Wordfence Intelligence Weekly WordPress Vulnerability Report (July 24, 2023 to July 30, 2023)

Last week, there were 64 vulnerabilities disclosed in 66 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates via API

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	34
Patched	30

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	2
Medium Severity	54
High Severity	6
Critical Severity	2

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Missing Authorization	18
Cross-Site Request Forgery (CSRF)	18
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	16
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	3
Server-Side Request Forgery (SSRF)	2
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)	1
Authorization Bypass Through User-Controlled Key	1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)	1
Improper Authorization	1
Protection Mechanism Failure	1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	1
Use of Hard-coded Cryptographic Key	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Abdi Pranata	7
Mika	7
Rafie Muhammad	5
Skalucy	3
Lana Codes (Wordfence Vulnerability Researcher)	3
longxi	3
Nguyen Xuan Chien	2
yuyudhn	2
Dipak Panchal	2
Chloe Chamberland (Wordfence Vulnerability Researcher)	2
Junsu Yeo	1
Cat	1
TaeEun Lee	1
Emili Castells	1
Truoc Phan	1
konagash	1
Dmitriy	1
Christiaan Swiers	1
Stephen	1
Muhammad Daffa	1
LOURCODE	1
Bob Matyas	1
Yuchen Ji	1
Phd	1
Muhamad Arsyad	1
Marco Wotschka (Wordfence Vulnerability Researcher)	1
Jonas Höbenreich	1
Marc-Alexandre Montpas	1
Rio Darmawan	1
PetiteMais	1
LEE SE HYOUNG	1
thiennv	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
ACF Photo Gallery Field	navz-photo-gallery
AGP Font Awesome Collection	agp-font-awesome-collection
APIExperts Square for WooCommerce	woosquare
Assistant – Every Day Productivity Apps	assistant
Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors – Molongui	molongui-authorship
Backup Migration	backup-backup
Banner Management For WooCommerce	banner-management-for-woocommerce
Blog2Social: Social Media Auto Post & Scheduler	blog2social
Booster Elementor Addons	booster-for-elementor
Change WP Admin Login	change-wp-admin-login
Chat Button: WhatsApp Chat, Facebook Messenger, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget	bit-assist
Church Admin	church-admin
Clone	wp-clone-by-wp-academy
CodeBard’s Patron Button and Widgets for Patreon	patron-button-and-widgets-by-codebard
Contact Form Builder by Bit Form – Easiest Contact Form, Payment Form, Order Form, Calculator Form Builder Plugin for WordPress	bit-form
Custom Field For WP Job Manager	custom-field-for-wp-job-manager
Custom Field Template	custom-field-template
Discussion Board – WordPress Forum Plugin	wp-discussion-board
Donations Made Easy – Smart Donations	smart-donations
Duplicate Post	copy-delete-posts
Enhanced Text Widget	enhanced-text-widget
Fraud Prevention For Woocommerce	woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers
Google Map Shortcode	google-map-shortcode
HTTP Auth	http-auth
InstaWP Connect – 1-click WP Staging & Migration (beta)	instawp-connect
Instant CSS	instant-css
LWS Affiliation	lws-affiliation
Local Development	local-development
Meks Smart Social Widget	meks-smart-social-widget
Mobile Address Bar Changer	mobile-address-bar-changer
MultiParcels Shipping For WooCommerce	multiparcels-shipping-for-woocommerce
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress	ninja-forms
Optimize Database after Deleting Revisions	rvg-optimize-database
Perelink Pro	perelink
Pop-up	pop-up-pop-up
Post to Google My Business (Google Business Profile)	post-to-google-my-business
QR code MeCard/vCard generator	wp-qrcode-me-v-card
Quasar form free – Contact Form Builder for WordPress	quasar-form
RSS Redirect & Feedburner Alternative	feedburner-alternative-and-rss-redirect
Redirection	redirect-redirection
Remove Duplicate Posts	remove-duplicate-posts
SSL Mixed Content Fix	http-https-remover
Saphali Woocommerce Lite	saphali-woocommerce-lite
Schema Pro	wp-schema-pro
Simple Author Box	simple-author-box
Simple Googlebot Visit	simple-googlebot-visit
Simple Wp Sitemap	simple-wp-sitemap
Slider Carousel – Responsive Image Slider	slider-images
Social Media Share Buttons & Social Sharing Icons	ultimate-social-media-icons
Social Share Icons & Social Share Buttons	ultimate-social-media-plus
Taboola	taboola
The Events Calendar	the-events-calendar
Ultimate Posts Widget	ultimate-posts-widget
Update Theme and Plugins from Zip File	update-theme-and-plugins-from-zip-file
User Activity Log	user-activity-log
User Email Verification for WooCommerce	woo-confirmation-email
Video Conferencing with Zoom	video-conferencing-with-zoom-api
WP Clone Menu	clone-menu
WP Quick Post Duplicator	wp-quick-post-duplicator
WPS Limit Login	wps-limit-login
Web Accessibility By accessiBe	accessibe
WordPress Database Administrator	wp-database-admin
cartflows-pro	cartflows-pro
tagDiv Composer	td-composer
wp tell a friend popup form	wp-tell-a-friend-popup-form
wpml-string-translation	wpml-string-translation

---

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
nsc	nsc
winters	winters
yourjourney	yourjourney

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

InstaWP Connect <= 0.0.9.18 – Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactication via events_receiver

---

LWS Affiliation <= 2.2.6 – Unauthenticated Remote/Local File Inclusion

---

Quasar form <= 6.1 – Authenticated (Subscriber+) SQL Injection via ‘id’

---

User Activity Log <= 1.6.4 – Unauthenticated SQL Injection

---

WordPress Database Administrator <= 1.0.3 – Authenticated (Administrator+) SQL Injection

---

WPML String Translation <= 3.2.5 – Authenticated (Administrator+) SQL Injection via ‘context’

---

MultiParcels Shipping For WooCommerce <= 1.15.4 – Unauthenticated Stored Cross-Site Scripting

---

Molongui <= 4.6.19 – Unauthenticated Stored Cross-Site Scripting

---

Booster Elementor Addons <= 1.4.9 – Missing Authorization

---

Ninja Forms <= 3.6.25 – Reflected Cross-Site Scripting via ‘data’

---

tagDiv Composer <= 4.1 – Cross-Site Request Forgery to Cross-Site Scripting

---

User Email Verification for WooCommerce <= 3.5.0 – Reflected Cross-Site Scripting

---

CodeBard’s Patron Button and Widgets for Patreon <= 2.1.8 – Reflected Cross-Site Scripting via ‘site_account’

---

nsc <= 1.0 – Prototype Pollution to Reflected Cross-Site Scripting

---

Winters <= 1.4.3 – Prototype Pollution to Reflected Cross-Site Scripting

---

Custom Field Template <= 2.5.9 – Reflected Cross-Site Scripting

---

Blog2Social: Social Media Auto Post & Scheduler <= 7.2.0 – Reflected Cross-Site Scripting

---

AGP Font Awesome Collection <= 3.2.4 – Reflected Cross-Site Scripting

---

Your Journey <= 1.9.8 – Prototype Pollution to Reflected Cross-Site Scripting

---

Church Admin <= 3.7.56 – Server-Side Request Forgery via church_admin_import_csv

---

Assistant <= 1.4.3 – Authenticated (Editor+) Server Side Request Forgery

---

WP Quick Post Duplicator <= 1.0 – Missing Authorization

---

Discussion Board <= 2.4.8 – Authenticated (Subscriber+) Content Injection

---

wp tell a friend popup form <= 7.1 – Cross-Site Request Forgery via ‘TellAFriend_admin’

---

HTTP Auth <= 0.3.2 – Cross-Site Request Forgery

---

Schema Pro <= 2.7.8 – Authenticated(Contributor+) Missing Authorization

---

Saphali Woocommerce Lite <= 1.8.13 – Cross-Site Request Forgery via ‘woocommerce_saphali_page_s_l’

---

WP Clone Menu <= 1.0.1 – Missing Authorization to Menu Clone

---

APIExperts Square for WooCommerce <= 4.2.8 – Missing Authorization

---

Ninja Forms <= 3.6.25 – Missing Authorization to Contributor+ Form Submission Export

---

Change WP Admin Login <= 1.1.3 – Protection Mechanism Failure to Login Page Disclosure

---

Instant CSS <= 1.1.4 – Missing Authorization via AJAX Actions

---

Slider Carousel – Responsive Image Slider <= 1.5.0 – Missing Authorization

---

Meks Smart Social Widget <= 1.6 – Missing Authorization to notice dimissal

---

Custom Field For WP Job Manager <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Contact Form Builder by Bit Form <= 2.1.0 – Authenticated (Admin+) Stored Cross-Site Scripting

---

Web Accessibility By accessiBe <= 1.15 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

wp tell a friend popup form <= 7.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Bit Assist <= 1.1.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Remove Duplicate Posts <= 1.3.4 – Missing Authorization to Post Deletion

---

Donations Made Easy – Smart Donations <= 4.0.12 – Missing Authorization

---

Woocommerce Category Banner Management <= 2.4.1 – Cross-Site Request Forgery

---

Simple Author Box <= 2.51 – Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary User Sensitive Information Exposure

---

Mobile Address Bar Changer <= 3.0 – Cross-Site Request Forgery to Settings Update

---

Meks Smart Social Widget <= 1.6 – Cross-Site Request Forgery via meks_remove_notification

---

Simple Wp Sitemap <= 1.2.1 – Cross-Site Request Forgery

---

Optimize Database after Deleting Revisions <= 5.0.110 – Cross-Site Request Forgery via ‘odb_start_manually’

---

Perelink Pro <= 2.1.4 – Cross-Site Request Forgery to Settings Update

---

ACF Photo Gallery Field <= 1.9 – Authenticated (Subscriber+) Arbitrary Usermeta Update

---

QR code MeCard/vCard generator <= 1.6.0 – Missing Authorization via wqm_make_url_permanent

---

Taboola <= 2.0.1 – Cross-Site Request Forgery to Plugin Settings Update

---

Inisev Plugins (Various Versions) – Cross-Site Request Forgery on handle_installation function

---

Simple Googlebot Visit <= 1.2.4 – Missing Authorization to Settings Update

---

Post to Google My Business <= 3.1.14 – Cross-Site Request Forgery to Dismiss Notification

---

The Events Calendar <= 6.1.2.2 – Missing Authorization

---

Inisev Plugins (Various Versions) – Missing Authorization on handle_installation function

---

CartFlows Pro <= 1.11.12 – Cross-Site Request Forgery

---

Ninja Forms <= 3.6.25 – Missing Authorization to Form Submission Export

---

Google Map Shortcode <= 3.1.2 – Cross-Site Request Forgery to Plugin Setting Update

---

Update Theme and Plugins from Zip File <= 2.0.0 – Cross-Site Request Forgery

---

Woocommerce Blocker Lite <= 2.1.4.1 – Cross-Site Request Forgery

---

Local Development <=2.8.2 – Cross-Site Request Forgery to Settings Update

---

WPS Limit Login <= 1.5.6 – Race Condition

---

Video Conferencing with Zoom <= 4.2.1 – Sensitive Information Exposure

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.