Wordfence Intelligence Weekly WordPress Vulnerability Report (June 12, 2023 to June 18, 2023)

Last week, there were 60 vulnerabilities disclosed in 52 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 25 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	20
Patched	40

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	1
Medium Severity	53
High Severity	6
Critical Severity	0

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	26
Cross-Site Request Forgery (CSRF)	21
Missing Authorization	8
Information Exposure	1
Authorization Bypass Through User-Controlled Key	1
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)	1
Unrestricted Upload of File with Dangerous Type	1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Truoc Phan	6
LEE SE HYOUNG	5
Erwan LR	5
Marco Wotschka (Wordfence Vulnerability Reasearcher)	4
Abdi Pranata	3
Mika	3
Lana Codes (Wordfence Vulnerability Reasearcher)	3
yuyudhn	3
Nguyen Xuan Chien	3
Rafshanzani Suhada	2
konagash	2
NeginNrb	2
Rafie Muhammad	2
A. S. M. Muhiminul Hasan	1
Theodoros Malachias	1
Rio Darmawan	1
Le Ngoc Anh	1
emad	1
Alex Thomas (Wordfence Vulnerability Reasearcher)	1
Daniel Ruf	1
Amirmohammad vakili	1
thiennv	1
Chloe Chamberland (Wordfence Vulnerability Reasearcher)	1
Phd	1
killr00t	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup	armember-membership
All Bootstrap Blocks	all-bootstrap-blocks
Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress and all Kinds of Equipment	booking-and-rental-manager-for-woocommerce
CF7 Google Sheets Connector	cf7-google-sheets-connector
CF7 Google Sheets Connector Pro	cf7-google-sheets-connector-pro
CHP Ads Block Detector	chp-ads-block-detector
Church Admin	church-admin
Constant Contact Forms	constant-contact-forms
Contact Form by WD – responsive drag & drop contact form builder tool	contact-form-maker
Elementor Forms Google Sheet Connector	gsheetconnector-for-elementor-forms
Elementor Forms Google Sheet Connector Pro	gsheetconnector-for-elementor-forms-pro
Flo Forms – Easy Drag & Drop Form Builder	flo-forms
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder	form-maker
Forminator – Contact Form, Payment Form & Custom Form Builder	forminator
Galleria	galleria
Google Map Shortcode	google-map-shortcode
Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor	front-editor
LWS Cleaner	lws-cleaner
LWS Tools	lws-tools
Login Configurator	login-configurator
MStore API	mstore-api
MasterStudy LMS WordPress Plugin – for Online Courses and Education	masterstudy-lms-learning-management-system
ND Shortcodes	nd-shortcodes
Ninja Forms Google Sheet Connector	gsheetconnector-ninja-forms
Ninja Forms Google Sheet Connector Pro	gsheetconnector-ninja-forms-pro
Password Protected	password-protected
Protect WP Admin	protect-wp-admin
Recent Posts Slider	recent-posts-slider
Recipe Maker For Your Food Blog from Zip Recipes	zip-recipes
Securimage-WP	securimage-wp
Seed Fonts	seed-fonts
Sermon’e – Sermons Online	UNKNOWN-CVE-2023-35776-1
Stock Manager for WooCommerce	woocommerce-stock-manager
Template Debugger	quick-edit-template-link
Tutor LMS – eLearning and online course solution	tutor
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)	unlimited-elements-for-elementor
WP Affiliate Links	wp-affiliate-links
WP Backup Manager	wp-backup-manager
WP Directory Kit	wpdirectorykit
WP Matterport Shortcode	shortcode-gallery-for-matterport-showcase
WP PDF Generator	wp-pdf-generator
WPForms Google Sheet Connector	gsheetconnector-wpforms
WPForms Google Sheet Connector Pro	gsheetconnector-wpforms-pro
Who Hit The Page – Hit Counter	who-hit-the-page-hit-counter
WooCommerce Stripe Payment Gateway	woocommerce-gateway-stripe
WordPress Contact Forms by Cimatti	contact-forms
WordPress NextGen GalleryView	wordpress-nextgen-galleryview
YaySMTP – Simple WP SMTP Mail	yaysmtp
Zephyr Project Manager	zephyr-project-manager
breadcrumb simple	breadcrumb-simple
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin	mycred
胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件	fat-rat-collect

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.66 – Authenticated (Contributor+) Arbitrary File Upload

---

Tutor LMS <= 2.2.0 – Missing Authorization via REST API

---

WooCommerce Stripe Payment Gateway <= 7.4.0 – Unauthenticated Insecure Direct Object Reference to Sensitive Information Disclosure

---

Ninja Forms Google Sheet Connector <= 1.2.6 – Reflected Cross-Site Scripting

---

YaySMTP <= 2.4.5 – Unauthenticated Stored Cross-Site Scripting via Email

---

Who Hit The Page – Hit Counter <= 1.4.14.3 – Unauthenticated Cross-Site Scripting

---

Contact Form Maker <= 1.13.23 – Authenticated (Administrator+) SQL Injection

---

All Bootstrap Blocks <= 1.3.6 – Cross-Site Request Forgery to Plugin Settings Reset

---

WP Directory Kit <= 1.2.3 – Missing Authorization to Plugin Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_admin_action

---

MStore API <= 3.9.5 – Missing Authorization

---

Sermon’e <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

MasterStudy LMS <= 3.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

ND Shortcodes <= 6.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

WP Matterport Shortcode <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

ND Shortcodes <= 6.9 – Authenticated (Subscriber+) Local File Inclusion

---

Front User Submit | Front Editor <= 3.7.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting

---

NextGen GalleryView <= 0.5.5 – Reflected Cross-Site Scripting

---

CF7 Google Sheets Connector <= 5.0.1 – Reflected Cross-Site Scripting via ‘code’

---

Elementor Forms Google Sheet Connector <= 1.0.6 – Reflected Cross-Site Scripting via ‘code’

---

WP Backup Manager <= 1.13.1 – Reflected Cross-Site Scripting

---

WPForms Google Sheet Connector <= 3.4.5 – Reflected Cross-Site Scripting

---

Recent Posts Slider <= 1.1 – Reflected Cross-Site Scripting

---

WP Affiliate Links <= 0.1.1 – Reflected Cross-Site Scripting

---

Google Map Shortcode <= 3.1.2 – Reflected Cross-Site Scripting

---

Church Admin <= 3.7.29 – Reflected Cross-Site Scripting

---

LWS Tools <= 2.4.1 – Cross-Site Request Forgery

---

LWS Cleaner <= 2.3.0 – Cross-Site Request Forgery

---

Fat Rat Collect <= 2.6.1 – Missing Authorization

---

Protect WP Admin <= 3.8 – Unauthenticated Information Disclosure to Protection Bypass

---

Forminator <= 1.23.3 – Race Condition to Multiple Poll Voting

---

CHP Ads Block Detector <= 3.9.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting

---

Seed Fonts 2.3.1 – Authenticated(Administrator+) Stored Cross-Site Scripting

---

ARMember <= 4.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Booking and Rental Manager <= 1.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Login Configurator <= 2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Password Protected <= 2.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Flo Forms <= 1.0.40 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Recent Posts Slider <= 1.1 – Cross-Site Request Forgery

---

MStore API <= 3.9.6 – Cross-Site Request Forgery to Product Limit Update

---

Zephyr Project Manager <= 3.3.93 – Cross-Site Request Forgery

---

WP PDF Generator <= 1.2.2 – Cross-Site Request Forgery to PDF Settings Update

---

Securimage-WP <= 3.6.16 – Cross-Site Request Forgery

---

MasterStudy LMS <= 3.0.7 – Missing Authorization to Course Category Creation

---

CHP Ads Block Detector <= 3.9.4 – Missing Authorization to Plugin Settings Update

---

Zip Recipes <= 8.0.7 – Cross-Site Request Forgery

---

MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Message Update

---

Form Maker <= 1.15.16 – Missing Authorization in check_score

---

Template Debugger <= 3.1.2 – Cross-Site Request Forgery

---

Stock Manager for WooCommerce <= 2.10.0 – Cross-Site Request Forgery

---

myCred <= 2.5 – Cross-Site Request Forgery

---

MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Title Update

---

Constant Contact Forms <= 2.0.2 – Missing Authorization via constant_contact_privacy_ajax_handler

---

MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Status Update

---

MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Title Update

---

MStore API <= 3.9.6 – Cross-Site Request Forgery to Firebase Server Key Update

---

CHP Ads Block Detector <= 3.9.4 – Cross-Site Request Forgery via chp_abd_action

---

Galleria <= 1.0.3 – Cross-Site Request Forgery via showOptionsPage

---

Recipe Maker For Your Food Blog from Zip Recipes <= 8.0.7 – Cross-Site Request Forgery

---

WordPress Contact Forms by Cimatti <= 1.5.7 – Cross-Site Request Forgery via _accua_forms_form_edit_action

---

breadcrumb simple <= 1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.