Wordfence Intelligence Weekly WordPress Vulnerability Report (June 5, 2023 to June 11, 2023)

Last week, there were 45 vulnerabilities disclosed in 30 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 17 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• Abandoned Cart Lite for WooCommerce <= 5.14.2 – Authentication Bypass
• WAF-RULE-607 – title redacted while we work with the developer to ensure this gets patched.
• WAF-RULE-608 – title redacted while we work with the developer to ensure this gets patched.
• WAF-RULE-609 – title redacted while we work with the developer to ensure this gets patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	5
Patched	40

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	0
Medium Severity	34
High Severity	10
Critical Severity	1

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	18
Authorization Bypass Through User-Controlled Key	5
Missing Authorization	5
Cross-Site Request Forgery (CSRF)	5
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	5
Deserialization of Untrusted Data	1
Information Exposure	1
Unrestricted Upload of File with Dangerous Type	1
Authentication Bypass Using an Alternate Path or Channel	1
Improper Authorization	1
Improper Neutralization of Formula Elements in a CSV File	1
Server-Side Request Forgery (SSRF)	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Ramuel Gall (Wordfence Vulnerability Researcher)	12
Alex Thomas (Wordfence Vulnerability Researcher)	7
Erwan LR	4
Ilyase Dehy	2
Chien Vuong	2
Taurus Omar	2
Le Ngoc Anh	1
Juampa Rodríguez	1
Aymane Mazguiti	1
Mohamed Selim	1
Lana Codes (Wordfence Vulnerability Researcher)	1
Etan Imanol Castro Aldrete	1
Ivan Kuzymchak (Wordfence Vulnerability Researcher)	1
Marco Wotschka (Wordfence Vulnerability Researcher)	1
NGO VAN TU	1
Shreya Pohekar	1
iohex	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Aajoda Testimonials	aajoda-testimonials
Abandoned Cart Lite for WooCommerce	woocommerce-abandoned-cart
Catalyst Connect Zoho CRM Client Portal	catalyst-connect-client-portal
CodeColorer	codecolorer
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy	dokan-lite
Download Monitor	download-monitor
Easy Digital Downloads – Simple eCommerce for Selling Digital Files	easy-digital-downloads
Editorial Calendar	editorial-calendar
Elementor Addons, Widgets and Enhancements – Stax	stax-addons-for-elementor
FiboSearch – Ajax Search for WooCommerce	ajax-search-for-woocommerce
FormCraft – Contact Form Builder for WordPress	formcraft-form-builder
GD Mail Queue	gd-mail-queue
Getwid – Gutenberg Blocks	getwid
Gravity Forms Google Sheet Connector	gsheetconnector-gravity-forms
KiviCare – Clinic & Patient Management System (EHR)	kivicare-clinic-management-system
Lana Email Logger	lana-email-logger
Mail logging – WP Mail Catcher	wp-mail-catcher
Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress	metform
PowerPress Podcasting plugin by Blubrry	powerpress
Responsive CSS EDITOR	responsive-css-editor
Shopping Cart & eCommerce Store	wp-easycart
Social Media Share Buttons & Social Sharing Icons	ultimate-social-media-icons
Ultimate Addons for Contact Form 7	ultimate-addons-for-contact-form-7
Ultimate Product Catalog	ultimate-product-catalogue
Visitor Traffic Real Time Statistics	visitors-traffic-real-time-statistics
WP Brutal AI	wpbrutalai
WP Inventory Manager	wp-inventory-manager
WP Mail Logging	wp-mail-logging
WP-Members Membership Plugin	wp-members
WordPress Tables	wptables

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Abandoned Cart Lite for WooCommerce <= 5.14.2 – Authentication Bypass

---

Download Monitor <= 4.8.3 – Authenticated(Subscriber+) Arbitrary File Upload via upload_file

---

Ultimate Addons for Contact Form 7 <= 3.1.23 – Authenticated(Subscriber+) SQL Injection

---

WP Brutal AI < 2.0.0 – Cross-Site Request Forgery to SQL Injection

---

Getwid – Gutenberg Blocks <= 1.8.3 – Authenticated(Subscriber+) Server Side Request Forgery

---

Metform Elementor Contact Form Builder <= 3.3.0 – Unauthenticated CSV Injection

---

GD Mail Queue <= 3.9.3 – Unauthenticated Stored Cross-Site Scripting via Email

---

WP Mail Catcher <= 2.1.2 – Unauthenticated Stored Cross-Site Scripting via Email Subject

---

WP EasyCart <= 5.4.10 – Authenticated (Administrator+) SQL Injection via ‘orderby’

---

Lana Email Logger <= 1.0.2 – Unauthenticated Stored Cross-Site Scripting via Email Subject

---

WP Mail Logging <= 1.11.1 – Unauthenticated Stored Cross-Site Scripting via Email

---

Dokan <=3.7.19 – Authenticated(Shop Manager+) PHP Object Injection via create_dummy_vendor

---

Responsive CSS EDITOR <= 1.0 – Authenticated(Administrator+) SQL Injection

---

FormCraft Premium <= 3.9.6 – Authenticated(Administrator+) SQL Injection

---

Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via mf shortcode

---

Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via ‘mf_transaction_id’ shortcode

---

KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 – Sensitive Information Exposure

---

KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 – Cross-Site Request Forgery

---

Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via mf_thankyou shortcode

---

Editorial Calendar <= 3.7.12 – Authenticated(Contributor+) Stored Cross-Site Scripting via edcal_saveoptions AJAX action

---

WordPress Tables <= 1.3.9 – Reflected Cross-Site Scripting via error_msg

---

WP Brutal AI < 2.0.1 – Reflected Cross-Site Scripting

---

Catalyst Connect Zoho CRM Client Portal <= 2.0.0 – Reflected Cross-Site Scripting

---

Metform Elementor Contact Form Builder <= 3.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode

---

Metform Elementor Contact Form Builder <= 3.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode

---

KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 – Missing Authorization

---

Metform Elementor Contact Form Builder <= 3.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via mf_first_name shortcode

---

Gravity Forms Google Sheet Connector <= 1.3.4 – Cross-Site Request Forgery via verify_code_integation_new

---

Metform Elementor Contact Form Builder <= 3.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via mf_thankyou shortcode

---

Aajoda Testimonials <= 2.2.1 – Authenticated(Administrator+) Stored Cross-Site Scripting

---

Ultimate Product Catalog <= 5.2.5 – Authenticated(Administrator+) Stored Cross-Site Scripting

---

Social Media Share Buttons & Social Sharing Icons <= 2.8.1 – Authenticated(Administrator+) Stored Cross-Site Scripting

---

PowerPress <= 10.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘Feed[title]’

---

FiboSearch – AJAX Search for WooCommerce <= 1.23.0 – Authenticated (Admin+) Stored Cross-Site Scripting

---

CodeColorer <= 0.10.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Download Monitor <= 4.7.60 – Missing Authorization to Authenticated Data Export

---

Getwid – Gutenberg Blocks <= 1.8.3 – Improper Authorization via get_remote_templates REST endpoint

---

Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode

---

Elementor Addons, Widgets and Enhancements – Stax <= 1.4.3 – Missing Authorization in toggle_widget

---

WP-Members Membership <= 3.4.7.3 – Missing Authorization to Settings Update

---

Elementor Addons, Widgets and Enhancements – Stax <= 1.4.3 – Cross-Site Request Forgery via toggle_widget

---

Visitor Traffic Real Time Statistics <= 6.7 – Missing Authorization to Information Disclosure

---

WP Inventory Manager <= 2.1.0.13 – Cross-Site Request Forgery via delete_item

---

Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via ‘mf_payment_status’ shortcode

---

Easy Digital Downloads <= 3.1.1.4.2 – Cross-Site Request Forgery via edd_trigger_upgrades

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.