Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)

Last week, there were 82 vulnerabilities disclosed in 59 WordPress Plugins and 11 WordPress themes, along with 6 in WordPress Core, that have been added to the Wordfence Intelligence Vulnerability Database, and there were 26 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• MStore API <= 3.9.2 – Multiple Authentication Bypass
• WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.10.7 – Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change
• TheGem < 5.8.1.1 – Missing Authorization
• BP Social Connect <= 1.5 – Authentication Bypass
• WAF-RULE-595 – Data redacted while we work with the developer to ensure this vulnerability gets patched.
• WAF-RULE-596 – Data redacted while we work with the developer to ensure this vulnerability gets patched.
• Woodmart Core <= 1.0.36 – Authentication Bypass to Privilege Escalation

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	15
Patched	67

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	3
Medium Severity	68
High Severity	8
Critical Severity	3

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	35
Cross-Site Request Forgery (CSRF)	17
Missing Authorization	15
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	3
Authentication Bypass Using an Alternate Path or Channel	3
Authorization Bypass Through User-Controlled Key	2
Acceptance of Extraneous Untrusted Data With Trusted Data	2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	1
Server-Side Request Forgery (SSRF)	1
Improper Authentication	1
Deserialization of Untrusted Data	1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Rafie Muhammad	16
Lana Codes (Wordfence Vulnerability Researcher)	12
Marco Wotschka (Wordfence Vulnerability Researcher)	10
Erwan LR	6
Mika	4
Dave Jong	3
Emili Castells	2
Liam Gladdy	2
Prasanna V Balaji	2
LEE SE HYOUNG	2
yuyudhn	2
Le Ngoc Anh	1
John Blackbourn	1
LOURCODE	1
Jonas Höbenreich	1
Rio Darmawan	1
WPScanTeam	1
Muhammad Daffa	1
Nguyen Xuan Chien	1
konagash	1
thiennv	1
Jakub Zoczek	1
Nithissh S	1
Ramuel Gall (Wordfence Vulnerability Researcher)	1
Matt Rusnak (Wordfence Vulnerability Researcher)	1
Pavitra Tiwari	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable	ai-engine
AutomateWoo	automatewoo
BP Social Connect	bp-social-connect
Baidu Tongji generator	baidu-tongji-generator
Contact Form by Supsystic	contact-form-by-supsystic
ConvertKit – Email Marketing, Newsletter, Subscribers and Landing Pages	convertkit
Cookie Monster	cookiemonster
Custom 404 Pro	custom-404-pro
Customize WordPress Emails and Alerts – Better Notifications for WP	bnfw
Drop Shadow Boxes	drop-shadow-boxes
Easing Slider	easing-slider
Easy Forms for Mailchimp	yikes-inc-easy-mailchimp-extender
Essential Addons for Elementor Pro	essential-addons-elementor
File Away	file-away
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty	chaty
Jazz Popups	jazz-popups
MStore API	mstore-api
Multiple Page Generator Plugin – MPG	multiple-pages-generator-by-porthas
OTP Login Woocommerce & Gravity Forms	mobile-login-woocommerce
Performance Lab	performance-lab
Photo Gallery by Ays – Responsive Image Gallery	gallery-photo-gallery
PixelYourSite Pro – Your smart PIXEL (TAG) Manager	pixelyoursite-pro
PixelYourSite – Your smart PIXEL (TAG) Manager	pixelyoursite
Predictive Search	predictive-search
Predictive Search for WooCommerce	woocommerce-predictive-search
Quiz Maker	quiz-maker
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login	custom-registration-form-builder-with-submission-manager
Ricerca – advanced search	ricerca-smart-search
SEO Change Monitor – Track Website Changes	seo-change-monitor
Scripts n Styles	scripts-n-styles
Simple Page Ordering	simple-page-ordering
Smart App Banner	smart-app-banner
Stop Referrer Spam	stop-referrer-spam
Stop Spammers Security | Block Spam Users, Comments, Forms	stop-spammer-registrations-plugin
Survey Maker – Best WordPress Survey Plugin	survey-maker
Ultimate Dashboard – Custom WordPress Dashboard	ultimate-dashboard
UpdraftPlus WordPress Backup Plugin	updraftplus
Video Gallery	video-slider-with-thumbnails
WP Activity Log	wp-security-audit-log
WP Activity Log Premium	wp-security-audit-log-premium
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc	wp-sms
WP htaccess Control	wp-htaccess-control
Waiting: One-click countdowns	waiting
WeSecur Security – Antivirus, Malware Scanner and Protection for your WordPress	wesecur-security
WishSuite – Wishlist for WooCommerce	wishsuite
WooCommerce Bookings	woocommerce-bookings
WooCommerce Brands	woocommerce-brands
WooCommerce Composite Products	woocommerce-composite-products
WooCommerce Pre-Orders	woocommerce-pre-orders
WooCommerce Product Add-ons	woocommerce-product-addons
WooCommerce Ship to Multiple Addresses	woocommerce-shipping-multiple-addresses
WooDiscuz – WooCommerce Comments	woodiscuz-woocommerce-comments
WordPress	wordpress
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg	groundhogg
Zotpress	zotpress
nuajik	nuajik-cdn
reCAPTCHA and Cloudflare Turnstile For All Pages, to Block Spam and Hackers Attack, Block Visitors from China	recaptcha-for-all
video carousel slider with lightbox	wp-responsive-video-gallery-with-lightbox
woocommerce-product-recommendations	woocommerce-product-recommendations

---

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Appzend	appzend
BuzzStore	buzzstore
Craft Blog	craft-blog
Fitness Park	fitness-park
Kathmag	kathmag
Kingcabs	kingcabs
Medical Heed	medical-heed
MetroStore	metrostore
Online eStore	online-estore
SparkleStore	sparklestore
SpiderMag	spidermag

---

Vulnerability Details

BP Social Connect <= 1.5 – Authentication Bypass

---

RegistrationMagic <= 5.2.1.0 – Authentication Bypass

---

MStore API <= 3.9.0 – Authentication Bypass

---

SEO Change Monitor <= 1.2 – Authenticated (Subscriber+) SQL Injection

---

OTP Login Woocommerce & Gravity Forms <= 2.2 – Authentication Bypass to Privilege Escalation

---

Groundhogg <= 2.7.9.8 – Cross-Site Request Forgery to Privilege Escalation

---

Waiting: One-click countdowns <= 0.6.2 – Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting

---

Essential Addons for Elementor Pro <= 5.4.8 – Unauthenticated Server-Side Request Forgery

---

Multiple Page Generator Plugin <= 3.3.17 – Authenticated (Administrator+) SQL Injection

---

WooCommerce Pre-Orders <= 1.9.0 – Unauthenticated Cross-Site Scripting

---

WooCommerce Product Add-ons <= 6.1.3 – Authenticated (Shop Manager+) PHP Object Injection

---

Predictive Search <= 1.2.2 – Missing Authorization

---

WordPress Core < 6.2.2 – Shortcode Execution in User Generated Content

---

WordPress Core < 6.2.1 – Shortcode Execution in User Generated Content

---

Predictive Search <= 1.2.2 – Missing Authorization

---

Predictive Search <= 1.2.2 – Missing Authorization

---

File Away <= 3.9.9.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Drop Shadow Boxes <= 1.7.10 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

WordPress Core < 6.2.1 – Insufficient Sanitization of Block Attributes

---

WooCommerce Brands <= 1.6.45 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

WordPress Core < 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Embed Discovery

---

WooCommerce Pre-Orders <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

WP SMS <= 6.1.4 – Reflected Cross-Site Scripting via ‘delete_mobile’

---

Survey Maker <= 3.4.6 – Reflected Cross-Site Scripting via ‘page’ parameter

---

WooCommerce Composite Products <= 8.7.5 – Reflected Cross-Site Scripting

---

Chaty <= 3.0.9 – Reflected Cross-Site Scripting

---

Easy Forms for Mailchimp <= 6.8.8 – Unauthenticated Cross-Site Scripting

---

UpdraftPlus <= 1.23.3 – Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage

---

Custom 404 Pro <= 3.8.1 – Reflected Cross-Site Scripting via ‘page’

---

Stop Spammers Security <= 2022.6 – Reflected Cross-Site Scripting

---

Video Gallery <= 1.0.10 – Reflected Cross-Site Scripting

---

Jazz Popups <= 1.8.7 – Reflected Cross-Site Scripting via ‘wpjazzpopup_switchonoff’

---

Photo Gallery by Ays <= 5.1.6 – Reflected Cross-Site Scripting

---

ConvertKit <= 2.2.0 – Reflected Cross-Site Scripting

---

video carousel slider with lightbox <= 1.0.22 – Reflected Cross-Site Scripting

---

Quiz Maker <= 6.4.2.6 – Reflected Cross-Site Scripting

---

Essential Addons for Elementor Pro <= 5.4.8 – Reflected Cross-Site Scripting

---

AutomateWoo <= 5.7.1 – Authenticated (Shop manager+) SQL Injection

---

Contact Form by Supsystic <= 1.7.24 – Cross-Site Request Forgery via AJAX action

---

Groundhogg <= 2.7.9.8 – Missing Authorization to Non-Arbitrary File Upload

---

Zotpress <= 7.3.3 – Reflected Cross-Site Scripting

---

Simple Page Ordering <= 2.5.0 – Missing Authorization to Information Disclosure

---

Stop Referrer Spam <= 1.3.0 – Cross-Site Request Forgery via processParameters

---

Groundhogg <= 2.7.9.8 – Cross-Site Request Forgery to Disable All Plugins

---

WordPress Core < 6.2.1 – Directory Traversal

---

Smart App Banner <= 1.1.2 – Cross-Site Request Forgery via wsl_smart_app_banner_options

---

Multiple sparklewpthemes Themes (Various versions) – Cross-Site Request Forgery to Arbitrary Plugin Activation

---

WooCommerce Predictive Search <= 5.8.0 – Missing Authorization via multiple AJAX actions

---

Easing Slider <= 3.0.8 – Missing Authorization to Unauthenticated Settings Reset

---

Multiple sparklewpthemes Themes (Various versions) – Missing Authorization to Arbitrary Plugin Activation

---

WooCommerce Predictive Search <= 5.8.0 – Cross-Site Request Forgery via multiple AJAX actions

---

Groundhogg <= 2.7.9.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

WooDiscuz – WooCommerce Comments <= 2.2.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Chaty <= 3.0.9 – Authenticated (Admin+) Stored Cross-Site Scripting

---

Cookie Monster <= 1.51 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

PixelYourSite <= 9.3.6 and PixelYourSite Pro <= 9.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

WP htaccess Control <= 3.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable <= 1.6.82 – Authenticated (Admin+) Stored Cross-Site Scripting

---

WishSuite <= 1.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Stop Spammers Security <= 2022.6 – Authenticated (Admin+) Stored Cross-Site Scripting

---

WeSecur Security <= 1.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Ultimate Dashboard <= 3.7.5 – Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings

---

nuajik CDN <= 0.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

WordPress Core < 6.2.1 – Cross-Site Request Forgery

---

WooCommerce Ship to Multiple Addresses <= 3.8.3 – Insecure Direct Object Reference

---

Groundhogg <= 2.7.9.8 – Missing Authorization to Admin Account and Ticket Creation

---

Groundhogg <= 2.7.9.8 – Missing Authorization to Update License

---

WooCommerce Bookings <= 1.15.78 – Insecure Direct Object Reference

---

Ricerca smart and advanced search <= 1.0.15 – Cross-Site Request Forgery

---

WP Activity Log Premium <= 4.5.0 – Cross-Site Request Forgery via ajax_switch_db

---

AutomateWoo <= 5.7.1 – Cross-Site Request Forgery

---

reCAPTCHA for all <= 1.22 – Missing Authorization via recaptcha_for_all_image_select

---

WP Activity Log Premium <= 4.5.0 – Missing Authorization via ajax_switch_db

---

Performance Lab <= 2.2.0 – Cross-Site Request Forgery via dismiss-wp-pointer

---

Better Notifications for WP <= 1.9.2 – Cross-Site Request Forgery via handle_actions

---

WooCommerce Product Recommendations < 2.3.0 – Cross-Site Request Forgery

---

WooCommerce Product Add-ons <= 6.1.3 – Cross-Site Request Forgery

---

WP Activity Log <= 4.5.0 – Cross-Site Request Forgery via ajax_run_cleanup

---

WP Activity Log <= 4.5.0 – Missing Capabilities Check to User Enumeration

---

Scripts n Styles <= 3.5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Baidu Tongji generator <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Multiple Page Generator Plugin <= 3.3.17 – Cross-Site Request Forgery to SQL Injection

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.