Wordfence Intelligence Weekly WordPress Vulnerability Report (January 15, 2024 to January 21, 2024)

---

🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000,  for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!

---

Last week, there were 84 vulnerabilities disclosed in 67 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 42 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• Popup Builder <= 4.2.2 – Unauthenticated Stored Cross-Site Scripting
• ColorMag <= 3.1.2 – Missing Authorization to Arbitrary Plugin Installation

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	28
Patched	56

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	0
Medium Severity	64
High Severity	13
Critical Severity	7

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	35
Missing Authorization	12
Cross-Site Request Forgery (CSRF)	8
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	6
Information Exposure	4
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	4
Unrestricted Upload of File with Dangerous Type	3
Authorization Bypass Through User-Controlled Key	2
Deserialization of Untrusted Data	2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	2
Improper Access Control	1
Authentication Bypass Using an Alternate Path or Channel	1
Exposure of Private Information (‘Privacy Violation’)	1
URL Redirection to Untrusted Site (‘Open Redirect’)	1
Guessable CAPTCHA	1
Improper Control of Generation of Code (‘Code Injection’)	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Ngô Thiên An (ancorn_)	8
Dimas Maulana	8
wesley (wcraft)	7
Francesco Carlucci	6
emad	5
Le Ngoc Anh	3
Webbernaut	3
Dave Jong	3
Revan Arifio	2
Mika	2
Daniel Ruf	2
kodaichodai	2
Abdi Pranata	2
Asif Nawaz Minhas	2
Sergen Koç	2
Lucio Sá	2
Yudistira Arya	2
Bryan Satyamulya	1
Akbar Kustirama	1
rootxsudip	1
thiennv	1
Skalucy	1
Kang SeoHee	1
drop	1
Muhammad Daffa	1
Bence Szalai	1
Thomas Sanzey	1
Krzysztof Zając	1
Majed Refaea	1
Dmitrii Ignatyev	1
István Márton	1
Joshua Chan	1
vollkorntomate	1
Rafie Muhammad	1
Dateoljo of BoB 12th	1
Dhabaleshwar Das	1
Myungju Kim	1
LVT-tholv2k	1
Ivan Spiridonov (xbz0n)	1
Sean Murphy	1
Nguyen Xuan Chien	1
Bikram Kharal	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
12 Step Meeting List	12-step-meeting-list
AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!	ai-engine
Advanced Custom Fields (ACF)	advanced-custom-fields
Advanced Custom Fields Pro	advanced-custom-fields-pro
Albo Pretorio On line	albo-pretorio-on-line
Asgaros Forum	asgaros-forum
Author Box, Guest Author and Co-Authors for Your Posts – Molongui	molongui-authorship
BA Plus – Before & After Image Slider FREE	ba-plus-before-after-image-slider-free
BP Profile Search	bp-profile-search
Better Anchor Links	better-anchor-links
Booking for Appointments and Events Calendar – Amelia	ameliabooking
Browser Theme Color	browser-theme-color
Burst Statistics – Privacy-Friendly Analytics for WordPress	burst-statistics
CBX Map for Google Map & OpenStreetMap	cbxgooglemap
ChatBot with AI	chatbot
Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms	fluentform
Contact Form builder with drag & drop for WordPress – Kali Forms	kali-forms
Cryptocurrency Widgets – Price Ticker & Coins List	cryptocurrency-price-ticker-widget
Custom Dashboard Widgets	custom-dashboard-widgets
Delhivery Logistics Courier	delhivery-logistics-courier
Display custom fields in the frontend – Post and User Profile Fields	shortcode-to-display-post-and-user-data
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders	essential-addons-for-elementor-lite
FastDup – Fastest WordPress Migration & Duplicator	fastdup
FileBird – WordPress Media Library Folders & File Manager	filebird
Formzu WP	formzu-wp
FreshMail For WordPress	freshmail-integration
Frontpage Manager	frontpage-manager
GeneratePress Premium	generatepress-premium
Getwid – Gutenberg Blocks	getwid
GiveWP – Donation Plugin and Fundraising Platform	give
HD Quiz	hd-quiz
IP2Location Country Blocker	ip2location-country-blocker
Image Tag Manager	image-tag-manager
Import and export users and customers	import-users-from-csv-with-meta
InstaWP Connect – 1-click WP Staging & Migration	instawp-connect
Migration, Backup, Staging – WPvivid	wpvivid-backuprestore
Ninja Tables – Best Data Table Plugin for WordPress	ninja-tables
Orbit Fox by ThemeIsle	themeisle-companion
PDF Viewer & 3D PDF Flipbook – DearPDF	dearpdf-lite
Photo Gallery by 10Web – Mobile-Friendly Image Gallery	photo-gallery
Photo Gallery, Images, Slider in Rbs Image Gallery	robo-gallery
Portfolio & Image Gallery for WordPress | PowerFolio	portfolio-elementor
Post views Stats	post-views-stats
Posts List Designer by Category – List Category Posts Or Recent Posts	post-list-designer
Product Import Export for WooCommerce	product-import-export-for-woo
Shield Security – Smart Bot Blocking & Intrusion Prevention Security	wp-simple-firewall
Simple Membership	simple-membership
SimpleMap Store Locator	simplemap
Slider by Supsystic	slider-by-supsystic
Splashscreen	splashscreen
Stock Locations for WooCommerce	stock-locations-for-woocommerce
Stripe Payment Plugin for WooCommerce	payment-gateway-stripe-and-woocommerce-integration
Unlimited Addons for WPBakery Page Builder	unlimited-addons-for-wpbakery-page-builder
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor	profile-builder
VK Block Patterns	vk-block-patterns
WOLF – WordPress Posts Bulk Editor and Manager Professional	bulk-editor
WP Recipe Maker	wp-recipe-maker
WP To Do	wp-todo
WP-Lister Lite for eBay	wp-lister-for-ebay
WPForms Pro	wpforms
WPZOOM Shortcodes	wpzoom-shortcodes
WooCommerce Subscription	woocommerce-subscriptions
cformsII	cforms2
enigma-chartjs	enigma-chartjs
lasTunes	lastunes
peepso-photos	peepso-photos
salesking	salesking

---

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
ColorMag	colormag

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Asgaros Forum <= 2.7.2 – Unauthenticated PHP Object Injection in prepare_unread_status

---

Stripe Payment Plugin for WooCommerce <= 3.7.9 – Unauthenticated SQL Injection

---

SalesKing <= 1.6.15 – Unauthenticated Privilege Escalation

---

ChatBot <= 5.1.0 – Unauthenticated PHP Object Injection

---

FastDup <= 2.1.9 – Sensitive Information Exposure via Directory Listing

---

Cryptocurrency Widgets – Price Ticker & Coins List 2.0 – 2.6.5 – Unauthenticated SQL Injection

---

Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.19 – Directory Traversal to Arbitrary File Rename

---

InstaWP Connect <= 0.1.0.8 – Missing Authorization to Arbitrary Options Update

---

Delhivery Logistics Courier <= 1.0.107 – Authenticated (Subscriber+) SQL Injection

---

Display custom fields in the frontend – Post and User Profile Fields <= 1.2.1 – Authenticated (Contributor+) Code Injection

---

User Profile Builder <= 3.10.8 – Missing Authorization to Plugin Settings Change via wppb_two_factor_authentication_settings_update

---

Custom Dashboard Widgets <= 1.3.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting via cdw_DashboardWidgets

---

SalesKing <= 1.6.15 – Unauthenticated Sensitive Information Exposure

---

CformsII <= 15.0.5 – Unauthenticated stored Cross-Site Scripting

---

WPForms Pro <= 1.8.5.3 – Unauthenticated Stored Cross-Site Scripting via Form Submission

---

SimpleMap Store Locator <= 2.6.1 – Unauthenticated Stored Cross-Site Scripting

---

Unlimited Addons for WPBakery Page Builder <= 1.0.42 – Authenticated (Editor+) Arbitrary File Upload

---

Product Import Export for WooCommerce <= 2.3.7 – Authenticated(Shop Manager+) Arbitrary File Upload via upload_import_file

---

Burst Statistics Really Simple Plugins <= 1.5.3 – Authenticated (Editor+) SQL Injection

---

Shield Security <= 18.5.7 – Unauthenticated Stored Cross-Site Scripting via getColumnContent_Page

---

AI Engine <= 2.1.4 – Authenticated(Editor+) Arbitrary File Upload via add_image_from_url

---

Contact Form builder with drag & drop – Kali Forms <= 2.3.38 – Insecure Direct Object Reference

---

Splashscreen <= 0.20 – Cross-Site Request Forgery

---

Amelia <= 1.0.96 – Missing Authorization

---

lasTunes <= 3.6.1 – Cross-Site Request Forgery

---

Better Anchor Links <= 1.7.5 – Cross-Site Request Forgery via admin/options.php

---

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.4 – Authenticated (Contributor+) Stored Cross-Site Scritping

---

SalesKing <= 1.6.15 – Missing Authorization to Settings Change

---

ColorMag <= 3.1.2 – Missing Authorization to Arbitrary Plugin Installation

---

Browser Theme Color <= 1.3 – Cross-Site Request Forgery via btc_settings_page

---

Robo Gallery <= 3.2.17 – Authenticated (Author+) Stored Cross-Site Scripting

---

WP To Do <= 1.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

WP Recipe Maker <= 9.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via header_tag

---

CBX Map for Google Map & OpenStreetMap <= 1.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Display custom fields in the frontend – Post and User Profile Fields <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via vg_display_data

---

PDF Viewer & 3D PDF Flipbook – DearPDF <= 2.0.38 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Posts List Designer by Category – List Category Posts Or Recent Posts <= 3.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Formzu WP <= 1.6.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

PDF Viewer & 3D PDF Flipbook – DearPDF <= 2.0.38 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

WP Recipe Maker <= 9.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via icon_color

---

WP Recipe Maker <= 9.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Recipe Notes

---

Post Grid, Image Gallery & Portfolio for Elementor | PowerFolio <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

---

Albo Pretorio Online <= 4.6.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

GeneratePress Premium <= 2.3.2 – Authenticated(Contributor+) Stored Cross-Site Scripting via Custom Meta

---

WP Recipe Maker <= 9.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘tag’

---

Booking for Appointments and Events Calendar – Amelia <= 1.0.93 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

---

GiveWP <= 3.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Advanced Custom Fields <= 6.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

---

WP Recipe Maker <= 9.1.0 – Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

---

Orbit Fox by ThemeIsle <= 2.10.27 – Authenticated(Contributor+) Stored Cross-site Scripting via Pricing Table Elementor Widget

---

PeepSo Core: Photos < 6.3.1.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting

---

WOLF <= 1.0.8 – Unauthenticated Stored Cross-Site Scripting via profile_title

---

WP Recipe Maker <= 9.1.0 – Reflected Cross-Site Scripting via Referer

---

BA Plus <= 1.0.3 – Reflected Cross-Site Scripting

---

Post views Stats <= 1.3 – Reflected Cross-Site Scripting via from and to

---

WP-Lister Lite for eBay <= 3.5.7 – Reflected Cross-Site Scripting via ‘s’

---

BP Profile Search <= 5.5 – Reflected Cross-Site Scripting via BPS_FORM

---

Simple Membership <= 4.4.1 – Open Redirect

---

WPZOOM Shortcodes <= 1.0.1 – Reflected Cross-Site Scripting

---

Image Tag Manager <= 1.5 – Reflected Cross-Site Scripting via default_class

---

FileBird <= 5.6.0 – Authenticated(Administrator+) Stored Cross-Site Scripting via Folder Import

---

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Image URl

---

WP Recipe Maker <= 9.1.0 – Directory Traversal

---

IP2Location Country Blocker <= 2.33.3 – Unauthenticated Sensitive Information Exposure via Debug Log File

---

Albo Pretorio Online <= 4.6.6 – Unauthenticated Sensitive Information Disclosure

---

Import and export users and customers <= 1.24.6 – Missing Authorization via fire_cron REST endpoint

---

Author Box, Guest Author and Co-Authors for Your Posts – Molongui <= 4.7.4 – Information Exposure via ma_debug

---

12 Step Meeting List <= 3.14.26 – Missing Authorization

---

Ninja Tables <= 5.0.5 – Missing Authorization

---

Ninja Tables <= 5.0.5 – Missing Authorization

---

Getwid – Gutenberg Blocks <= 2.0.4 – Captcha Bypass

---

Fluent Forms <= 5.1.5 – Authenticated(Administrator+) Stored Cross-Site Scripting via imported form title

---

Chartjs <= 2023.2 – Authenticated(Editor+) Stored Cross-Site Scripting

---

Chartjs <= 2023.2 – Authenticated(Editor+) Stored Cross-Site Scripting via chart

---

HD Quiz <= 1.8.11 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

---

Stock Locations for WooCommerce <= 2.5.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

---

Display custom fields in the frontend – Post and User Profile Fields <= 1.2.1 – Insecure Direct Object Reference to Authenticated (Contributor+) Post Meta Disclosure

---

FreshMail For WordPress <= 2.3.2 – Cross-Site Request Forgery

---

Slider by Supsystic <= 1.8.6 – Missing Authorization

---

Getwid – Gutenberg Blocks <= 2.0.4 – Missing Authorization to Recaptcha API Key Modification

---

Frontpage Manager <= 1.3 – Cross-Site Request Forgery via admin_page

---

VK Block Patterns <= 1.31.1.1 – Cross-Site Request Forgery

---

WPvivid <= 0.9.94 – Missing Authorization

---

WooCommerce Subscriptions < 5.8.0 – Missing Authorization

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.