Vulnerability Advisories

Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence assigns CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes.

Assigned CVE IDs and the vulnerability details are published below. For more information about submitting vulnerabilities to Wordfence for CVE ID assignment, please refer to our vulnerability disclosure policy.


GTranslate <= 2.8.64 – Reflected Cross-Site Scripting

Affected Plugin: GTranslate
Plugin Slug: gtranslate
Affected Versions: <= 2.8.64
CVE ID: CVE-2021-346310
CVSS Score: 5.0 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Researcher/s: N/A
Fully Patched Version: 2.8.65
Recommended Remediation: Update to the latest version available.
Publication Date: 2021-07-23

In the Pro and Enterprise versions of GTranslate < 2.8.65, the gtranslate_request_uri_var function runs at the top of all pages and echoes out the contents of $_SERVER['REQUEST_URI']. Although the function uses addslashes, and most modern browsers automatically URL-encode requests, the plugin is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below, in cases where an attacker is able to modify the request en route between the client and the server, or in cases where the user is using an atypical browsing solution.


NewsPlugin <= 1.0.18 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Plugin: NewsPlugin
Plugin Slug: newsplugin
Affected Versions: <= 1.0.18
CVE ID: CVE-2021-34631
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Taichi Ichimura, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Publication Date: 2021-07-21

In versions up to and including 1.0.18, the NewsPlugin WordPress plugin is vulnerable to Cross-Site Request Forgery via the handle_save_style function in the ~/news-plugin.php file, which allows attackers to inject arbitrary web scripts.


SendGrid <= 1.11.8 – Authorization Bypass

Affected Plugin: SendGrid
Plugin Slug: sendgrid-email-delivery-simplified
Affected Versions: <= 1.11.8
CVE ID: CVE-2021-34629
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Researcher/s: Prashant Baldha
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Publication Date: 2021-07-21

In versions up to and including 1.11.8, the SendGrid WordPress plugin is vulnerable to authorization bypass via the get_ajax_statistics function in the ~/lib/class-sendgrid-statistics.php file, which allows authenticated users to export statistics for a WordPress multi-site main site. This vulnerability only affects the main site of WordPress multi-site installations.


WP Upload Restriction <= 2.2.3 – Authenticated Stored Cross-Site Scripting

Affected Plugin: WP Upload Restriction
Plugin Slug: wp-upload-restriction
Affected Versions: <= 2.2.3
CVE ID: CVE-2021-34625
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Angelo Righi
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.

Missing access control in the saveCustomType function allows authenticated users, such as subscribers, to add MIME types and extensions through unsanitized parameters, making it possible to inject malicious web scripts that later execute when an administrator visits the extensions page.


WP Upload Restriction <= 2.2.3 – Missing Access Control in deleteCustomType function

Affected Plugin: WP Upload Restriction
Plugin Slug: wp-upload-restriction
Affected Versions: <= 2.2.3
CVE ID: CVE-2021-34626
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: N/A
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.

Missing access control in the deleteCustomType function allows authenticated users, such as subscribers, to delete custom extensions.


WP Upload Restriction <= 2.2.3 – Missing Access Control in getSelectedMimeTypesByRole function

Affected Plugin: WP Upload Restriction
Plugin Slug: wp-upload-restriction
Affected Versions: <= 2.2.3
CVE ID: CVE-2021-34627
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Researcher/s: N/A
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.

Missing access control in the getSelectedMimeTypesByRole function allows authenticated users, such as subscribers, to retrieve approved MIME types for any given role.


ProfilePress 3.0 – 3.1.3 – Unauthenticated Privilege Escalation

Affected Plugin: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)
Plugin Slug: wp-user-avatar
Affected Versions: 3.0 – 3.1.3
CVE ID: CVE-2021-34621
CVSS Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1.4
Recommended Remediation: Update to version 3.1.4 or newer

During user registration, users could supply arbitrary user meta data that would get updated during the registration process, making it possible for anyone to register as an administrator.


ProfilePress 3.0 – 3.1.3 – Authenticated Privilege Escalation

Affected Plugin: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)
Plugin Slug: wp-user-avatar
Affected Versions: 3.0 – 3.1.3
CVE ID: CVE-2021-34622
CVSS Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1.4
Recommended Remediation: Update to version 3.1.4 or newer

During user profile updates, users could supply arbitrary user meta data that would get updated, making it possible for anyone to escalate their privileges to that of an administrator.


ProfilePress 3.0 – 3.1.3 – Arbitrary File Upload in Image Uploader Component

Affected Plugin: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)
Plugin Slug: wp-user-avatar
Affected Versions: 3.0 – 3.1.3
CVE ID: CVE-2021-34623
CVSS Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1.4
Recommended Remediation: Update to version 3.1.4 or newer

The image uploader component used to upload profile photos and user cover photos was vulnerable to arbitrary file uploads due to insufficient file type validation.


ProfilePress 3.0 – 3.1.3 – Arbitrary File Upload in File Uploader Component

Affected Plugin: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)
Plugin Slug: wp-user-avatar
Affected Versions: 3.0 – 3.1.3
CVE ID: CVE-2021-34624
CVSS Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1.4
Recommended Remediation: Update to version 3.1.4 or newer

The file uploader component used to upload files during registration was vulnerable to arbitrary file uploads due to insufficient file type validation.


WP Fluent Forms <= 3.6.65 – CSRF to Stored XSS

Affected Plugin: WP Fluent Forms
Plugin Slug: fluentform
Affected Versions: < 3.6.67
CVE ID: CVE-2021-34620
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 3.6.67
Recommended Remediation: Update to version 3.6.67 or newer.

This plugin is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions.


WooCommerce Stock Manager <= 2.5.7 – CSRF to Arbitrary File Upload

Affected Plugin: WooCommerce Stock Manager
Plugin Slug: woocommerce-stock-manager
Affected Versions: <= 2.5.7
CVE ID: CVE-2021-34619
CVSS Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 2.6.0
Recommended Remediation: Update to version 2.6.0 or newer.

This plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin/views/import-export.php file.