Last week, there were 77 vulnerabilities disclosed in 68 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
_[Click here to sign up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._
* * *
### Total Unpatched & Patched Vulnerabilities Last Week
**Patch Status** | **Number of Vulnerabilities**
---|---
Unpatched | 40
Patched | 37
* * *
### Total Vulnerabilities by CVSS Severity Last Week
**Severity Rating** | **Number of Vulnerabilities**
---|---
Low Severity | 0
Medium Severity | 65
High Severity | 10
Critical Severity | 2
* * *
### Total Vulnerabilities by CWE Type Last Week
**Vulnerability Type by CWE** | **Number of Vulnerabilities**
---|---
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 44
Cross-Site Request Forgery (CSRF) | 9
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 8
Missing Authorization | 7
URL Redirection to Untrusted Site (‘Open Redirect’) | 3
Deserialization of Untrusted Data | 2
Server-Side Request Forgery (SSRF) | 2
Improper Neutralization of Formula Elements in a CSV File | 1
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 1
* * *
### Researchers That Contributed to WordPress Security Last Week
**Researcher Name** | **Number of Vulnerabilities**
---|---
[Lana Codes]() | 7
[Mika]() | 6
[Yuki Haruma]() | 5
[qilin_99]() | 4
[Pavitra Tiwari]() | 4
[Erwan LR]() | 4
[Justiice]() | 3
[minhtuanact]() | 3
[László Radnai]() | 3
[Shreya Pohekar]() | 3
[thiennv]() | 3
[Nguyen Xuan Chien]() | 2
[Ramuel Gall]() | 2
[Abdi Pranata]() | 2
[Marco Wotschka]() | 2
[Ivy]() | 2
[Le Ngoc Anh]() | 2
[Nguyen Xuan Hoa]() | 1
[LEE SE HYOUNG]() | 1
[rezaduty]() | 1
[TomS]() | 1
[Pavak Tiwari]() | 1
[daniloalbuqrque]() | 1
[yuyudhn]() | 1
[Taurus Omar]() | 1
[qerogram]() | 1
[Felipe Restrepo Rodriguez]() | 1
[deokhunKim]() | 1
[Phạm Ngọc Khánh]() | 1
[Lucio Sá]() | 1
[Nguyen Duy Quoc Khanh]() | 1
[Trần Quốc Trường An]() | 1
_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence leaderboard]() along with being mentioned in our weekly vulnerability report.
* * *
### WordPress Plugins with Reported Vulnerabilities Last Week
**Software Name** | **Software Slug**
---|---
AJAX Thumbnail Rebuild | [ajax-thumbnail-rebuild]()
Advanced Category Template | [advanced-category-template]()
Advanced Youtube Channel Pagination | [advanced-youtube-channel-pagination]()
Arconix Shortcodes | [arconix-shortcodes]()
Autoptimize | [autoptimize]()
BSK Forms Blacklist | [bsk-gravityforms-blacklist]()
Bit File Manager – 100% free file manager for WordPress | [file-manager]()
Booking Manager | [booking-manager]()
CM On Demand Search And Replace | [cm-on-demand-search-and-replace]()
CRM Memberships | [crm-memberships]()
Chronosly Events Calendar | [chronosly-events-calendar]()
ClickFunnels | [clickfunnels]()
Custom 404 Pro | [custom-404-pro]()
Customizer Export/Import | [customizer-export-import]()
Decon WP SMS | [decon-wp-sms]()
Depicter Slider – Responsive Image Slider, Video Slider & Post Slider | [depicter]()
Display custom fields in the frontend – Post and User Profile Fields | [shortcode-to-display-post-and-user-data]()
Dynamically Register Sidebars | [dynamically-register-sidebars]()
Easy Bet | [easy-bet]()
Elementor Website Builder | [elementor]()
Emails & Newsletters with Jackmail | [jackmail-newsletters]()
Extensions for Leaflet Map | [extensions-leaflet-map]()
Forms Ada – Form Builder | [forms-ada-form-builder]()
HTTP Headers | [http-headers]()
Image Optimizer by 10web – Image Optimizer and Compression plugin | [image-optimizer-wd]()
Inactive User Deleter | [inactive-user-deleter]()
Integration for Contact Form 7 HubSpot | [cf7-hubspot]()
Ko-fi Button | [ko-fi-button]()
Logo Scheduler – Great for holidays, events, and more | [logo-scheduler-great-for-holidays-events-and-more]()
Maintenance Switch | [maintenance-switch]()
Mass Email To users | [mass-email-to-users]()
NS Coupon To Become Customer | [ns-coupon-to-become-customer]()
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress | [ninja-forms]()
Orbit Fox by ThemeIsle | [themeisle-companion]()
Photo Gallery Slideshow & Masonry Tiled Gallery | [wp-responsive-photo-gallery]()
Plugins List | [plugins-list]()
Progress Bar | [progress-bar]()
Push Notifications for WordPress by PushAssist | [push-notification-for-wp-by-pushassist]()
REST API TO MiniProgram | [rest-api-to-miniprogram]()
Rating-Widget: Star Review System | [rating-widget]()
Recipe Maker For Your Food Blog from Zip Recipes | [zip-recipes]()
SEO ALert | [seo-alert]()
Shield Security – Smart Bot Blocking & Intrusion Prevention | [wp-simple-firewall]()
Simple Giveaways – Grow your business, email lists and traffic with contests | [giveasap]()
Stock Sync for WooCommerce | [stock-sync-for-woocommerce]()
Stream | [stream]()
Thumbnail Slider With Lightbox | [wp-responsive-slider-with-lightbox]()
Thumbs Rating | [thumbs-rating]()
Tiempo.com | [tiempocom]()
Tippy | [tippy]()
URL Params | [url-params]()
Ultimate Addons for Contact Form 7 | [ultimate-addons-for-contact-form-7]()
Updraft | [updraft]()
User IP and Location | [user-ip-and-location]()
Video XML Sitemap Generator | [video-xml-sitemap-generator]()
WP BrowserUpdate | [wp-browser-update]()
WP Directory Kit | [wpdirectorykit]()
WP Inventory Manager | [wp-inventory-manager]()
WP Page Numbers | [wp-page-numbers]()
WP Search Analytics | [search-analytics]()
WP Visitor Statistics (Real Time Traffic) | [wp-stats-manager]()
WP-CORS | [wp-cors]()
WooCommerce Multivendor Marketplace – REST API | [wcfm-marketplace-rest-api]()
Woocommerce Tip/Donation | [woo-tipdonation]()
XML for Google Merchant Center | [xml-for-google-merchant-center]()
YARPP – Yet Another Related Posts Plugin | [yet-another-related-posts-plugin]()
Zephyr Project Manager | [zephyr-project-manager]()
wordpress vertical image slider plugin | [wp-vertical-image-slider]()
* * *
### WordPress Themes with Reported Vulnerabilities Last Week
**Software Name** | **Software Slug**
---|---
Arya Multipurpose | [arya-multipurpose]()
Mocho Blog | [mocho-blog]()
Viable Blog | [viable-blog]()
* * *
### Vulnerability Details
#### [Custom 404 Pro <= 3.7.2 – Unauthenticated SQL Injection]()
**Affected Software**: [Custom 404 Pro]()
**CVE ID**: CVE Unknown
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WP Visitor Statistics (Real Time Traffic) <= 6.8.1 – Unauthenticated SQL Injection]()
**Affected Software**: [WP Visitor Statistics (Real Time Traffic)]()
**CVE ID**: CVE-2023-0600
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Trần Quốc Trường An]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Ultimate Addons for Contact Form 7 <= 3.1.23 – Authenticated (Subscriber+) SQL Injection via id]()
**Affected Software**: [Ultimate Addons for Contact Form 7]()
**CVE ID**: CVE-2023-30495
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Ivy]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Easy Bet <= 1.0.2 – Authenticated (Contributor+) SQL Injection]()
**Affected Software**: [Easy Bet]()
**CVE ID**: CVE-2023-31092
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Yuki Haruma]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [YARPP – Yet Another Related Posts Plugin <= 5.30.2 – Authenticated (Subscriber+) SQL Injection via Shortcode]()
**Affected Software**: [YARPP – Yet Another Related Posts Plugin]()
**CVE ID**: CVE-2023-0579
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Thumbnail Slider With Lightbox <= 1.0.17]()
**Affected Software**: [Thumbnail Slider With Lightbox]()
**CVE ID**: CVE Unknown
**CVSS Score**: 8.2 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Orbit Fox by ThemeIsle <= 2.10.23 – Authenticated (Author+) Server-Side Request Forgery via URL]()
**Affected Software**: [Orbit Fox by ThemeIsle]()
**CVE ID**: CVE Unknown
**CVSS Score**: 7.4 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Shield Security <= 17.0.17 – Unauthenticated Stored Cross-Site Scripting]()
**Affected Software**: [Shield Security – Smart Bot Blocking & Intrusion Prevention]()
**CVE ID**: CVE-2023-0992
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Ramuel Gall]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Bit File Manager <= 5.2.7 – Authenticated (Admin+) PHP Object Injection]()
**Affected Software**: [Bit File Manager – 100% free file manager for WordPress]()
**CVE ID**: CVE-2022-47599
**CVSS Score**: 7.2 (High)
**Researcher/s**: [rezaduty]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [BSK Forms Blacklist <= 3.6.2 – Authenticated (Administrator+) SQL Injection via ‘order’ and ‘orderby’]()
**Affected Software**: [BSK Forms Blacklist]()
**CVE ID**: CVE-2023-30872
**CVSS Score**: 7.2 (High)
**Researcher/s**: [TomS]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Customizer Export/Import <= 0.9.5 – Authenticated (Administrator+) PHP Object Injection]()
**Affected Software**: [Customizer Export/Import]()
**CVE ID**: CVE-2023-1347
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Nguyen Duy Quoc Khanh]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Inactive User Deleter <= 1.58 – Cross-Site Request Forgery via multiple functions]()
**Affected Software**: [Inactive User Deleter]()
**CVE ID**: CVE-2023-27424
**CVSS Score**: 7.1 (High)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [HTTP Headers <= 1.18.9 – Authenticated (Administrator+) SQL Injection]()
**Affected Software**: [HTTP Headers]()
**CVE ID**: CVE-2023-1207
**CVSS Score**: 6.6 (Medium)
**Researcher/s**: [qerogram]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Elementor <= 3.12.1 – Authenticated (Administrator+) SQL Injection via ‘replace_urls’]()
**Affected Software**: [Elementor Website Builder]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.6 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Display custom fields in the frontend – Post and User Profile Fields <= 1.2.0 – Missing Authorization via vg_display_data shortcode]()
**Affected Software**: [Display custom fields in the frontend – Post and User Profile Fields]()
**CVE ID**: CVE-2023-31073
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Yuki Haruma]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [ClickFunnels <= 3.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**Affected Software**: [ClickFunnels]()
**CVE ID**: CVE-2022-4782
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Rating Widget <= 3.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes]()
**Affected Software**: [Rating-Widget: Star Review System]()
**CVE ID**: CVE-2023-23831
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Arconix Shortcodes <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode]()
**Affected Software**: [Arconix Shortcodes]()
**CVE ID**: CVE-2023-23703
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Progress Bar <= 2.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via wppb shortcode]()
**Affected Software**: [Progress Bar]()
**CVE ID**: CVE-2023-23699
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [REST API TO MiniProgram <= 4.6.1 – Authenticated (Subscriber+) Media Attachment Deletion]()
**Affected Software**: [REST API TO MiniProgram]()
**CVE ID**: CVE-2023-0551
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [URL Params <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**Affected Software**: [URL Params]()
**CVE ID**: CVE-2023-0274
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [User IP and Location <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**Affected Software**: [User IP and Location]()
**CVE ID**: CVE-2023-30780
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [deokhunKim]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Tippy <= 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via tippy shortcode]()
**Affected Software**: [Tippy]()
**CVE ID**: CVE-2023-31079
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Plugins List <= 2.5 – Authenticated (Author+) Stored Cross-Site Scripting via replace_plugin_list_tags]()
**Affected Software**: [Plugins List]()
**CVE ID**: CVE-2023-31232
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Yuki Haruma]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Booking Manager <= 2.0.28 – Authenticated (Subscriber+) Server-Side Request Forgery]()
**Affected Software**: [Booking Manager]()
**CVE ID**: CVE-2023-1977
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Shreya Pohekar]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Updraft <= 0.6.1 – Reflected Cross-Site Scripting via ‘backup_timestamp’]()
**Affected Software**: [Updraft]()
**CVE ID**: CVE-2023-26530
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Nguyen Xuan Hoa]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [WP BrowserUpdate <= 4.5 – Authenticated (Admin+) Stored Cross-Site Scripting]()
**Affected Software**: [WP BrowserUpdate]()
**CVE ID**: CVE-2023-28690
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [qilin_99]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Mass Email To users <= 1.1.4 – Unauthenticated Reflected Cross-Site Scripting via ‘entrant’]()
**Affected Software**: [Mass Email To users]()
**CVE ID**: CVE-2022-47600
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [XML for Google Merchant Center <= 3.0.1 – Reflected Cross-Site Scripting via page parameter]()
**Affected Software**: [XML for Google Merchant Center]()
**CVE ID**: CVE-2023-30877
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Viable blog <= 1.1.4 – Cross-Site Scripting]()
**Affected Software**: [Viable Blog]()
**CVE ID**: CVE-2023-27419
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [László Radnai]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Arya Multipurpose <= 1.0.5 – Unauthenticated Cross-Site Scripting]()
**Affected Software**: [Arya Multipurpose]()
**CVE ID**: CVE-2023-27420
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [László Radnai]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Photo Gallery Slideshow & Masonry Tiled Gallery <= 1.0.13 – Reflected Cross-Site Scripting]()
**Affected Software**: [Photo Gallery Slideshow & Masonry Tiled Gallery]()
**CVE ID**: CVE-2023-2402
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Forms Ada <= 1.0 – Reflected Cross-Site Scripting via ‘p’ parameter]()
**Affected Software**: [Forms Ada – Form Builder]()
**CVE ID**: CVE-2023-27613
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Pavak Tiwari]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [WP Inventory Manager <= 2.1.0.12 – Reflected Cross-Site Scripting via ‘message’]()
**Affected Software**: [WP Inventory Manager]()
**CVE ID**: CVE-2023-2123
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [daniloalbuqrque]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Logo Scheduler <= 1.2.0 – Reflected Cross-Site Scripting via page parameter]()
**Affected Software**: [Logo Scheduler – Great for holidays, events, and more]()
**CVE ID**: CVE-2023-30875
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Yuki Haruma]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Tiempo.com <= 0.1.2 – Reflected Cross-Site Scripting]()
**Affected Software**: [Tiempo.com]()
**CVE ID**: CVE-2023-2272
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Extensions for Leaflet Map <= 3.4.1 – Reflected Cross-Site Scripting]()
**Affected Software**: [Extensions for Leaflet Map]()
**CVE ID**: CVE-2023-31074
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Le Ngoc Anh]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Maintenance Switch <= 1.5.2 – Reflected Cross-Site Scripting]()
**Affected Software**: [Maintenance Switch]()
**CVE ID**: CVE-2022-47590
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Stock Sync for WooCommerce <= 2.4.0 – Reflected Cross-Site Scripting via page parameter]()
**Affected Software**: [Stock Sync for WooCommerce]()
**CVE ID**: CVE-2023-31094
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Ivy]()
**Patch Status**: Patched
**Vulnerability Details:**