	1
Erwan LR	1
Krzysztof Zając	1
Emili Castells	1
SeungYongLee	1
NGÔ THIÊN AN	1
Hamoud Al Helmani	1
Jerome Bruandet	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
10Web Booster – Website speed optimization, Cache & Page Speed optimizer	tenweb-speed-optimizer
404 Solution	404-solution
Accordion	accordions-wp
Admin and Site Enhancements (ASE)	admin-site-enhancements
Advanced Menu Widget	advanced-menu-widget
All-In-One Security (AIOS) – Security and Firewall	all-in-one-wp-security-and-firewall
Alter	alter
Animated Counters	animated-counters
Article analytics	article-analytics
Auto Excerpt everywhere	auto-excerpt-everywhere
Auto Limit Posts Reloaded	auto-limit-posts-reloaded
Autolinks Manager	daext-autolinks-manager
BSK PDF Manager	bsk-pdf-manager
Bellows Accordion Menu	bellows-accordion-menu
Bonus for Woo	bonus-for-woo
Booking calendar, Appointment Booking System	booking-calendar
Buzzsprout Podcasting	buzzsprout-podcasting
CallRail Phone Call Tracking	callrail-phone-call-tracking
Category SEO Meta Tags	category-seo-meta-tags
CloudNet360	cloudnet-sync
Convertful – Your Ultimate On-Site Conversion Tool	convertful
Cookie Bar	cookie-bar
Current Menu Item for Custom Post Types	current-menu-item-for-custom-post-types
Custom Header Images	custom-header-images
Custom Login Page | Temporary Users | Rebrand Login | Login Captcha	feather-login-page
Custom My Account for Woocommerce	custom-my-account-for-woocommerce
DeepL API translation plugin	wpdeepl
Deeper Comments	deeper-comments
Delete Me	delete-me
DoLogin Security	dologin
EasyRecipe	easyrecipe
Export WP Page to Static HTML/CSS	export-wp-page-to-static-html
FLOWFACT WP Connector	flowfact-wp-connector
FareHarbor for WordPress	fareharbor
Fathom Analytics for WP	fathom-analytics
FeedFocal	feedfocal
GD Security Headers	gd-security-headers
Generate Dummy Posts	generate-dummy-posts
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers	rafflepress
Google Maps made Simple	wp-gmappity-easy-google-maps
Grid Plus – Unlimited grid layout	grid-plus
Group Chat & Video Chat by AtomChat	atomchat
ICS Calendar	ics-calendar
ImageLinks Interactive Image Builder for WordPress	imagelinks-interactive-image-builder-lite
Interactive Image Map Plugin – Draw Attention	draw-attention
KD Coming Soon	kd-coming-soon
LiteSpeed Cache	litespeed-cache
Live Chat with Facebook Messenger	wp-facebook-messenger
Magic Embeds	wp-embed-facebook
Mail logging – WP Mail Catcher	wp-mail-catcher
Mediabay – Media Library Folders	mediabay-lite
Medialist	media-list
MomentoPress for Momento360	cmyee-momentopress
My Shortcodes	my-shortcodes
Neon text	neon-text
News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry)	blog-designer-pack
Ni WooCommerce Sales Report	ni-woocommerce-sales-report
Original texts Yandex WebMaster	original-texts-yandex-webmaster
PHP to Page	php-to-page
Parcel Pro	woo-parcel-pro
Post Meta Data Manager	post-meta-data-manager
Pre-Orders for WooCommerce	pre-orders-for-woocommerce
Product Recommendation Quiz for eCommerce	product-recommendation-quiz-for-ecommerce
PubyDoc – Data Tables and Charts	pubydoc-data-tables-and-charts
Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress	quillforms
Related Products for WooCommerce	woo-related-products-refresh-on-reload
Remove Add to Cart WooCommerce	remove-add-to-cart-woocommerce
Reusable Text Blocks	reusable-text-blocks
SAHU TikTok Pixel for E-Commerce	sahu-tiktok-pixel
Seraphinite Accelerator	seraphinite-accelerator
Shortcode Menu	shortcode-menu
Simple Shortcodes	smpl-shortcodes
Simple User Listing	simple-user-listing
Slick Popup: Contact Form 7 Popup Plugin	slick-popup
Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More	woocommerce-exporter
TK Google Fonts GDPR Compliant	tk-google-fonts
Thumbnail Slider With Lightbox	wp-responsive-slider-with-lightbox
Thumbnail carousel slider	wp-responsive-thumbnail-slider
User Avatar	user-avatar
VK Blocks	vk-blocks
VK Filter Search	vk-filter-search
Very Simple Google Maps	very-simple-google-maps
WCP OpenWeather	wcp-openweather
WDContactFormBuilder	contact-form-builder
WDSocialWidgets	spider-facebook
WP EXtra	wp-extra
WP Font Awesome	wp-font-awesome
WP Glossary	wp-glossary
WP Helper Premium	wp-helper-lite
WP Post Popup	wp-post-modal
WP Simple Galleries	wp-simple-galleries
WP Word Count	wp-word-count
WP iCal Availability	wp-ical-availability
WPPizza – A Restaurant Plugin	wppizza
Weather Atlas Widget	weather-atlas
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg	groundhogg
WordPress CTA – WordPress Call To Action, Sticky CTA, Floating Buttons, Floating Tab Plugin	easy-sticky-sidebar
WordPress Knowledge base & Documentation Plugin – WP Knowledgebase	wp-knowledgebase
WordPress Simple HTML Sitemap	wp-simple-html-sitemap
YITH WooCommerce Product Add-Ons	yith-woocommerce-product-add-ons
YOP Poll	yop-poll
kk Star Ratings	kk-star-ratings

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

PHP to Page <= 0.3 – Authenticated (Subscriber+) Local File Inclusion to Remote Code Execution via Shortcode

---

Article Analytics <= 1.0 – Unauthenticated SQL Injection

---

Thumbnail Slider With Lightbox <= 1.0 – Cross-Site Request Forgery to Arbitrary File Upload

---

WP Simple Galleries <= 1.34 – Authenticated (Contributor+) PHP Object Injection

---

Google Maps made Simple <= 0.6 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

WP EXtra <= 6.2 – Missing Authorization to .htaccess File Modification

---

Post Meta Data Manager <=1.2.0 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

---

Deeper Comments <= 2.1.1 – Missing Authorization to Authenticated(Subscriber+) Arbitrary Options Update

---

KD Coming Soon <= 1.7 – Unauthenticated PHP Object Injection via cetitle

---

News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 – Unauthenticated Remote Code Execution via Local File Inclusion

---

Admin and Site Enhancements (ASE) <= 5.7.1 – Password Protection Mode Security Feature Bypass

---

Post Meta Data Manager <=1.2.0 – Missing Authorization to User, Term, and Post Meta Deletion

---

404 Solution <= 2.33.2 – Authenticated (Administrator+) SQL Injection via orderby

---

ImageLinks <= 1.5.4 – Authenticated (Admin+) SQL Injection

---

GD Security Headers <= 1.7 – Authenticated (Admin+) SQL Injection

---

Booking Calendar WpDevArt <= 3.2.11 – Authenticated (Admin+) SQL Injection

---

Mail logging – WP Mail Catcher <= 2.1.3 – Authenticated (Admin+) SQL Injection

---

ICS Calendar <= 10.12.0.1 – Authenticated(Contributor+) Directory Traversal via _url_get_contents

---

WordPress CTA <= 1.5.6 – Missing Authorization via Multiple AJAX Actions

---

DoLogin Security <= 3.7.1 – Missing Authorization via REST Endpoints

---

10Web Booster <= 2.24.14 – Unauthenticated Arbitrary Option Deletion

---

Product Recommendation Quiz for eCommerce <= 2.1.0 – Missing Authorization in prq_set_token

---

VK Filter Search <= 2.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

VK Blocks <= 1.63.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Block

---

LiteSpeed Cache <= 5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Animated Counters <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

CallRail Phone Call Tracking <= 0.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

FareHarbor for WordPress <= 3.6.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Shortcode Menu <= 3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Medialist <= 1.3.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

---

Bellows Accordion Menu <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

WP Font Awesome <= 1.7.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Advanced Menu Widget <= 0.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

BSK PDF Manager <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

WDContactFormBuilder <= 1.0.72 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Magic Embeds <= 3.0.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Simple Shortcodes <= 1.0.20 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Grid Plus <= 1.3.2 – Authenticated (Subscriber+) Local File Inclusion via Shortcode

---

Giveaways and Contests by RafflePress <= 1.12.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Accordion <= 2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Related Products for WooCommerce <= 3.3.15 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Live Chat with Facebook Messenger <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Buzzsprout Podcasting <= 1.8.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Weather Atlas Widget <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

MomentoPress for Momento360 <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Pre-Orders for WooCommerce <= 1.2.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Neon text <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Very Simple Google Maps <= 2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Draw Attention <= 2.0.15 – Improper Access Control via register_cpt

---

WP Simple HTML Sitemap <= 2.1 – Reflected Cross-Site Scripting via id

---

Bonus for Woo <= 5.8.2 – Reflected Cross-Site Scripting

---

Download CloudNet360 <= 3.2.0 – Reflected Cross-Site Scripting

---

User Avatar <= 1.4.11 – Unauthenticated Cross-Site Scripting

---

WooCommerce – Store Exporter <= 2.7.2 – Reflected Cross-Site Scripting via ‘filter’

---

Seraphinite Accelerator <= 2.20.28 – Reflected Cross-Site Scripting via ‘rt’

---

FLOWFACT WP Connector <= 2.1.7 – Reflected Cross-Site Scripting

---

Simple User Listing <= 1.9.2 – Reflected Cross-Site Scripting via as

---

WPPizza <= 3.18.2 – Reflected Cross-Site Scripting

---

Reusable Text Blocks <= 1.5.3 – Authenticated (Author+) Stored Cross-Site Scripting via Shortcode

---

My Shortcodes <= 2.3 – Missing Authorization via Multiple AJAX Actions

---

Quill Forms <= 3.3.0 – Cross-Site Request Forgery

---

Seraphinite Accelerator <= 2.20.28 – Arbitrary Redirect via ‘redir’

---

Spider Facebook <= 1.0.15 – Cross-Site Request Forgery

---

Quill Forms <= 3.3.0 – Missing Authorization

---

Grid Plus <= 1.3.2 – Missing Authorization to Authenticated (Subscriber+) Grid Layout Add/Update/Delete

---

Alter <= 1.0 – Cross-Site Request Forgery

---

kk Star Ratings <= 5.4.5 – Missing Authorization

---

AtomChat <= 1.1.4 – Missing Authorization via credits REST API Endpoint

---

YOP Poll <= 6.5.28 – Reusable Captcha via validateImage

---

FeedFocal <= 1.2.1 – Missing Authorization via feedfocal_api_setup REST function

---

Convertful – Your Ultimate On-Site Conversion Tool <= 2.5 – Missing Authorization via add_woo_coupon

---

All In One WP Security <= 5.2.4 – Protection Bypass of Renamed Login Page via URL Encoding

---

Generate Dummy Posts <= 1.0.0 – Missing Authorization

---

YITH WooCommerce Product Add-Ons <= 4.2.0 – Missing Authorization

---

Glossary <= 3.1.2 – Missing Authorization

---

Delete Me <= 3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Parcel Pro <= 1.6.8 – Open Redirect via ‘redirect’

---

SAHU TikTok Pixel for E-Commerce <= 1.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

PubyDoc <= 2.0.6 – Authenticated (Admin+) Stored Cross-Site Scripting

---

Slick Popup: Contact Form 7 Popup Plugin <= 1.7.14 – Authenticated (Admin+) Stored Cross-Site Scripting

---

WP Post Popup <= 3.7.3 – Authenticated (Admin+) Stored Cross-Site Scripting

---

Cookie Bar <= 2.0 – Authenticated(Administrator+) Stored Cross-Site Scripting

---

Fathom Analytics <= 3.0.7 – Authenticated(Administrator+) Stored Cross-Site Scripting

---

Groundhogg <= 2.7.11.10 – Authenticated (Administrator+) Stored Cross-Site Scripting via Task Data

---

TK Google Fonts GDPR Compliant <= 2.2.11 – Missing Authorization to Font Deletion

---

Custom Header Images <= 1.2.1 – Cross-Site Request Forgery

---

Autolinks Manager <= 1.10.04 – Cross-Site Request Forgery

---

Auto Excerpt everywhere <= 1.5 – Cross-Site Request Forgery

---

EasyRecipe <= 3.5.3251 – Cross-Site Request Forgery

---

Mediabay <= 1.6 – Missing Authorization via AJAC actions

---

Remove Add to Cart WooCommerce <= 1.4.4 – Cross-Site Request Forgery to Settings Modification

---

WP Word Count <= 3.2.4 – Missing Authorization via calculate_statistics

---

WP Helper Premium <= 4.5.1 – Cross-Site Request Forgery via whp_fields

---

TK Google Fonts GDPR Compliant <= 2.2.11 – Missing Authorization to Font Addition

---

Export WP Page to Static HTML/CSS <= 2.1.9 – Cross-Site Request Forgery via Multiple AJAX Actions

---

Ni WooCommerce Sales Report <= 3.7.2 – Missing Authorization via ajax_sales_order

---

WP EXtra <= 6.2 – Missing Authorization to Arbitrary Email Sending

---

Original texts Yandex WebMaster <= 1.18 – Cross-Site Request Forgery

---

WP Knowledgebase <= 1.3.4 – Cross-Site Request Forgery

---

Feather Login Page <= 1.1.3 – Cross-Site Request Forgery

---

DeepL Pro API translation <= 2.3.7.1 – Cross-Site Request Forgery via wpdeepl_prune_logs

---

Thumbnail carousel slider <= 1.0 – Cross-Site Request Forgery to Mass Slider Deletion

---

WP iCal Availability <= 1.0.3 – Missing Authorization

---

Seraphinite Accelerator (Base, cache only) <= 2.20.31 – Cross-Site Request Forgery

---

WCP OpenWeather <= 2.5.0 – Cross-Site Request Forgery

---

Current Menu Item for Custom Post Types <= 1.5 – Cross-Site Request Forgery

---

Category SEO Meta Tags <= 2.5 – Cross-Site Request Forgery via csmt_admin_options

---

Custom My Account for Woocommerce <= 2.1 – Cross-Site Request Forgery

---

Auto Limit Posts Reloaded <= 2.5 – Cross-Site Request Forgery

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.