Wordfence Intelligence Weekly WordPress Vulnerability Report (October 30, 2023 to November 5, 2023)

🎉Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, there were 79 vulnerabilities disclosed in 64 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 22 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Indivudals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• 10Web Booster <= 2.24.14 – Unauthenticated Arbitrary Option Deletion
• WooODT Lite <= 2.4.6 – Missing Authorization to Arbitrary Options Update
• MStore API <= 4.10.7 – Unauthorized Account Access and Privilege Escalation

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	15
Patched	64

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	0
Medium Severity	54
High Severity	23
Critical Severity	2

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	23
Missing Authorization	19
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	16
Cross-Site Request Forgery (CSRF)	13
Unrestricted Upload of File with Dangerous Type	2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	2
Protection Mechanism Failure	2
Improper Control of Generation of Code (‘Code Injection’)	1
Authorization Bypass Through User-Controlled Key	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Lana Codes (Wordfence Vulnerability Researcher)	22
Alex Thomas (Wordfence Vulnerability Researcher)	14
Abdi Pranata	7
Marco Wotschka (Wordfence Vulnerability Researcher)	4
yuyudhn	4
Duc Manh	4
Naveen Muthusamy	2
Mika	2
Ala Arfaoui	2
Vladislav Pokrovsky	1
DoYeon Park (p6rkdoye0n)	1
Emili Castells	1
Rachit Arora	1
Revan Arifio	1
dc11	1
NGÔ THIÊN AN (ancorn_)	1
Rafie Muhammad	1
Brandon James Roldan	1
lttn	1
thiennv	1
Cat	1
Huynh Tien Si	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
AI ChatBot	chatbot
Admin Bar & Dashboard Access Control	admin-bar-dashboard-control
Ads by datafeedr.com	ads-by-datafeedrcom
Advance Menu Manager	advance-menu-manager
Animated Rotating Words (Interchanging Random Words in a Sentence)	css3-rotating-words
Apollo13 Framework Extensions	apollo13-framework-extensions
Auto Publish for Google My Business	wp-google-my-business-auto-publish
Basic Interactive World Map	basic-interactive-world-map
Comments Ratings	comments-ratings
Comments – wpDiscuz	wpdiscuz
Decorator – WooCommerce Email Customizer	decorator-woocommerce-email-customizer
Defender Security – Malware Scanner, Login Security & Firewall	defender-security
Digirisk	digirisk
Drag and Drop Multiple File Upload – Contact Form 7	drag-and-drop-multiple-file-upload-contact-form-7
Easy PayPal Shopping Cart	easy-paypal-shopping-cart
Email Templates Customizer and Designer for WordPress and WooCommerce	email-templates
Finale Lite – Sales Countdown Timer & Discount for WooCommerce	finale-woocommerce-sales-countdown-timer-discount
Gift Up Gift Cards for WordPress and WooCommerce	gift-up
GiveWP – Donation Plugin and Fundraising Platform	give
HTML filter and csv-file search	hk-filter-and-search
Icons Font Loader	icons-font-loader
IdeaPush	ideapush
Image horizontal reel scroll slideshow	image-horizontal-reel-scroll-slideshow
Image vertical reel scroll slideshow	image-vertical-reel-scroll-slideshow
Information Reel	information-reel
Interact: Embed A Quiz On Your Site	interact-quiz-embed
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free	funnelforms-free
Jquery accordion slideshow	jquery-accordion-slideshow
Jquery news ticker	jquery-news-ticker
Kadence WooCommerce Email Designer	kadence-woocommerce-email-designer
Layer Slider	slider-slideshow
Left right image slideshow gallery	left-right-image-slideshow-gallery
Linker	linker
Live updates from Excel	ipushpull
Message ticker	message-ticker
Popup with fancybox	popup-with-fancybox
Post Sliders & Post Grids	post-slider-carousel
Product Catalog Mode For Woocommerce	woocommerce-catalog-enquiry
SEO Slider	seo-slider
Short URL	shorten-url
ShortCodes UI	shortcodes-ui
Social Feed | All social media in one place	add-facebook
Solid Security – Password, Two Factor Authentication, and Brute Force Protection	better-wp-security
Superb slideshow gallery	superb-slideshow-gallery
The Plus Addons for Elementor Page Builder	theplus_elementor_addon
Top 10 – WordPress Popular posts by WebberZone	top-10
Top 25 Social Icons	top-25-social-icons
Up down image slideshow gallery	up-down-image-slideshow-gallery
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress	userswp
Vertical marquee plugin	vertical-marquee-plugin
WP Affiliate Disclosure	wp-affiliate-disclosure
WP Customer Reviews	wp-customer-reviews
WP Meta and Date Remover	wp-meta-and-date-remover
WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine	wp-travel
WP fade in text news	wp-fade-in-text-news
WooODT Lite – WooCommerce Order Delivery or Pickup with Date Time Location	byconsole-woo-order-delivery-time
Wp anything slider	wp-anything-slider
Wp photo text slider 50	wp-photo-text-slider-50
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress	youzify
iPages Flipbook For WordPress	ipages-flipbook
idbbee	idbbee
iframe forms	iframe-forms
video carousel slider with lightbox	wp-responsive-video-gallery-with-lightbox
wp image slideshow	wp-image-slideshow

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

The Plus Addons for Elementor Pro <= 5.2.8 – Unauthenticated Local File Inclusion

---

Ads by datafeedr.com <= 1.1.3 – Unauthenticated (Limited) Remote Code Execution

---

Image vertical reel scroll slideshow <= 9.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

Jquery accordion slideshow <= 8.1 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

Image horizontal reel scroll slideshow <= 13.2 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

Up down image slideshow gallery <= 12.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

Superb slideshow gallery <= 13.1 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

Jquery news ticker <= 3.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

Wp photo text slider 50 <= 8.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

Wp anything slider <= 9.1 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

Information Reel <= 10.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

Left right image slideshow gallery <= 12.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

wp image slideshow <= 12.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

WooODT Lite <= 2.4.6 – Missing Authorization to Arbitrary Options Update

---

WP fade in text news <= 12.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

Popup with fancybox <= 3.5 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

Vertical marquee plugin <= 7.1 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

Message ticker <= 9.2 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

HTML filter and csv-file search <= 2.7 – Authenticated (Contributor+) Local File Inclusion via Shortcode

---

Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.7.3 – Unauthenticated Arbitrary File Upload

---

Finale Lite <= 2.16.0 – Missing Authorization to Content Deletion

---

WP Travel <= 7.5.0 – Missing Authorization via Multiple AJAX Actions

---

wpDiscuz <= 7.6.11 – Unauthenticated Stored Cross-Site Scripting via Comment Uploaded Image Filename

---

Icons Font Loader <= 1.1.2 – Authenticated (Administrator+) Arbitrary File Upload

---

iPages Flipbook < 1.5.0 – Authenticated (Administrator+) SQL Injection

---

Funnelforms Free <= 3.4 – Missing Authorization to Arbitrary Post Deletion

---

Funnelforms Free <= 3.4 – Cross-Site Request Forgery to Arbitrary Post Deletion

---

Youzify <= 1.2.2 – Insecure Direct Object Reference

---

Short URL <= 1.6.8 – Missing Authorization via multiple AJAX functions

---

HTML filter and csv-file search <= 2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

SEO Slider <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

WP Meta and Date Remover < 2.2.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting via settings

---

Linker <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Apollo13 Framework Extensions <= 1.9.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Gift Up Gift Cards for WordPress and WooCommerce <= 2.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Interact: Embed A Quiz On Your Site <= 3.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

iframe forms <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via iframe Shortcode

---

Live updates from Excel <= 2.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Download Top 25 Social Icons <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Easy PayPal Shopping Cart <= 1.1.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

ShortCodes UI <= 1.9.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Digirisk 6.0.0.0 – Reflected Cross-Site Scripting

---

GiveWP <= 2.33.3 – Cross-Site Request Forgery to Stripe Integration Deletion

---

Auto Publish for Google My Business <= 3.7 – Cross-Site Request Forgery

---

idbbee <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

GiveWP <= 2.33.3 – Cross-Site Request Forgery to plugin deactivation

---

GiveWP <= 2.33.1 – Missing Authorization via handleBeforeGateway

---

Defender Security <= 4.2.0 – Masked Login Area Security Feature Bypass

---

Solid Security Basic <= 9.0.0 – Unauthenticated Login Page Disclosure

---

Post Sliders & Post Grids <= 1.0.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Basic Interactive World Map <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

IdeaPush <= 8.46 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Admin Bar & Dashboard Control <= 1.2.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Social Feed | All social media in one place <= 1.5.4.6 – Authenticated (Administrator+) Stored Cross-Site Scripting]

---

Comments Ratings <= 1.1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Layer Slider <= 1.1.9.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

ChatBot 4.8.6 – 4.9.6 – Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder

---

Advance Menu Manager <= 3.0.6 – Missing Authorization

---

WP Affiliate Disclosure <= 1.2.6 – Cross-Site Request Forgery via check_capability

---

Funnelforms Free <= 3.4 – Missing Authorization to Category Update

---

Animated Rotating Words <= 5.4 – Cross-Site Request Forgery via save_admin_options

---

WP Customer Reviews <= 3.6.6 – Authenticated (Subscriber+) Sensitive Information Exposure

---

UsersWP <= 1.2.3.22 – Cross-Site Request Forgery

---

Animated Rotating Words <= 5.4 – Missing Authorization via save_admin_options

---

Funnelforms Free <= 3.4 – Missing Authorization to Test Email Sending

---

Funnelforms Free <= 3.4 – Missing Authorization to New Category Creation

---

Kadence WooCommerce Email Designer <= 1.5.11 – Cross-Site Request Forgery

---

Top 10 <= 3.3.2 – Cross-Site Request Forgery via edit_count_ajax

---

Funnelforms Free <= 3.4 – Missing Authorization to Post Modification

---

Funnelforms Free <= 3.4 – Missing Authorization to Category Deletion

---

Funnelforms Free <= 3.4 – Missing Authorization to Enable/Disable Dark Mode

---

Advance Menu Manager <= 3.0.6 – Cross-Site Request Forgery

---

Funnelforms Free <= 3.4 – Cross-Site Request Forgery to Arbitrary Post Duplication

---

Decorator – WooCommerce Email Customizer <= 1.2.7 – Cross-Site Request Forgery

---

video carousel slider with lightbox 1.0 – Cross-Site Request Forgery

---

GiveWP <= 2.33.3 – Cross-Site Request Forgery to plugin installation

---

Funnelforms Free <= 3.4 – Missing Authorization to Arbitrary Post Duplication

---

Product Catalog Enquiry <= 5.0.2

---

Email Templates <= 1.4.2 – Cross-Site Request Forgery via send_test_email

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.