Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023)

Main / Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023)

Discription

Last week, there were 58 vulnerabilities disclosed in 43 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 27 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

_[Click here to sign-up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _

* * *

### New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our [Premium](), [Care](), and [Response]() customers last week:

* [Easy Digital Downloads 3.1 – 3.1.1.4.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation]()

Wordfence [Premium](), [Care](), and [Response]() customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

* * *

### Total Unpatched & Patched Vulnerabilities Last Week

**Patch Status** | **Number of Vulnerabilities**
—|—
Unpatched | 14
Patched | 44

* * *

### Total Vulnerabilities by CVSS Severity Last Week

* * *

### Total Vulnerabilities by CWE Type Last Week

**Vulnerability Type by CWE** | **Number of Vulnerabilities**
—|—
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 31
Missing Authorization | 9
Cross-Site Request Forgery (CSRF) | 5
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3
Server-Side Request Forgery (SSRF) | 2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2
Improper Authentication | 1
Information Exposure | 1
Unverified Password Change | 1
URL Redirection to Untrusted Site (‘Open Redirect’) | 1
Deserialization of Untrusted Data | 1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1

* * *

### Researchers That Contributed to WordPress Security Last Week

_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence leaderboard]() along with being mentioned in our weekly vulnerability report.

* * *

### WordPress Plugins with Reported Vulnerabilities Last Week

**Software Name** | **Software Slug**
—|—
Add to Feedly | [add-to-feedly]()
Advanced Custom Fields (ACF) | [advanced-custom-fields]()
Advanced Custom Fields Pro | [advanced-custom-fields-pro]()
Advanced Woo Search | [advanced-woo-search]()
Albo Pretorio On line | [albo-pretorio-on-line]()
AnyWhere Elementor | [anywhere-elementor]()
CM Pop-Up banners for WordPress | [cm-pop-up-banners]()
Community by PeepSo â Social Network, Membership, Registration, User Profiles | [peepso-core]()
Contact Form 7 extension for Google Map fields | [cf7-google-map]()
Cryptocurrency Payment & Donation Box â Accept Payments in any Cryptocurrency on your WP Site for Free | [cryptocurrency-donation-box]()
Custom 404 Pro | [custom-404-pro]()
DX Delete Attached Media | [dx-delete-attached-media]()
Easy Appointments | [easy-appointments]()
Easy Digital Downloads â Simple eCommerce for Selling Digital Files | [easy-digital-downloads]()
FV Flowplayer Video Player | [fv-wordpress-flowplayer]()
Fast & Effective Popups & Lead-Generation for WordPress â HollerBox | [holler-box]()
Hostel | [hostel]()
Image Optimizer by 10web â Image Optimizer and Compression plugin | [image-optimizer-wd]()
Library Viewer | [library-viewer]()
Login rebuilder | [login-rebuilder]()
Loginizer | [loginizer]()
Manager for Icomoon | [manager-for-icomoon]()
Metform Elementor Contact Form Builder â Flexible and Design-Friendly Contact Form builder plugin for WordPress | [metform]()
Multi Rating | [multi-rating]()
Newsletter Popup | [newsletter-popup]()
OSM â OpenStreetMap | [osm]()
Otter â Gutenberg Blocks â Page Builder for Gutenberg Editor & FSE | [otter-blocks]()
Participants Database | [participants-database]()
Photo Gallery by Ays â Responsive Image Gallery | [gallery-photo-gallery]()
Product Addons & Fields for WooCommerce | [woocommerce-product-addon]()
Spiffy Calendar | [spiffy-calendar]()
TK Google Fonts GDPR Compliant | [tk-google-fonts]()
TP Education | [tp-education]()
UserAgent-Spy | [useragent-spy]()
WOLF â WordPress Posts Bulk Editor and Manager Professional | [bulk-editor]()
WP Directory Kit | [wpdirectorykit]()
WP Docs | [wp-docs]()
WP EasyPay â Square for WordPress | [wp-easy-pay]()
WP Fastest Cache | [wp-fastest-cache]()
WP Job Portal â A Complete Job Board | [wp-job-portal]()
WP-FormAssembly | [formassembly-web-forms]()
WPO365 | Mail Integration for Office 365 / Outlook | [mail-integration-365]()
WPPizza â A Restaurant Plugin | [wppizza]()

* * *

### WordPress Themes with Reported Vulnerabilities Last Week

* * *

### Vulnerability Details

#### [Easy Digital Downloads 3.1 – 3.1.1.4.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation]()

**Affected Software**: [Easy Digital Downloads â Simple eCommerce for Selling Digital Files]()
**CVE ID**: CVE-2023-30869
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Nguyen Anh Tien]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Otter – Gutenberg Blocks <= 2.2.5 – Authenticated (Author+) PHAR Deserialization]()

**Affected Software**: [Otter â Gutenberg Blocks â Page Builder for Gutenberg Editor & FSE]()
**CVE ID**: CVE-2023-2288
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Alex Sanford]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [CM Pop-Up banners <= 1.5.10 – Authenticated (Subscriber+) SQL Injection via getStatistics]()

**Affected Software**: [CM Pop-Up banners for WordPress]()
**CVE ID**: CVE-2023-30750
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [AnyWhere Elementor <= 1.2.7 – Sensitive Information Exposure]()

**Affected Software**: [AnyWhere Elementor]()
**CVE ID**: CVE-2023-0443
**CVSS Score**: 8.6 (High)
**Researcher/s**: [Sanjay Das]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [JupiterX Theme <= 3.0.0 – Authenticated Local File Inclusion via print_pane]()

**Affected Software**: [JupiterX]()
**CVE ID**: CVE-2023-32110
**CVSS Score**: 8.1 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [TK Google Fonts GDPR Compliant <= 2.2.7 – Authorization Bypass]()

**Affected Software**: [TK Google Fonts GDPR Compliant]()
**CVE ID**: CVE Unknown
**CVSS Score**: 7.3 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Newsletter Popup <= 1.2 – Unauthenticted Stored Cross-Site Scripting via ‘nl_data’]()

**Affected Software**: [Newsletter Popup]()
**CVE ID**: CVE-2023-0733
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Cryptocurrency Donation Box â Bitcoin & Crypto Donations <= 2.2.5 – Authenticated (Administrator+) SQL Injection]()

**Affected Software**: [Cryptocurrency Payment & Donation Box â Accept Payments in any Cryptocurrency on your WP Site for Free]()
**CVE ID**: CVE-2023-32128
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Contact Form 7 extension for Google Map fields <= 1.8.3 – Stored Cross-Site Scripting]()

**Affected Software**: [Contact Form 7 extension for Google Map fields]()
**CVE ID**: CVE Unknown
**CVSS Score**: 7.2 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [HollerBox <= 2.1.3 – Authenticated (edit_popups+) SQL Injection]()

**Affected Software**: [Fast & Effective Popups & Lead-Generation for WordPress â HollerBox]()
**CVE ID**: CVE-2023-2111
**CVSS Score**: 6.6 (Medium)
**Researcher/s**: [WPScanTeam]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Metform Elementor Contact Form Builder <= 3.3.0 – Missing Authorization]()

**Affected Software**: [Metform Elementor Contact Form Builder â Flexible and Design-Friendly Contact Form builder plugin for WordPress]()
**CVE ID**: CVE-2023-1843
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Directory Kit <= 1.2.2 – Missing Authorization to Plugin Installation, Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_public_action]()

**Affected Software**: [WP Directory Kit]()
**CVE ID**: CVE-2023-2280
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Ramuel Gall](), [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Fastest Cache <= 1.1.4 – Authenticated(Administrator+) Blind Server Side Request Forgery via check_url]()

**Affected Software**: [WP Fastest Cache]()
**CVE ID**: CVE-2023-1938
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WOLF <= 1.0.6 – Authenticated (Subscriber+) Stored Cross-Site Scripting via wpbe_update_page_field]()

**Affected Software**: [WOLF â WordPress Posts Bulk Editor and Manager Professional]()
**CVE ID**: CVE-2023-31218
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Junsu Yeo]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [OSM – OpenStreetMap <= 6.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode]()

**Affected Software**: [OSM â OpenStreetMap]()
**CVE ID**: CVE-2022-4676
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Library Viewer <= 2.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()

**Affected Software**: [Library Viewer]()
**CVE ID**: CVE-2023-32102
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Manager for Icomoon <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()

**Affected Software**: [Manager for Icomoon]()
**CVE ID**: CVE-2023-29387
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [deokhunKim]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [TP Education <= 4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes]()

**Affected Software**: [TP Education]()
**CVE ID**: CVE-2023-32103
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [deokhunKim]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [TheGem < 5.8.1.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting]()

**Affected Software**: [TheGem]()
**CVE ID**: CVE-2023-32237
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [TheGem < 5.8.1.1 – Missing Authorization]()

**Affected Software**: [TheGem]()
**CVE ID**: CVE-2023-32238
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [TheGem < 5.8.1.1 – Improper Authentication]()

**Affected Software**: [TheGem]()
**CVE ID**: CVE-2023-32238
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Easy Appointments <= 3.11.9 – Cross-Site Request Forgery via multiple AJAX actions]()

**Affected Software**: [Easy Appointments]()
**CVE ID**: CVE-2022-36424
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Editorialmag <= 1.1.9 – Missing Authorization to Authenticated Plugin Activation]()

**Affected Software**: [Editorialmag]()
**CVE ID**: CVE-2023-32129
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [WPO365 | Mail Integration for Office 365 / Outlook <= 1.9.0 – reflected Cross-Site Scripting via error_description]()

**Affected Software**: [WPO365 | Mail Integration for Office 365 / Outlook]()
**CVE ID**: CVE-2023-32119
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Nguyen Xuan Chien]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WPPizza <= 3.17.1 – Reflected Cross-Site Scripting]()

**Affected Software**: [WPPizza â A Restaurant Plugin]()
**CVE ID**: CVE-2023-32105
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Le Ngoc Anh]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Loginizer <= 1.7.8 – Reflected Cross-Site Scripting via ‘limit_session[count]’]()

**Affected Software**: [Loginizer]()
**CVE ID**: CVE-2023-2296
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Custom 404 Pro <= 3.7.2 – Reflected Cross-Site Scripting via ‘s’]()

**Affected Software**: [Custom 404 Pro]()
**CVE ID**: CVE-2023-2023
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Chien Vuong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Docs <= 1.9.9 – Reflected Cross-Site Scripting]()

**Affected Software**: [WP Docs]()
**CVE ID**: CVE-2023-32106
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Le Ngoc Anh]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [FV Flowplayer Video Player <= 7.5.32.7212 – Reflected Cross-Site Scripting via id]()

**Affected Software**: [FV Flowplayer Video Player]()
**CVE ID**: CVE-2023-30499
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Albo Pretorio Online <= 4.6.3 – Reflected Cross-Site Scripting]()

**Affected Software**: [Albo Pretorio On line]()
**CVE ID**: CVE-2023-32108
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [thiennv]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Advanced Custom Fields PRO <= 6.1.5 – Reflected Cross-Site Scripting via ‘post_status’]()

**Affected Software**: [Advanced Custom Fields Pro]()
**CVE ID**: CVE-2023-30777
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [PPOM for WooCommerce <= 32.0.6 – Reflected Cross-Site Scripting]()

**Affected Software**: [Product Addons & Fields for WooCommerce]()
**CVE ID**: CVE-2023-2256
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Alex Sanford]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Photo Gallery by Ays <= 5.1.3 – Reflected Cross-Site Scripting via ays_gpg_settings_tab]()

**Affected Software**: [Photo Gallery by Ays â Responsive Image Gallery]()
**CVE ID**: CVE-2023-32107
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Le Ngoc Anh]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Albo Pretorio Online <= 4.6.3 – Reflected Cross-Site Scripting]()

**Affected Software**: [Albo Pretorio On line]()
**CVE ID**: CVE-2023-32109
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Phd]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Advanced Custom Fields <= 6.1.5 – Reflected Cross-Site Scripting via ‘post_status’]()

**Affected Software**: [Advanced Custom Fields (ACF)]()
**CVE ID**: CVE-2023-30777
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP EasyPay <= 4.0.4 – Reflected Cross-Site Scripting]()

**Affected Software**: [WP EasyPay â Square for WordPress]()
**CVE ID**: CVE-2023-1465
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Pablo Sanchez]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [TheGem < 5.8.1.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting]()

**Affected Software**: [TheGem]()
**CVE ID**: CVE-2023-32237
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Participants Database <= 2.4.9 – Cross-Site Request Forgery via _process_general]()

**Affected Software**: [Participants Database]()
**CVE ID**: CVE-2023-31235
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Skalucy]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Library Viewer <= 2.0.6 – Open Redirect via ‘redirect_to’]()

**Affected Software**: [Library Viewer]()
**CVE ID**: CVE-2023-32101
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Community by PeepSo <= 6.0.9.0 – Missing Authorization to Sensitive Information Exposure]()

**Affected Software**: [Community by PeepSo â Social Network, Membership, Registration, User Profiles]()
**CVE ID**: CVE-2023-27630
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Job Portal <= 1.1.9 – Missing Authorization to Settings Modification]()

**Affected Software**: [WP Job Portal â A Complete Job Board]()
**CVE ID**: CVE-2022-41786
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Multi Rating <= 5.0.6 – Missing Authorization to Arbitrary Ratings Value Change]()

**Affected Software**: [Multi Rating]()
**CVE ID**: CVE-2023-32127
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [WP-FormAssembly <= 2.0.8 – Limited Server Side Request Forgery via ‘formassembly’ shortcode]()

**Affected Software**: [WP-FormAssembly]()
**CVE ID**: CVE Unknown
**CVSS Score**: 5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Spiffy Calendar <= 4.9.3 – Reflected Cross-Site Scripting via page parameter]()

**Affected Software**: [Spiffy Calendar]()
**CVE ID**: CVE-2023-32122
**CVSS Score**: 4.7 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Add to Feedly <= 1.2.11 – Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings]()

**Affected Software**: [Add to Feedly]()
**CVE ID**: CVE-2023-2470
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Fioravante Souza]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Advanced Woo Search <= 2.77 – Authenticated (Admin+) Stored Cross-Site Scripting]()

**Affected Software**: [Advanced Woo Search]()
**CVE ID**: CVE-2023-2452
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Ivan Kuzymchak](Read More

References

Back to Main

Subscribe for the latest news: