Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 6, 2023 to Mar 12, 2023)

Last week, there were 60 vulnerabilities disclosed in 40 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 16 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and [vulnerability API]() are completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

_[Click here to sign up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._

* * *

### New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

* [Paytium <= 4.3.7 – Missing Authorization]()
* [Yoast SEO <= 20.2 – Authenticated (Contributor+) Stored Cross-Site Scripting]()
* [Slimstat Analytics <= 4.9.3.2 – Authenticated (Subscriber+) SQL Injection via Shortcode]()
* [Paid Memberships Pro <= 2.9.11 – Authenticated (Subscriber+) SQL Injection via Shortcodes]()

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

* * *

### Total Unpatched & Patched Vulnerabilities Last Week

| **Patch Status** | **Number of Vulnerabilities** |
|---|---|
| Unpatched | 3 |
| Patched | 57 |

* * *

### Total Vulnerabilities by CVSS Severity Last Week

| **Severity Rating** | **Number of Vulnerabilities** |
|---|---|
| Low Severity | 0 |
| Medium Severity | 53 |
| High Severity | 6 |
| Critical Severity | 1 |

* * *

### Total Vulnerabilities by CWE Type Last Week

| **Vulnerability Type by CWE** | **Number of Vulnerabilities** |
|---|---|
| Cross-Site Request Forgery (CSRF) | 24 |
| Missing Authorization | 17 |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 9 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Incorrect Privilege Assignment | 1 |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
| Reliance on Untrusted Inputs in a Security Decision | 1 |
| Improper Authorization | 1 |
| Deserialization of Untrusted Data | 1 |
| Information Exposure | 1 |

* * *

### Researchers That Contributed to WordPress Security Last Week

| **Researcher Name** | **Number of Vulnerabilities** |
|---|---|
| [Marco Wotschka (Wordfence Vulnerability Researcher)]() | 15 |
| [Mika]() | 5 |
| [Erwan LR]() | 3 |
| [Rafshanzani Suhada]() | 3 |
| [Rafie Muhammad]() | 2 |
| [yuyudhn]() | 2 |
| [Nguyen Xuan Chien]() | 1 |
| [Nicholas Ferreira]() | 1 |
| [Lana Codes]() | 1 |
| [FearZzZz]() | 1 |
| [Rio Darmawan]() | 1 |
| [Omar Badran]() | 1 |
| [thiennv]() | 1 |
| [Daniel Ruf]() | 1 |
| [Alex Sanford]() | 1 |
| [Abdi Pranata]() | 1 |

_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your discoveries to us will also get your name added to the [Wordfence Intelligence leaderboard]() and mentioned in our weekly vulnerability report.

* * *

### Vulnerability Details

#### [LeadSnap <= 1.23 – Unauthenticated PHP Object Injection via AJAX]()

**CVE ID**: CVE Unknown
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Multiple E-plugins (Various Versions) – Authenticated (Subscriber+) Privilege Escalation]()

**CVE ID**: CVE-2020-36666
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Omar Badran]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Dark Mode <= 4.0.7 – Authenticated (Subscriber+) Local File Inclusion via ‘style’]()

**CVE ID**: CVE-2023-0467
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Alex Sanford]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [GiveWP <= 2.25.1 – Unauthenticated CSV Injection]()

**CVE ID**: CVE-2023-22719
**CVSS Score**: 8.3 (High)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Statistics <= 13.2.16 – Authenticated (Admin+) SQL Injection]()

**CVE ID**: CVE-2023-0955
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘create_mollie_account’]()

**CVE ID**: CVE Unknown
**CVSS Score**: 7.1 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘create_mollie_profile’]()

**CVE ID**: CVE Unknown
**CVSS Score**: 7.1 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Complianz – GDPR/CCPA Cookie Consent <= 6.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-1069
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Weaver Xtreme Theme Support <= 5.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()

**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Cookie Notice & Compliance for GDPR / CCPA <= 2.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘cookies_revoke_shortcode’ Shortcode]()

**CVE ID**: CVE-2023-0823
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Daily Prayer Time <= 2023.03.08 – Authenticated (Contributor+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-27631
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [GiveWP <= 2.25.1 – Authenticated (Author+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2022-40211
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [GiveWP <= 2.25.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via give_form_grid shortcode]()

**CVE ID**: CVE-2023-23668
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [W4 Post List <= 2.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘w4pl[no_items_text]’]()

**CVE ID**: CVE-2023-27413
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [GiveWP <= 2.25.1 – Cross-Site Request Forgery to Cross-Site Scripting via render_dropdown]()

**CVE ID**: CVE Unknown
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Webmention <= 4.0.8 – Reflected Cross-Site Scripting via ‘replytocom’]()

**CVE ID**: CVE Unknown
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Real Estate 7 Theme <= 3.3.4 – Unauthenticated Arbitrary Email Sending]()

**CVE ID**: CVE Unknown
**CVSS Score**: 5.8 (Medium)
**Researcher/s**: [FearZzZz]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Popup box <= 3.4.4 – Reflected Cross-Site Scripting via ‘ays_pb_tab’ Parameter]()

**CVE ID**: CVE-2023-27414
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Nguyen Xuan Chien]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘pt_cancel_subscription’]()

**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘update_profile_preference’]()

**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [HT Easy GA4 ( Google Analytics 4 ) <= 1.0.6 – Cross-Site Request Forgery via plugin_activation]()

**CVE ID**: CVE-2023-23802
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Updraft Plus <= 1.22.24 – Cross-Site Request Forgery via updraft_ajaxrestore]()

**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Daily Prayer Time <= 2023.03.08 – Cross-Site Request Forgery]()

**CVE ID**: CVE-2023-27632
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘paytium_sw_save_api_keys’]()

**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [GiveWP <= 2.25.1 – Cross-Site Request Forgery via process_bulk_action]()

**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [GiveWP <= 2.25.1 – Authenticated (Contributor+) Arbitrary Content Deletion]()

**CVE ID**: CVE-2023-23672
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Mass Delete Unused Tags <= 2.0.0 – Cross-Site Request Forgery via plugin_mass_delete_unused_tags_init]()

**CVE ID**: CVE-2023-27430
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Mass Delete Taxonomies <= 3.0.0 – Cross-Site Request Forgery via mp_plugin_mass_delete_tags_init]()

**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Auto Prune Posts <= 1.8.0 – Cross-Site Request Forgery via admin_menu]()

**CVE ID**: CVE-2023-27423
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Drag and Drop Multiple File Upload PRO <= 2.10.9 – Directory Traversal]()

**CVE ID**: CVE-2023-1112
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Nicholas Ferreira]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Formidable Forms <= 6.0.1 – IP Spoofing via HTTP header]()

**CVE ID**: CVE-2023-0816
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Daniel Ruf]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.6 – Information Exposure]()

**CVE ID**: CVE-2023-1263
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘attach_rule’]()

**CVE ID**: CVE-2023-1343
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘uucss_update_rule’]()

**CVE ID**: CVE-2023-1339
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘attach_rule’]()

**CVE ID**: CVE-2023-1338
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [301 Redirects – Easy Redirect Manager <= 2.72 – Cross-Site Request Forgery via dismiss_notice]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘uucss_update_rule’]()

**CVE ID**: CVE-2023-1344
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘clear_page_cache’]()

**CVE ID**: CVE-2023-1333
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Clone <= 2.3.7 – Cross-Site Request Forgery via wp_ajax_tifm_save_decision]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘clear_uucss_logs’]()

**CVE ID**: CVE-2023-1340
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Popup Maker <= 1.18.0 – Cross-Site Request Forgery via init]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Affiliate Super Assistent <= 1.5.1 – Cross-Site Request Forgery to Settings Update and Cache Clearing]()

**CVE ID**: CVE-2023-27417
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [cformsII <= 15.0.4 – Cross-Site Request Forgery leading to Settings Updates]()

**CVE ID**: CVE-2023-25449
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Side Menu Lite <= 4.0 – Cross-Site Request Forgery to Item Deletion]()

**CVE ID**: CVE-2023-27418
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [thiennv]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Clone <= 2.3.7 – Missing Authorization via wp_ajax_tifm_save_decision]()

**CVE ID**: CVE-2023-25486
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘ucss_connect’]()

**CVE ID**: CVE-2023-1342
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘clear_uucss_logs’]()

**CVE ID**: CVE-2023-1337
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [External Links <= 2.57 – Cross-Site Request Forgery via action_admin_action_wpel_dismiss_notice]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘check_for_verified_profiles’]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘clear_page_cache’]()

**CVE ID**: CVE-2023-1346
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘ajax_deactivate’]()

**CVE ID**: CVE-2023-1336
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [GiveWP <= 2.25.1 – Cross-Site Request Forgery via give_cache_flush]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [GiveWP <= 2.25.1 – Cross-Site Request Forgery via save]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘queue_posts’]()

**CVE ID**: CVE-2023-1345
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘ajax_deactivate’]()

**CVE ID**: CVE-2023-1341
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘paytium_notice_dismiss’]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘ucss_connect’]()

**CVE ID**: CVE-2023-1335
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘check_mollie_account_details’]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘queue_posts’]()

**CVE ID**: CVE-2023-1334
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [GiveWP <= 2.25.1 – Authenticated (Admin+) Server-Side Request Forgery via give_get_content_by_ajax_handler]()

**CVE ID**: CVE-2022-40312
**CVSS Score**: 4.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

_As a reminder, Wordfence has curated an industry-leading vulnerability database, known as [Wordfence Intelligence](), covering all known WordPress core, theme, and plugin vulnerabilities._

_This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using [our CVE Request form](), and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can._

_[Click here to sign up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._

The post [Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 6, 2023 to Mar 12, 2023)]() appeared first on [Wordfence]().