Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 17, 2023 to Apr 23, 2023)

Last week, 152 vulnerabilities disclosed in 134 WordPress plugins and 0 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 41 vulnerability researchers contributed to WordPress security. More of those vulnerabilities were unpatched than patched (81 against 71), so it is more important than ever to **review the vulnerabilities in this report now to ensure your site is not affected, and make the appropriate adjustments if it is.**

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and [vulnerability API]() are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

_[Click here to sign-up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._

* * *

### Total Unpatched & Patched Vulnerabilities Last Week

**Patch Status** | **Number of Vulnerabilities**
---|---
Unpatched | 81
Patched | 71

* * *

### Total Vulnerabilities by CVSS Severity Last Week

**Severity Rating** | **Number of Vulnerabilities**
---|---
Low Severity | 0
Medium Severity | 134
High Severity | 16
Critical Severity | 2

* * *

### Total Vulnerabilities by CWE Type Last Week

**Vulnerability Type by CWE** | **Number of Vulnerabilities**
---|---
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 93
Cross-Site Request Forgery (CSRF) | 30
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 11
Missing Authorization | 10
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2
Deserialization of Untrusted Data | 2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1
Information Exposure | 1
Improper Access Control | 1
URL Redirection to Untrusted Site (‘Open Redirect’) | 1

* * *

### Researchers That Contributed to WordPress Security Last Week

**Researcher Name** | **Number of Vulnerabilities**
---|---
[Lana Codes]() | 30
[Marco Wotschka]() | 11
[Yuki Haruma]() | 9
[yuyudhn]() | 7
[Muhammad Daffa]() | 6
[LEE SE HYOUNG]() | 6
[Rio Darmawan]() | 6
[Sajjad Shariati]() | 6
[Shreya Pohekar]() | 5
[minhtuanact]() | 5
[Justiice]() | 4
[Ramuel Gall]() | 4
[TEAM WEBoB of BoB 11th]() | 3
[Mika]() | 3
[Ivan Kuzymchak]() | 3
[Le Ngoc Anh]() | 3
[Erwan LR]() | 3
[Cat]() | 3
[WPScanTeam]() | 2
[Lokesh Dachepalli]() | 2
[Nguyen Xuan Chien]() | 2
[Joshua Martinelle]() | 1
[Rafie Muhammad]() | 1
[Rafshanzani Suhada]() | 1
[Nguyen Huu Do]() | 1
[Ryo Sato]() | 1
[Skalucy]() | 1
[Shezad Master]() | 1
[zhangyunpei]() | 1
[Yeting Li VARAS@IIE]() | 1
[Ameen Alkurdy]() | 1
[Nithissh S]() | 1
[Chien Vuong]() | 1
[thiennv]() | 1
[Alexander Schmid]() | 1
[cydave]() | 1
[easyBug]() | 1
[Daniel Ruf]() | 1
[Alex Thomas]() | 1
[deokhunKim]() | 1
[Lucio Sá]() | 1

_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence leaderboard]() along with being mentioned in our weekly vulnerability report.

* * *

### WordPress Plugins with Reported Vulnerabilities Last Week

**Software Name** | **Software Slug**
---|---
AI ChatBot | [chatbot]()
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | [armember-membership]()
Accessibility Suite by Online ADA | [online-accessibility]()
Accordion & FAQ – Helpie WordPress Frequently Asked Questions plugin | [helpie-faq]()
Active Directory Integration / LDAP Integration | [ldap-login-for-intranet-sites]()
ActiveCampaign – Forms, Site Tracking, Live Chat | [activecampaign-subscription-forms]()
Ad Inserter – Ad Manager & AdSense Ads | [ad-inserter]()
Album Gallery – WordPress Gallery | [new-album-gallery]()
ApexChat | [apexchat]()
Avirato hotels online booking engine | [avirato-calendar]()
BBSpoiler | [bbspoiler]()
BadgeOS | [badgeos]()
Best Travel Booking WordPress Plugin, Tour Booking System, Trip Booking WordPress Plugin – Yatra | [yatra]()
Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop | [woo-altcoin-payment-gateway]()
BizLibrary | [bizlibrary]()
Booking calendar, Appointment Booking System | [booking-calendar]()
Button Builder – Buttons X | [buttons-x]()
CMP – Coming Soon & Maintenance Plugin by NiteoThemes | [cmp-coming-soon-maintenance]()
CMS Tree Page View | [cms-tree-page-view]()
Cab Grid | [cab-grid]()
Captcha Them All | [captcha-them-all]()
Category Specific RSS feed Subscription | [category-specific-rss-feed-menu]()
Church Admin | [church-admin]()
Clock In Portal- Staff & Attendance Management | [clock-in-portal]()
Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress | [contact-form-to-db]()
Continuous announcement scroller | [continuous-announcement-scroller]()
Custom Post Type List Shortcode | [custom-post-type-list-shortcode]()
Customer Support Software, Live Chat, & Marketing Automation | [formilla-chat-and-marketing]()
Dave’s WordPress Live Search | [daves-wordpress-live-search]()
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress | [charitable]()
EZP Maintenance Mode | [easy-pie-maintenance-mode]()
Easy Ad Manager | [easy-ad-manager]()
Easy Slider Revolution | [easy-slider-revolution]()
Ebook Store | [ebook-store]()
Email posts to subscribers | [email-posts-to-subscribers]()
Enable/Disable Auto Login when Register | [auto-login-when-resister]()
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | [essential-blocks]()
File Gallery | [file-gallery]()
Flyzoo Chat | [flyzoo]()
Form Block | [form-block]()
FormCraft – Contact Form Builder for WordPress | [formcraft-form-builder]()
Formilla Edge Targeted Messaging Platform for Sales and Marketing | [formilla-edge]()
Freshdesk (official) | [freshdesk-support]()
GDPR Compliance & Cookie Consent | [gdpr-compliance-cookie-consent]()
Gallery Metabox | [gallery-metabox]()
Google Analytics Top Content Widget | [google-analytics-top-posts-widget]()
Gps Plotter | [gps-plotter]()
Help Desk WP | [helpdeskwp]()
Image Optimizer by 10web – Image Optimizer and Compression plugin | [image-optimizer-wd]()
Japanized For WooCommerce | [woocommerce-for-japan]()
Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation | [zero-bs-crm]()
Kaya QR Code Generator | [kaya-qr-code-generator]()
Kiwiz – Certification de facturation – Woocommerce | [woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz]()
Kodex Posts likes | [kodex-posts-likes]()
LIQUID SPEECH BALLOON | [liquid-speech-balloon]()
Layer Slider | [slider-slideshow]()
LearnPress Export Import – WordPress extension for LearnPress | [learnpress-import-export]()
Live Chat by Formilla – Real-time Chat & Chatbots Plugin | [formilla-live-chat]()
Locatoraid Store Locator | [locatoraid]()
Login Page Styler \| Custom Login \| Custom WP Admin Login Page \| Admin Security \| Admin Protection \| Login Page Customizer \| Admin Login \| Login Security \| Login Redirect \| Theme Login \| Login Menu \| Login Form \| Admin Dashboard \| Change Login Logo \| Login | [login-page-styler]()
Mail Subscribe List | [mail-subscribe-list]()
Mega Addons For WPBakery Page Builder | [mega-addons-for-visual-composer]()
Membership Database | [member-database]()
Modal Dialog | [modal-dialog]()
Motors – Car Dealer, Classifieds & Listing | [motors-car-dealership-classified-listings]()
NEX-Forms – Ultimate Form Builder – Contact forms and much more | [nex-forms-express-wp-form-builder]()
Ninja Tables – Best Data Table Plugin for WordPress | [ninja-tables]()
OoohBoi Steroids for Elementor | [ooohboi-steroids-for-elementor]()
Panorama – WordPress Project Management Plugin | [project-panorama-lite]()
Post Shortcode | [post-shortcode]()
PowerPress Podcasting plugin by Blubrry | [powerpress]()
Pretty Url | [pretty-url]()
Product Slider For WooCommerce Lite | [product-slider-for-woocommerce-lite]()
PropertyHive | [propertyhive]()
Query Wrangler | [query-wrangler]()
RapidExpCart | [rapidexpcart]()
Redirect After Login | [redirect-after-login]()
Reservation.Studio widget | [reservation-studio-widget]()
Responsive Filterable Portfolio | [responsive-filterable-portfolio]()
ReviewX – Multi-criteria Rating & Reviews for WooCommerce | [reviewx]()
Robokassa payment gateway for Woocommerce | [robokassa]()
Semalt Blocker | [semalt]()
ShopEngine – Elementor WooCommerce Builder Addons, Variation Swatches, Wishlist, Products Compare – All in One Solution | [shopengine]()
Shortcode IMDB | [shortcode-imdb]()
Simple Share Buttons Adder | [simple-share-buttons-adder]()
Simple Tooltips | [simple-tooltips]()
SiteAlert – Uptime, Speed, and Security Monitoring for WordPress | [my-wp-health-check]()
Sloth Logo Customizer | [sloth-logo-customizer]()
Smart WooCommerce Search | [smart-woocommerce-search]()
Social Share Boost | [social-share-boost]()
SparkPost | [sparkpost]()
Stock Exporter for WooCommerce | [stock-exporter-for-woocommerce]()
Stream | [stream]()
Subscribers – Free Web Push Notifications | [subscribers-com]()
Tablesome – Data table & Workflow Automation ( Contact Form Entries, Email Log, OpenAI / ChatGPT ) | [tablesome]()
TaxoPress is the WordPress Tag, Category, and Taxonomy Manager | [simple-tags]()
The School Management – Education & Learning Management | [school-management-system]()
Themify Portfolio Post | [themify-portfolio-post]()
Thumbnail carousel slider | [wp-responsive-thumbnail-slider]()
Uji Popup | [uji-popup]()
Ultimate Carousel For Elementor | [ultimate-carousel-for-elementor]()
Ultimate Carousel For WPBakery Page Builder | [ultimate-carousel-for-visual-composer]()
Update Image Tag Alt Attribute | [update-alt-attribute]()
Verified Reviews (Avis Vérifiés) | [netreviews]()
Video Grid | [video-grid]()
Video List Manager | [video-list-manager]()
Visual CSS Style Editor | [yellow-pencil-visual-theme-customizer]()
WCP Contact Form | [wcp-contact-form]()
WP Cerber Security, Anti-spam & Malware Scan | [wp-cerber]()
WP Custom Author URL | [wp-custom-author-url]()
WP Docs | [wp-docs]()
WP Links Page | [wp-links-page]()
WP Login Box | [wp-login-box]()
WP Original Media Path | [wp-original-media-path]()
WP Popups – WordPress Popup builder | [wp-popups-lite]()
WP Responsive Tabs horizontal vertical and accordion Tabs | [responsive-horizontal-vertical-and-accordion-tabs]()
WP-FormAssembly | [formassembly-web-forms]()
WP-dTree | [wp-dtree-30]()
WPJAM Basic | [wpjam-basic]()
White Label Branding for Elementor Page Builder | [white-label-branding-elementor]()
WooCommerce Easy Duplicate Product | [woo-easy-duplicate-product]()
WooCommerce Order Status Change Notifier | [woocommerce-order-status-change-notifier]()
Woocommerce Email Report | [wooemailreport]()
Woocommerce Products Designer by ORION – online product customizer for t-shirts, print cards, phone cases Lettering & Decals | [woocommerce-products-designer]()
WordPress Header Builder Plugin – Pearl | [pearl-header-builder]()
Wp-D3 | [wp-d3]()
YARPP – Yet Another Related Posts Plugin | [yet-another-related-posts-plugin]()
YML for Yandex Market | [yml-for-yandex-market]()
YourChannel: Everything you want in a YouTube plugin. | [yourchannel]()
Zendesk Support for WordPress | [zendesk]()
eRocket | [erocket]()
f(x) TOC | [fx-toc]()
miniOrange’s Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) \| Passwordless login | [miniorange-2-factor-authentication]()
vSlider Multi Image Slider for WordPress | [vslider]()
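
The table above gives the slug of every plugin with a reported vulnerability, and the Vulnerability Details section below gives the highest affected version for each entry (the `<= x.y` in the heading). The script that follows is an added example, not Wordfence code or part of the vulnerability API: it takes a plugin inventory in the shape produced by `wp plugin list --format=json` (the inventory here is a constructed sample), compares each installed version against the ceilings transcribed from the first few entries of this report, and says whether the fix is to update or, for unpatched entries, to deactivate and remove. The version comparison is dotted numeric comparison with missing components treated as 0; that is an assumption that matches PHP's `version_compare` for the versions on this page but not for suffixed versions such as `1.2-beta`.

```python
"""Check a WordPress plugin inventory against the affected-version ceilings in this report.

Added example, not Wordfence code. AFFECTED is transcribed from the headings in the
Vulnerability Details section (slug taken from the plugin table on this page); extend it
with the remaining entries as needed. INSTALLED is a constructed sample in the format of
`wp plugin list --format=json`; on a real site, feed that command's output instead.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    slug: str
    max_affected: str   # every version <= this value is affected
    cve: str
    patched: bool       # Patch Status from the report
    title: str


# Transcribed from this report's Vulnerability Details section (first entries only).
AFFECTED = [
    Advisory("email-posts-to-subscribers", "6.2", "CVE-2022-46818", False, "Unauthenticated SQL Injection"),
    Advisory("woo-altcoin-payment-gateway", "1.7.1", "CVE-2022-4118", False, "Unauthenticated SQL Injection"),
    Advisory("reviewx", "1.6.8", "CVE-2023-26325", True, "Authenticated (Subscriber+) SQL Injection"),
    Advisory("yet-another-related-posts-plugin", "5.30.2", "CVE-2022-45374", False, "Authenticated (Subscriber+) Local File Inclusion"),
    Advisory("zero-bs-crm", "5.3.1", "CVE-2022-3342", True, "Cross-Site Request Forgery and PHAR Deserialization"),
    Advisory("ebook-store", "5.775", "CVE-2023-22701", True, "Missing Authorization via ebook_store_export_orders"),
    Advisory("miniorange-2-factor-authentication", "5.6.5", "CVE-2022-4943", True, "Missing Authorization to Plugin Settings Change"),
]

# Constructed sample inventory; real input comes from `wp plugin list --format=json`.
INSTALLED = json.dumps([
    {"name": "yet-another-related-posts-plugin", "status": "active", "update": "none", "version": "5.30.2"},
    {"name": "reviewx", "status": "active", "update": "available", "version": "1.6.8"},
    {"name": "email-posts-to-subscribers", "status": "inactive", "update": "none", "version": "6.2"},
    {"name": "zero-bs-crm", "status": "active", "update": "none", "version": "5.4.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.1"},
])


def version_key(version: str) -> tuple:
    """Dotted version string -> tuple of ints. Each component keeps only its leading
    digits (assumption: suffixes like '-beta' are ignored, unlike PHP's version_compare)."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(installed: str, max_affected: str) -> bool:
    """True when installed <= max_affected, padding the shorter tuple with zeros
    so that '6.2' and '6.2.0' compare equal and '6.2.1' is above the ceiling."""
    a, b = version_key(installed), version_key(max_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def check_inventory(plugin_list_json: str, advisories=AFFECTED) -> list:
    """Return one finding per (installed plugin, advisory) pair that matches.
    An inactive plugin is still reported: its PHP files remain on disk and some
    vulnerabilities are reachable without the plugin being active."""
    by_slug = {}
    for adv in advisories:
        by_slug.setdefault(adv.slug, []).append(adv)
    findings = []
    for plugin in json.loads(plugin_list_json):
        for adv in by_slug.get(plugin["name"], []):
            if is_affected(plugin["version"], adv.max_affected):
                action = ("update to a version above %s" % adv.max_affected if adv.patched
                          else "no fix published: deactivate and remove, or restrict access")
                findings.append({
                    "slug": adv.slug,
                    "installed": plugin["version"],
                    "status": plugin.get("status", "unknown"),
                    "cve": adv.cve,
                    "title": adv.title,
                    "action": action,
                })
    return findings


if __name__ == "__main__":
    for f in check_inventory(INSTALLED):
        print("%(slug)s %(installed)s (%(status)s): %(cve)s %(title)s -> %(action)s" % f)
```

Against the sample inventory this reports YARPP (unpatched, so the advice is to remove it), ReviewX (patched, update) and the inactive Email posts to subscribers install (unpatched), and stays silent on Jetpack CRM 5.4.0 because it is above the 5.3.1 ceiling. Keep the Patch Status column in mind when acting on a hit: for the unpatched entries there is no version to update to, so the only fix is removing the plugin.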

* * *

### Vulnerability Details

#### [Email posts to subscribers <= 6.2 – Unauthenticated SQL Injection]()

**Affected Software**: [Email posts to subscribers]()
**CVE ID**: CVE-2022-46818
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Le Ngoc Anh]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Bitcoin / AltCoin Payment Gateway for WooCommerce <= 1.7.1 – Unauthenticated SQL Injection]()

**Affected Software**: [Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop]()
**CVE ID**: CVE-2022-4118
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [cydave]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [ReviewX – Multi-criteria Rating & Reviews for WooCommerce <= 1.6.8 – Authenticated (Subscriber+) SQL Injection]()

**Affected Software**: [ReviewX – Multi-criteria Rating & Reviews for WooCommerce]()
**CVE ID**: CVE-2023-26325
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Joshua Martinelle]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [YARPP <= 5.30.2 – Authenticated (Subscriber+) Local File Inclusion]()

**Affected Software**: [YARPP – Yet Another Related Posts Plugin]()
**CVE ID**: CVE-2022-45374
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Accessibility Suite by Online ADA <= 4.11 – Authenticated (Subscriber+) SQL Injection]()

**Affected Software**: [Accessibility Suite by Online ADA]()
**CVE ID**: CVE-2022-47420
**CVSS Score**: 8.8 (High)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Avirato hotels online booking engine <= 5.0.5 – Authenticated (Subscriber+) SQL Injection]()

**Affected Software**: [Avirato hotels online booking engine]()
**CVE ID**: CVE-2023-0768
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Contact Form to DB by BestWebSoft <= 1.7.0 – Authenticated (Contributor+) SQL Injection via cntctfrmtdb_department]()

**Affected Software**: [Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress]()
**CVE ID**: CVE-2023-29096
**CVSS Score**: 8.8 (High)
**Researcher/s**: [easyBug]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Kiwiz – Certification de facturation – Woocommerce <= 2.1.3 – Unauthenticated Arbitrary File Download]()

**Affected Software**: [Kiwiz – Certification de facturation – Woocommerce]()
**CVE ID**: CVE-2023-2180
**CVSS Score**: 7.5 (High)
**Researcher/s**: [WPScanTeam]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [miniOrange’s Google Authenticator <= 5.6.5 – Missing Authorization to Plugin Settings Change]()

**Affected Software**: [miniOrange’s Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login]()
**CVE ID**: CVE-2022-4943
**CVSS Score**: 7.5 (High)
**Researcher/s**: [Ramuel Gall]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Jetpack CRM <= 5.3.1 – Cross-Site Request Forgery and PHAR Deserialization]()

**Affected Software**: [Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation]()
**CVE ID**: CVE-2022-3342
**CVSS Score**: 7.5 (High)
**Researcher/s**: [Ramuel Gall]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [The School Management – Education & Learning Management <= 4.1 – Authenticated (Administrator+) SQL Injection]()

**Affected Software**: [The School Management – Education & Learning Management]()
**CVE ID**: CVE-2022-47430
**CVSS Score**: 7.2 (High)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Ad Inserter <= 2.7.25 – Authenticated (Admin+) PHP Object Injection]()

**Affected Software**: [Ad Inserter – Ad Manager & AdSense Ads]()
**CVE ID**: CVE-2023-1549
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Nguyen Huu Do]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Shortcode IMDB <= 6.0.8 – Authenticated (Administrator+) SQL Injection]()

**Affected Software**: [Shortcode IMDB]()
**CVE ID**: CVE-2022-47432
**CVSS Score**: 7.2 (High)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [WP Cerber Security <= 9.1 – Unauthenticated Stored Cross-Site Scripting]()

**Affected Software**: [WP Cerber Security, Anti-spam & Malware Scan]()
**CVE ID**: CVE-2022-4712
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Ramuel Gall]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Video List Manager <= 1.7 – Authenticated (Admin+) SQL Injection]()

**Affected Software**: [Video List Manager]()
**CVE ID**: CVE-2023-1408
**CVSS Score**: 7.2 (High)
**Researcher/s**: [zhangyunpei](), [Yeting Li VARAS@IIE]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Help Desk WP <= 1.2.0 – Authenticated (Editor+) Stored Cross-Site Scripting]()

**Affected Software**: [Help Desk WP]()
**CVE ID**: CVE-2023-1019
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Ameen Alkurdy]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Booking calendar, Appointment Booking System <= 3.2.6 – Authenticated (Administrator+) SQL Injection via *_selected]()

**Affected Software**: [Booking calendar, Appointment Booking System]()
**CVE ID**: CVE-2022-47428
**CVSS Score**: 7.2 (High)
**Researcher/s**: [thiennv]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [NEX-Forms <= 8.3.3 – Authenticated (Administrator+) SQL Injection]()

**Affected Software**: [NEX-Forms – Ultimate Form Builder – Contact forms and much more]()
**CVE ID**: CVE-2023-2114
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Alexander Schmid]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Ebook Store <= 5.775 – Missing Authorization via ebook_store_export_orders]()

**Affected Software**: [Ebook Store]()
**CVE ID**: CVE-2023-22701
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [f(x) TOC <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting]()

**Affected Software**: [f(x) TOC]()
**CVE ID**: CVE-2023-0490
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
