Wordfence Intelligence Weekly WordPress Vulnerability Report (May 8, 2023 to May 14, 2023)

Last week, there were 139 vulnerabilities disclosed in 105 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

_[Click here to sign up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published._

* * *

### New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our [Premium](), [Care](), and [Response]() customers last week:

* [Essential Addons for Elementor <= 5.7.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation]()
  * This vulnerability is being actively exploited. We have blocked over 600 exploit attempts in the past 24 hours, and expect this to continue. [You can read more about this here.]()

Wordfence [Premium](), [Care](), and [Response]() customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

* * *

### Total Unpatched & Patched Vulnerabilities Last Week

**Patch Status** | **Number of Vulnerabilities**
---|---
Unpatched | 47
Patched | 92

* * *

### Total Vulnerabilities by CVSS Severity Last Week

**Severity Rating** | **Number of Vulnerabilities**
---|---
Low Severity | 2
Medium Severity | 119
High Severity | 13
Critical Severity | 5

* * *

### Total Vulnerabilities by CWE Type Last Week

**Vulnerability Type by CWE** | **Number of Vulnerabilities**
---|---
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 64
Cross-Site Request Forgery (CSRF) | 31
Missing Authorization | 23
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 8
Deserialization of Untrusted Data | 2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2
URL Redirection to Untrusted Site (‘Open Redirect’) | 2
Use of Less Trusted Source | 1
Incorrect Authorization | 1
Unrestricted Upload of File with Dangerous Type | 1
Improper Authorization | 1
Authorization Bypass Through User-Controlled Key | 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1
Unverified Password Change | 1

* * *

### Researchers That Contributed to WordPress Security Last Week

**Researcher Name** | **Number of Vulnerabilities**
---|---
[Lana Codes]() (Wordfence Vulnerability Researcher) | 14
[Rafie Muhammad]() | 12
[minhtuanact]() | 7
[thiennv]() | 6
[Dave Jong]() | 5
[Mika]() | 5
[apple502j]() | 4
[Rio Darmawan]() | 4
[Abdi Pranata]() | 4
[yuyudhn]() | 4
[Marco Wotschka]() (Wordfence Vulnerability Researcher) | 4
[Taihei Shimamine]() | 4
[Alex Thomas]() (Wordfence Vulnerability Researcher) | 4
[Pavak Tiwari]() | 3
[Lokesh Dachepalli]() | 3
[Darius Sveikauskas]() | 2
[OZ1NG (TOOR, LISA)]() | 2
[Justiice]() | 2
[konagash]() | 2
[Jonas Höbenreich]() | 2
[Yash Kanchhal]() | 2
[Nguyen Xuan Chien]() | 2
[Chloe Chamberland]() (Wordfence Vulnerability Researcher) | 2
[Yuki Haruma]() | 1
[Taurus Omar]() | 1
[Nguyen Anh Tien]() | 1
[Ilyase Dehy]() | 1
[Aymane Mazguiti]() | 1
[Emili Castells]() | 1
[LEE SE HYOUNG]() | 1
[rezaduty]() | 1
[Le Ngoc Anh]() | 1
[Monkey Wrench Inc.]() | 1
[deokhunKim]() | 1
[Simone Onofri]() | 1
[Donato Onofri]() | 1
[Skalucy]() | 1
[Badromance 1337]() | 1
[Johan Kragt]() | 1
[Felipe Restrepo Rodriguez]() | 1
[WPScanTeam]() | 1
[Erwan LR]() | 1
[Mahesh Nagabhairava]() | 1
[rSolutions Security Team]() | 1
[easyBug]() | 1
[Shuya Ota]() | 1
[TEAM WEBoB of BoB 11th]() | 1

_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added to the [Wordfence Intelligence leaderboard](), along with a mention in our weekly vulnerability report.

* * *

### WordPress Plugins with Reported Vulnerabilities Last Week

**Software Name** | **Software Slug**
---|---
10Web Social Post Feed | [wd-facebook-feed]()
Active Directory Integration / LDAP Integration | [ldap-login-for-intranet-sites]()
Add Posts to Pages | [add-posts-to-pages]()
Announcement & Notification Banner – Bulletin | [bulletin-announcements]()
Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection | [stopbadbots]()
Block Referer Spam | [block-referer-spam]()
Booking Ultra Pro Appointments Booking Calendar Plugin | [booking-ultra-pro]()
Brands for WooCommerce | [brands-for-woocommerce]()
Button | [button]()
CALL ME NOW | [lokalyze-call-now]()
CM On Demand Search And Replace | [cm-on-demand-search-and-replace]()
Column-Matic | [column-matic]()
Community by PeepSo – Social Network, Membership, Registration, User Profiles | [peepso-core]()
Complianz – GDPR/CCPA Cookie Consent | [complianz-gdpr]()
Custom Base Terms | [custom-base-terms]()
Custom Field Suite | [custom-field-suite]()
DBargain | [d-bargain]()
DevBuddy Twitter Feed | [devbuddy-twitter-feed]()
Directorist – WordPress Business Directory Plugin with Classified Ads Listings | [directorist]()
Don8 | [don8]()
Donations Made Easy – Smart Donations | [smart-donations]()
Download Manager | [download-manager]()
Download Monitor | [download-monitor]()
Dyslexiefont Free | [dyslexiefont]()
Easy Form by AYS | [easy-form]()
Easy Hide Login | [easy-hide-login]()
Elementor Website Builder | [elementor]()
Essential Addons for Elementor | [essential-addons-for-elementor-lite]()
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) | [google-analytics-dashboard-for-wp]()
Featured Image Pro Post Grid | [featured-image-pro]()
Forget About Shortcode Buttons | [forget-about-shortcode-buttons]()
Free WordPress Lead Generation Opt in, Free Popups, Generated Lead Email Popup, Exit-Intent Popup – NotifyVisitors | [notifyvisitors-lead-form]()
Frontend Post WordPress Plugin – AccessPress Anonymous Post | [accesspress-anonymous-post]()
GTmetrix for WordPress | [gtmetrix-for-wordpress]()
Get your number | [get-your-number]()
GiveWP – Donation Plugin and Fundraising Platform | [give]()
Google Site Verification plugin using Meta Tag | [google-site-verification-using-meta-tag]()
Hide My WP Ghost – Security Plugin | [hide-my-wp]()
Hostel | [hostel]()
Hyphenator | [hyphenator]()
Injection Guard | [injection-guard]()
LetterPress – E-Mail campaigns, marketing and newsletter Plugin for WordPress | [letterpress]()
Link Whisper Free | [link-whisper]()
Locatoraid Store Locator | [locatoraid]()
MW WP Form | [mw-wp-form]()
MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder | [mailchimp-subscribe-sm]()
Manager for Icomoon | [manager-for-icomoon]()
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) | [google-analytics-for-wordpress]()
My WP Customize Admin/Frontend | [my-wp]()
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue | [mailin]()
Order Your Posts Manually | [order-your-posts-manually]()
Owl Carousel | [owl-carousel]()
Pinterest RSS Widget | [pinterest-rss-widget]()
Portfolio Gallery – Responsive Image Gallery | [gallery-portfolio]()
Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions | [buddyforms]()
Post Snippets – Custom WordPress Code Snippets Customizer | [post-snippets]()
Post State Tags | [post-state-tags]()
Pricing Table Builder – AP Pricing Tables Lite | [ap-pricing-tables-lite]()
Pro Mime Types | [pro-mime-types]()
Product page shipping calculator for WooCommerce | [product-page-shipping-calculator-for-woocommerce]()
QuBot – Chatbot Builder with Templates | [qubotchat]()
Quick Page/Post Redirect Plugin | [quick-pagepost-redirect-plugin]()
Radio Station by netmix® – Manage and play your Show Schedule in WordPress! | [radio-station]()
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | [custom-registration-form-builder-with-submission-manager]()
Restaurant Menu – Food Ordering System – Table Reservation | [menu-ordering-reservations]()
SALERT – Fake Sales Notification WooCommerce | [salert]()
SEO by 10Web | [seo-by-10web]()
ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization | [shortpixel-adaptive-images]()
Simple Calendar – Google Calendar Plugin | [google-calendar-events]()
Slimstat Analytics | [wp-slimstat]()
Snow Monkey Forms | [snow-monkey-forms]()
SoundCloud Is Gold | [soundcloud-is-gold]()
Sunny Search | [fast-search-powered-by-solr]()
Team Circle Image Slider With Lightbox | [circle-image-slider-with-lightbox]()
Ultimate Addons for Contact Form 7 | [ultimate-addons-for-contact-form-7]()
VK All in One Expansion Unit | [vk-all-in-one-expansion-unit]()
VK Blocks | [vk-blocks]()
VK Blocks Pro | [vk-blocks-pro]()
WCP Contact Form | [wcp-contact-form]()
WP Abstracts | [wp-abstracts-manuscripts-manager]()
WP All Backup | [wp-all-backup]()
WP Category Post List Widget | [wp-category-posts-list]()
WP Chinese Conversion | [wp-chinese-conversion]()
WP Multi Store Locator | [wp-multi-store-locator]()
WP Reactions Lite | [wp-reactions-lite]()
WP Register Profile With Shortcode | [wp-register-profile-with-shortcode]()
WP Replicate Post | [wp-replicate-post]()
WP Responsive Tabs horizontal vertical and accordion Tabs | [responsive-horizontal-vertical-and-accordion-tabs]()
WP-Chatbot for Messenger | [wp-chatbot]()
WPCS – WordPress Currency Switcher Professional | [currency-switcher]()
Web Stories for WordPress | [UNKNOWN-CVE-2023-1979-1]()
Whydonate – FREE Donate button – Crowdfunding – Fundraising | [wp-whydonate]()
Wise Chat | [wise-chat]()
Woo Custom Emails | [woo-custom-emails]()
Woodmart Core | [woodmart-core]()
WordPress Online Booking and Scheduling Plugin – Bookly | [bookly-responsive-appointment-booking-tool]()
YITH WooCommerce Gift Cards Premium | [yith-woocommerce-gift-cards-premium]()
Yoast SEO Premium | [wordpress-seo-premium]()
Yoast SEO: Local | [wpseo-local]()
Zero Spam for WordPress | [zero-spam]()
eBecas | [ebecas]()
iframe popup | [iframe-popup]()
itemprop WP for SERP/SEO Rich snippets | [itempropwp]()
weebotLite | [weebotlite]()
wordpress vertical image slider plugin | [wp-vertical-image-slider]()

* * *

### WordPress Themes with Reported Vulnerabilities Last Week

**Software Name** | **Software Slug**
---|---
Divi | [Divi]()
Woodmart | [woodmart]()

* * *

### Vulnerability Details

#### [Woodmart Core <= 1.0.36 – Missing Authorization to Privilege Escalation]()

**Affected Software**: [Woodmart Core]()
**CVE ID**: CVE-2023-32244
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Manager for Icomoon <= 2.0 – Unauthenticated Arbitrary File Upload via ‘upload’]()

**Affected Software**: [Manager for Icomoon]()
**CVE ID**: CVE-2023-29386
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [deokhunKim]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Essential Addons for Elementor <= 5.7.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation]()

**Affected Software**: [Essential Addons for Elementor]()
**CVE ID**: CVE-2023-32243
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Woodmart Core <= 1.0.36 – PHP Object Injection]()

**Affected Software**: [Woodmart Core]()
**CVE ID**: CVE-2023-32242
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Ultimate Addons for Contact Form 7 <= 3.1.23 – Unauthenticated SQL Injection via form_id]()

**Affected Software**: [Ultimate Addons for Contact Form 7]()
**CVE ID**: CVE-2022-47586
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Replicate Post <= 4.0.2 – Authenticated (Contributor+) SQL Injection]()

**Affected Software**: [WP Replicate Post]()
**CVE ID**: CVE-2023-2237
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Bookly <= 21.7.1 – Arbitrary File Deletion]()

**Affected Software**: [WordPress Online Booking and Scheduling Plugin – Bookly]()
**CVE ID**: CVE-2023-26526
**CVSS Score**: 8.1 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Booking Ultra Pro <= 1.1.4 – Unauthenticated Stored Cross-Site Scripting]()

**Affected Software**: [Booking Ultra Pro Appointments Booking Calendar Plugin]()
**CVE ID**: CVE-2023-32511
**CVSS Score**: 7.2 (High)
**Researcher/s**: [thiennv]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Zero Spam for WordPress <= 5.4.4 – Authenticated (Administrator+) SQL Injection]()

**Affected Software**: [Zero Spam for WordPress]()
**CVE ID**: CVE Unknown
**CVSS Score**: 7.2 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Active Directory Integration / LDAP Integration <= 4.1.4 – Authenticated (Administrator+) SQL Injection]()

**Affected Software**: [Active Directory Integration / LDAP Integration]()
**CVE ID**: CVE-2023-2484
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Slimstat Analytics <= 5.0.4 – Authenticated (Administrator+) SQL Injection]()

**Affected Software**: [Slimstat Analytics]()
**CVE ID**: CVE-2022-45373
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Order Your Posts Manually <= 2.2.5 – Authenticated (Administrator+) SQL Injection via ‘sortdata’]()

**Affected Software**: [Order Your Posts Manually]()
**CVE ID**: CVE-2023-32508
**CVSS Score**: 7.2 (High)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [AP Pricing Tables Lite <= 1.1.6 – Authenticated (Admin+) SQL Injection]()

**Affected Software**: [Pricing Table Builder – AP Pricing Tables Lite]()
**CVE ID**: CVE-2023-0900
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Simone Onofri](), [Donato Onofri]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [WP Chinese Conversion <= 1.1.16 – Unauthenticated Stored Cross-Site Scripting]()

**Affected Software**: [WP Chinese Conversion]()
**CVE ID**: CVE-2023-32518
**CVSS Score**: 7.2 (High)
**Researcher/s**: [thiennv]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Zero Spam <= 5.4.4 – Authenticated (Administrator+) SQL Injection]()

**Affected Software**: [Zero Spam for WordPress]()
**CVE ID**: CVE-2023-32121
**CVSS Score**: 7.2 (High)
**Researcher/s**: [OZ1NG (TOOR, LISA)]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [QuBotChat <= 1.1.5 – Unauthenticated Stored Cross-Site Scripting]()

**Affected Software**: [QuBot – Chatbot Builder with Templates]()
**CVE ID**: CVE Unknown
**CVSS Score**: 7.2 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Directorist <= 7.5.3 – Authenticated (Administrator+) Local File Inclusion]()

**Affected Software**: [Directorist – WordPress Business Directory Plugin with Classified Ads Listings]()
**CVE ID**: CVE-2023-2252
**CVSS Score**: 7.2 (High)
**Researcher/s**: [rSolutions Security Team]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Booking Ultra Pro <= 1.1.4 – Unauthenticated Stored Cross-Site Scripting]()

**Affected Software**: [Booking Ultra Pro Appointments Booking Calendar Plugin]()
**CVE ID**: CVE-2023-32236
**CVSS Score**: 7.2 (High)
**Researcher/s**: [TEAM WEBoB of BoB 11th]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [GiveWP <= 2.25.3 – Authenticated (Admin+) PHP Object Injection]()

**Affected Software**: [GiveWP – Donation Plugin and Fundraising Platform]()
**CVE ID**: CVE-2023-32513
**CVSS Score**: 6.6 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RegistrationMagic <= 5.2.0.5 – Authenticated (Admin+) Insecure Direct Object Reference to Arbitrary User Password Change]()

**Affected Software**: [RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login]()
**CVE ID**: CVE-2023-2548
**CVSS Score**: 6.6 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [YITH WooCommerce Gift Cards Premium <= 3.23.1 – Missing Authorization]()

**Affected Software**: [YITH WooCommerce Gift Cards Premium]()
**CVE ID**: CVE-2022-44633
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Portfolio Gallery – Responsive Image Gallery <= 1.4.5 – Missing Authorization to Arbitrary Gallery Deletion]()

**Affected Software**: [Portfolio Gallery – Responsive Image Gallery]()
**CVE ID**: CVE-2023-32585
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Hide My WP Ghost – Security Plugin <= 5.0.18 – IP Address Spoofing to Protection Mechanism Bypass]()

**Affected Software**: [Hide My WP Ghost – Security Plugin]()
**CVE ID**: CVE-2022-4537
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [rezaduty]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Pro Mime Types – Manage file media types <= 1.0.7 – Cross-Site Request Forgery via pmt_settings_section_callback_tab_1]()

**Affected Software**: [Pro Mime Types]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Nguyen Xuan Chien]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [VK Blocks <= 1.53.0.1 – Stored (Contributor+) Cross-Site Scripting in Post]()

**Affected Software/s**: [VK Blocks Pro](), [VK Blocks]()
**CVE ID**: CVE-2023-27925
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [apple502j]()
**Patch Status**: Patched
**Vulnerability Details:**