Last week, there were 92 vulnerabilities disclosed in 76 WordPress Plugins and 7 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 34 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.
_[Click here to sign up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._
* * *
### New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
* [UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 – Privilege Escalation via updraft_central_ajax_handler]()
* WAF-RULE-565 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
* * *
### Total Unpatched & Patched Vulnerabilities Last Week
**Patch Status** | **Number of Vulnerabilities**
---|---
Unpatched | 44
Patched | 48
* * *
### Total Vulnerabilities by CVSS Severity Last Week
**Severity Rating** | **Number of Vulnerabilities**
---|---
Low Severity | 0
Medium Severity | 80
High Severity | 11
Critical Severity | 1
* * *
### Total Vulnerabilities by CWE Type Last Week
**Vulnerability Type by CWE** | **Number of Vulnerabilities**
---|---
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 37
Cross-Site Request Forgery (CSRF) | 34
Missing Authorization | 13
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3
Information Exposure | 3
Server-Side Request Forgery (SSRF) | 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1
* * *
### Researchers That Contributed to WordPress Security Last Week
**Researcher Name** | **Number of Vulnerabilities**
---|---
[Lana Codes]() | 10
[Rio Darmawan]() | 7
[Dave Jong]() | 6
[rezaduty]() | 5
[Mika]() | 4
[minhtuanact]() | 3
[Rafie Muhammad]() | 3
[yuyudhn]() | 3
[Rafshanzani Suhada]() | 3
[Nithissh S]() | 3
[Aman Rawat]() | 2
[Marco Wotschka]() | 2
[Cat]() | 2
[TEAM WEBoB of BoB 11th]() | 2
[Prasanna V Balaji]() | 2
[Daniel Kelley]() | 2
[Ayoub Safa]() | 2
[Muhammad Daffa]() | 2
[FearZzZz]() | 1
[Bhuvanesh Jayaprakash]() | 1
[Erwan LR]() | 1
[Etan Imanol Castro Aldrete]() | 1
[Dimas Aprilianto]() | 1
[dc11]() | 1
[Shreya Pohekar]() | 1
[Justiice]() | 1
[Nguyen Anh Tien]() | 1
[Vinay Kumar]() | 1
[Abdi Pranata]() | 1
[Brandon James Roldan]() | 1
[Pavak Tiwari]() | 1
[n0paew]() | 1
[Fariq Fadillah Gusti Insani]() | 1
[Le Ngoc Anh]() | 1
_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence leaderboard]() along with being mentioned in our weekly vulnerability report.
* * *
### WordPress Plugins with Reported Vulnerabilities Last Week
**Software Name** | **Software Slug**
---|---
Admin side data storage for Contact Form 7 | [admin-side-data-storage-for-contact-form-7]()
Auto Rename Media On Upload | [auto-rename-media-on-upload]()
Backup Bank: WordPress Backup Plugin | [wp-backup-bank]()
Be POPIA Compliant | [be-popia-compliant]()
Branda – White Label WordPress, Custom Login Page Customizer | [branda-white-labeling]()
Bulk Resize Media | [bulk-resize-media]()
CF7 Invisible reCAPTCHA | [cf7-invisible-recaptcha]()
CMS Press | [cms-press]()
Calendar Event Multi View | [cp-multi-view-calendar]()
Chronoforms | [chronoforms]()
Contact Form 7 Redirect & Thank You Page | [cf7-redirect-thank-you-page]()
Contact Form 7 – PayPal & Stripe Add-on | [contact-form-7-paypal-add-on]()
Contact Form Email | [contact-form-to-email]()
Custom Options Plus | [custom-options-plus]()
Customify – Intuitive Website Styling | [customify]()
Data Tables Generator by Supsystic | [data-tables-generator-by-supsystic]()
Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard | [drag-n-drop-upload-cf7-pro]()
Dynamics 365 Integration | [integration-dynamics]()
Easy Event calendar | [easy-event-calendar]()
Ecwid Ecommerce Shopping Cart | [ecwid-shopping-cart]()
Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files | [embed-any-document]()
Event Manager and Tickets Selling Plugin for WooCommerce | [mage-eventpress]()
Exxp | [exxp-wp]()
Fluid Checkout for WooCommerce – Lite | [fluid-checkout]()
Force First and Last Name as Display Name | [force-first-last]()
Google XML Sitemap for Images | [google-image-sitemap]()
Google XML Sitemap for Videos | [xml-sitemaps-for-videos]()
HT Feed | [ht-instagram]()
Hotel Booking Lite | [motopress-hotel-booking-lite]()
Import External Images | [import-external-images]()
Klaviyo | [klaviyo]()
LOGIN AND REGISTRATION ATTEMPTS LIMIT | [login-attempts-limit-wp]()
Modern Events Calendar Lite | [modern-events-calendar-lite]()
Modern Footnotes | [modern-footnotes]()
Open RDW kenteken voertuiginformatie | [open-rdw-kenteken-voertuiginformatie]()
PB SEO Friendly Images | [pb-seo-friendly-images]()
PhonePe Payment Solutions | [phonepe-payment-solutions]()
Photo Gallery, Images, Slider in Rbs Image Gallery | [robo-gallery]()
Popup Maker – Popup for opt-ins, lead gen, & more | [popup-maker]()
Print Invoice & Delivery Notes for WooCommerce | [woocommerce-delivery-notes]()
RapidLoad Power-Up for Autoptimize | [unusedcss]()
Redirection | [redirect-redirection]()
Return and Warranty Management System for WooCommerce | [wc-return-warrranty]()
Reusable Blocks Extended | [reusable-blocks-extended]()
SEO Plugin by Squirrly SEO | [squirrly-seo]()
SMTP2GO – Email Made Easy | [smtp2go]()
Shopping Cart & eCommerce Store | [wp-easycart]()
Site Reviews | [site-reviews]()
Slide Anything – Responsive Content / HTML Slider and Carousel | [slide-anything]()
Slideshow Gallery LITE | [slideshow-gallery]()
Solidres – Hotel booking plugin for WordPress | [solidres]()
Store Locator for WordPress with Google Maps – LotsOfLocales | [store-locator]()
Surbma \| GDPR Proof Cookie Consent & Notice Bar | [surbma-gdpr-proof-google-analytics]()
Tags Cloud Manager | [tags-cloud-manager]()
UpdraftPlus WordPress Backup Plugin | [updraftplus]()
User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress | [user-role]()
WH Testimonials | [wh-testimonials]()
WP Basic Elements | [wp-basic-elements]()
WP Express Checkout (Accept PayPal Payments Easily) | [wp-express-checkout]()
WP Job Portal – A Complete Job Board | [wp-job-portal]()
WP Popup Banners | [wp-popup-banners]()
WP Shortcode by MyThemeShop | [wp-shortcode]()
WP Simple Events | [wp-simple-events]()
WSB Brands | [wsb-brands]()
Website Monetization by MageNet | [website-monetization-by-magenet]()
WooCommerce Weight Based Shipping | [weight-based-shipping-for-woocommerce]()
WordPress Console | [wordpress-console]()
WordPress Email Marketing Plugin – WP Email Capture | [wp-email-capture]()
WordPress Mortgage Calculator Estatik | [estatik-mortgage-calculator]()
WordPress Online Booking and Scheduling Plugin – Bookly | [bookly-responsive-appointment-booking-tool]()
WordPress Plugin for Google Maps – WP MAPS | [wp-google-map-plugin]()
WordPress Simple Shopping Cart | [wordpress-simple-paypal-shopping-cart]()
WordPress WP-Advanced-Search | [wp-advanced-search]()
Yandex.News Feed by Teplitsa | [yandexnews-feed-by-teplitsa]()
eCommerce Product Catalog Plugin for WordPress | [ecommerce-product-catalog]()
wpml | [wpml]()
* * *
### WordPress Themes with Reported Vulnerabilities Last Week
**Software Name** | **Software Slug**
---|---
Brilliance | [brilliance]()
Chankhe | [chankhe]()
Mediciti Lite | [mediciti-lite]()
NewsMag | [newsmag]()
Real Estate Directory | [real-estate-directory]()
Regina Lite | [regina-lite]()
intrepidity | [intrepidity]()
* * *
### Vulnerability Details
#### [Be POPIA Compliant <= 1.2.0 – Unauthenticated SQL Injection]()
**Affected Software**: [Be POPIA Compliant]()
**CVE ID**: CVE-2022-47445
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [TEAM WEBoB of BoB 11th]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Intrepidity <= 1.5.1 – Cross-Site Request Forgery via mytheme_add_admin]()
**Affected Software**: [intrepidity]()
**CVE ID**: CVE-2023-27634
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 – Privilege Escalation via updraft_central_ajax_handler]()
**Affected Software**: [UpdraftPlus WordPress Backup Plugin]()
**CVE ID**: CVE Unknown
**CVSS Score**: 8.8 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WP Popup Banners <= 1.2.5 – Authenticated (Subscriber+) SQL Injection]()
**Affected Software**: [WP Popup Banners]()
**CVE ID**: CVE-2023-1471
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Etan Imanol Castro Aldrete]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [User Role by BestWebSoft <= 1.6.6 – Cross-Site Request Forgery to Privilege Escalation]()
**Affected Software**: [User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress]()
**CVE ID**: CVE-2023-0820
**CVSS Score**: 8.8 (High)
**Researcher/s**: [dc11]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WordPress Email Marketing Plugin – WP Email Capture <= 3.10 – Missing Authorization to Email Capture List Download]()
**Affected Software**: [WordPress Email Marketing Plugin – WP Email Capture]()
**CVE ID**: CVE Unknown
**CVSS Score**: 8.2 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Admin side data storage for Contact Form 7 <= 1.1.1 – Unauthenticated Stored Cross-Site Scripting]()
**Affected Software**: [Admin side data storage for Contact Form 7]()
**CVE ID**: CVE-2023-24420
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Bhuvanesh Jayaprakash]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Tags Cloud Manager <= 1.0.0 – Unauthenticated Stored Cross-Site Scripting]()
**Affected Software**: [Tags Cloud Manager]()
**CVE ID**: CVE-2023-28166
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Nithissh S]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Shopping Cart & eCommerce Store <= 5.4.2 – Authenticated (Admin+) Local File Inclusion via import_file_url]()
**Affected Software**: [Shopping Cart & eCommerce Store]()
**CVE ID**: CVE-2023-1124
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Shreya Pohekar]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WH Testimonials <= 3.0.0 – Unauthenticated Stored Cross-Site Scripting]()
**Affected Software**: [WH Testimonials]()
**CVE ID**: CVE-2023-1372
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Daniel Kelley]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Bookly <= 21.5 – Unauthenticated Stored Cross-Site Scripting via Name]()
**Affected Software**: [WordPress Online Booking and Scheduling Plugin – Bookly]()
**CVE ID**: CVE-2023-1172
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Vinay Kumar]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Return and Warranty Management System for WooCommerce <= 1.2.3 – Unauthenticated Stored Cross-Site Scripting]()
**Affected Software**: [Return and Warranty Management System for WooCommerce]()
**CVE ID**: CVE-2023-22710
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Le Ngoc Anh]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Slideshow Gallery LITE <= 1.7.6 – Authenticated (Admin+) SQL Injection]()
**Affected Software**: [Slideshow Gallery LITE]()
**CVE ID**: CVE-2023-28491
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Exxp <= 2.6.8 – Authenticated (Subscriber+) Stored Cross-Site Scripting]()
**Affected Software**: [Exxp]()
**CVE ID**: CVE-2022-45812
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Aman Rawat]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Slide Anything <= 2.4.7 – Authenticated (Author+) Stored Cross-Site Scripting]()
**Affected Software**: [Slide Anything – Responsive Content / HTML Slider and Carousel]()
**CVE ID**: CVE-2023-28499
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [FearZzZz]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Surbma | GDPR Proof Cookie Consent & Notice Bar <= 17.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting]()
**Affected Software**: [Surbma | GDPR Proof Cookie Consent & Notice Bar]()
**CVE ID**: CVE-2023-23894
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Robo Gallery <= 3.2.12 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes]()
**Affected Software**: [Photo Gallery, Images, Slider in Rbs Image Gallery]()
**CVE ID**: CVE-2023-27620
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Ecwid Shopping Cart <= 6.11.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**Affected Software**: [Ecwid Ecommerce Shopping Cart]()
**CVE ID**: CVE-2023-24408
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files <= 2.7.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG files]()
**Affected Software**: [Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files]()
**CVE ID**: CVE-2023-23707
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [n0paew]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WP Job Portal <= 1.1.9 – Authenticated (Subscriber+) Stored Cross-Site Scripting]()
**Affected Software**: [WP Job Portal – A Complete Job Board]()
**CVE ID**: CVE-2023-28534
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Fariq Fadillah Gusti Insani]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery]()
**Affected Software**: [RapidLoad Power-Up for Autoptimize]()
**CVE ID**: CVE-2023-1472
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [SEO Plugin by Squirrly SEO <= 12.1.20 – Missing Authorization]()
**Affected Software**: [SEO Plugin by Squirrly SEO]()
**CVE ID**: CVE-2022-44626
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Data Tables Generator by Supsystic <= 1.10.25 – Missing Authorization]()
**Affected Software**: [Data Tables Generator by Supsystic]()
**CVE ID**: CVE-2023-25043
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Open RDW kenteken voertuiginformatie <= 2.0.14 – Reflected Cross-Site Scripting via open_data_rdw_kenteken]()
**Affected Software**: [Open RDW kenteken voertuiginformatie]()
**CVE ID**: CVE-2022-47431
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Solidres <= 0.9.4 – Reflected Cross-Site Scripting]()
**Affected Software**: [Solidres – Hotel booking plugin for WordPress]()
**CVE ID**: CVE-2023-1377
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [SEO Plugin by Squirrly SEO <= 12.1.20 – Reflected Cross-Site Scripting via ‘page’ and ‘tab’]()
**Affected Software**: [SEO Plugin by Squirrly SEO]()
**CVE ID**: CVE-2022-45065
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WordPress Mortgage Calculator Estatik <= 2.0.7 – Reflected Cross-Site Scripting]()
**Affected Software**: [WordPress Mortgage Calculator Estatik]()
**CVE ID**: CVE-2023-28490
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard <= 2.11.0 – Reflected Cross-Site Scripting]()
**Affected Software**: [Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WPML <= 4.6.1 – Cross-Site Scripting]()
**Affected Software**: [wpml]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Brilliance <= 1.3.1 – Reflected Cross-Site Scripting]()
**Affected Software**: [Brilliance]()
**CVE ID**: CVE-2023-28171
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Mediciti Lite <= 1.3.0 – Reflected Cross-Site Scripting]()
**Affected Software**: [Mediciti Lite]()
**CVE ID**: CVE-2023-28418
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Dynamics 365 Integration <= 1.3.12 – Missing Authorization via wp_ajax_wpcrm_log & wp_ajax_wpcrm_log_verbosity]()
**Affected Software**: [Dynamics 365 Integration]()
**CVE ID**: CVE-2023-28417
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Force First and Last Name as Display Name <= 1.2 – Cross-Site Request Forgery]()
**Affected Software**: [Force First and Last Name as Display Name]()
**CVE ID**: CVE-2023-28419
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WP Google Map Plugin <= 4.4.2 – Cross-Site Request Forgery via delete()]()
**Affected Software**: [WordPress Plugin for Google Maps – WP MAPS]()
**CVE ID**: CVE-2023-28172
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Redirect Redirection <= 1.1.4 – Cross-Site Request Forgery to Plugin De-Installation]()
**Affected Software**: [Redirection]()
**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Regina Lite <= 2.0.7 – Reflected Cross-Site Scripting]()
**Affected Software**: [Regina Lite]()