
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023)

Last week, there were 90 vulnerabilities disclosed in 77 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize, both personally and commercially, and why we are running this weekly vulnerability report.

_[Click here to sign up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._

* * *

### New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our [Premium](), [Care](), and [Response]() customers last week:

* [Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 – Arbitrary File Upload in File Manager]()
* [ReviewX <= 1.6.13 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation]()
* WAF-RULE-600 – Data redacted while we work with the developer to ensure the vulnerability gets patched.

Wordfence [Premium](), [Care](), and [Response]() customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

* * *

### Total Unpatched & Patched Vulnerabilities Last Week

**Patch Status** | **Number of Vulnerabilities**
---|---
Unpatched | 26
Patched | 64

* * *

### Total Vulnerabilities by CVSS Severity Last Week

**Severity Rating** | **Number of Vulnerabilities**
---|---
Low Severity | 1
Medium Severity | 67
High Severity | 16
Critical Severity | 6

* * *

### Total Vulnerabilities by CWE Type Last Week

**Vulnerability Type by CWE** | **Number of Vulnerabilities**
---|---
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 35
Cross-Site Request Forgery (CSRF) | 23
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 11
Missing Authorization | 6
Unrestricted Upload of File with Dangerous Type | 3
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2
Deserialization of Untrusted Data | 2
Authentication Bypass Using an Alternate Path or Channel | 2
Authorization Bypass Through User-Controlled Key | 1
Information Exposure | 1
Improper Authorization | 1
Creation of Emergent Resource | 1
Client-Side Enforcement of Server-Side Security | 1
Guessable CAPTCHA | 1

* * *

### Researchers That Contributed to WordPress Security Last Week

**Researcher Name** | **Number of Vulnerabilities**
---|---
[Rafie Muhammad]() | 16
[Lana Codes]() (Wordfence Vulnerability Researcher) | 11
[Alex Thomas]() (Wordfence Vulnerability Researcher) | 6
[Rio Darmawan]() | 4
[Mika]() | 4
[yuyudhn]() | 3
[LEE SE HYOUNG]() | 3
[Marco Wotschka]() (Wordfence Vulnerability Researcher) | 3
[thiennv]() | 3
[Nguyen Xuan Chien]() | 3
[Chien Vuong]() | 2
[Hao Huynh]() | 2
[Skalucy]() | 2
[Erwan LR]() | 2
[Cat]() | 2
[Le Ngoc Anh]() | 2
[dc11]() | 2
[WON JOON HWANG]() | 2
[Muhammad Daffa]() | 2
[Nguyen Anh Tien]() | 1
[Bob Matyas]() | 1
[Marco Frison]() | 1
[My Le]() | 1
[Nithissh S]() | 1
[Emili Castells]() | 1
[Yuki Haruma]() | 1
[NGO VAN TU]() | 1
[Abdi Pranata]() | 1
[MyungJu Kim]() | 1

_Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence leaderboard]() along with being mentioned in our weekly vulnerability report._

* * *

### WordPress Plugins with Reported Vulnerabilities Last Week

**Software Name** | **Software Slug**
---|---
AI ChatBot | [chatbot]()
Abandoned Cart Lite for WooCommerce | [woocommerce-abandoned-cart]()
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | [woo-bulk-editor]()
Bubble Menu – circle floating menu | [bubble-menu]()
Button Generator – easily Button Builder | [button-generation]()
Calculator Builder | [calculator-builder]()
Conditional Menus | [conditional-menus]()
Contact Form Entries – Contact Form 7, WPforms and more | [contact-form-entries]()
Counter Box – WordPress plugin for countdown, timer, counter | [counter-box]()
Custom Post Type Generator | [custom-post-type-generator]()
Custom Twitter Feeds (Tweets Widget) | [custom-twitter-feeds]()
Download Theme | [download-theme]()
Duplicator Pro | [duplicator-pro]()
Easy Admin Menu | [easy-admin-menu]()
Easy Captcha | [easy-captcha]()
Easy Google Maps | [google-maps-easy]()
Elementor Website Builder – More than Just a Page Builder | [elementor]()
EventPrime – Modern Events Calendar, Bookings and Tickets | [eventprime-event-calendar-management]()
File Renaming on Upload | [file-renaming-on-upload]()
Flickr Justified Gallery | [flickr-justified-gallery]()
Float menu – awesome floating side menu | [float-menu]()
Floating button | [profit-button]()
Front End Users | [front-end-only-users]()
Go Pricing – WordPress Responsive Pricing Tables | [go_pricing]()
Google Map Shortcode | [google-map-shortcode]()
Herd Effects – fake notifications and social proof plugin | [mwp-herd-effect]()
IP Metaboxes | [ip-metaboxes]()
Integration for Contact Form 7 and Zoho CRM, Bigin | [cf7-zoho]()
JetFormBuilder — Dynamic Blocks Form Builder | [jetformbuilder]()
LearnDash WordPress Plugin | [sfwd-lms]()
Leyka | [leyka]()
MStore API | [mstore-api]()
MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder | [mailchimp-subscribe-sm]()
Multiple Page Generator Plugin – MPG | [multiple-pages-generator-by-porthas]()
Novelist | [novelist]()
OAuth Single Sign On – SSO (OAuth Client) | [miniorange-login-with-eve-online-google-facebook]()
Popup Box – new WordPress popup plugin | [popup-box]()
Product Gallery Slider for WooCommerce | [woo-product-gallery-slider]()
Product Vendors | [woocommerce-product-vendors]()
QuBot – Chatbot Builder with Templates | [qubotchat]()
QueryWall: Plug’n Play Firewall | [querywall]()
Recently Viewed Products | [recently-viewed-products]()
Responsive Tabs For WPBakery Page Builder (formerly Visual Composer) | [responsive-tabs-for-wpbakery]()
SIS Handball | [sis-handball]()
SKU Label Changer For WooCommerce | [woo-sku-label-changer]()
Shopping Cart & eCommerce Store | [wp-easycart]()
Side Menu Lite – add sticky fixed buttons | [side-menu-lite]()
SlideOnline | [slideonline]()
Slider Revolution | [revslider]()
Sticky Buttons – floating buttons builder | [sticky-buttons]()
SupportCandy – Helpdesk & Support Ticket System | [supportcandy]()
This Day In History | [this-day-in-history]()
Tutor LMS – eLearning and online course solution | [tutor]()
UTM Tracker | [utm-tracker]()
Uncanny Automator – Automate everything with the #1 no-code Automation tool for WordPress | [uncanny-automator]()
Unite Gallery Lite | [unite-gallery-lite]()
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | [unlimited-elements-for-elementor]()
Upload Resume | [resume-upload-form]()
User Activity Log | [user-activity-log]()
Video Contest WordPress Plugin | [video-contest]()
WIP Custom Login | [wip-custom-login]()
WP Coder – add custom html, css and js code | [wp-coder]()
WP Tiles | [wp-tiles]()
WP-Hijri | [wp-hijri]()
WP-Matomo Integration (WP-Piwik) | [wp-piwik]()
WS Form LITE – Drag & Drop Contact Form Builder for WordPress | [ws-form]()
WooCommerce Product Categories Selection Widget | [woocommerce-product-category-selection-widget]()
WooCommerce Shipping & Tax | [woocommerce-services]()
WordPress Backup & Migration | [wp-migration-duplicator]()
WordPress File Upload | [wp-file-upload]()
WordPress File Upload Pro | [wordpress-file-upload-pro]()
Wow Skype Buttons | [mwp-skype]()
Yoast SEO: Local | [wpseo-local]()
YouTube Playlist Player | [youtube-playlist-player]()
seo-by-rank-math-pro | [seo-by-rank-math-pro]()
woocommerce-follow-up-emails | [woocommerce-follow-up-emails]()
woocommerce-warranty | [woocommerce-warranty]()

* * *

### Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

#### [Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 – Arbitrary File Upload in File Manager]()

**Affected Software**: [Unlimited Elements For Elementor (Free Widgets, Addons, Templates)]()
**CVE ID**: CVE-2023-31090
**CVSS Score**: 9.9 (Critical)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WooCommerce Follow-Up Emails <= 4.9.40 – Authenticated Arbitrary File Upload in Template Editing]()

**Affected Software**: [woocommerce-follow-up-emails]()
**CVE ID**: CVE-2023-33318
**CVSS Score**: 9.9 (Critical)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Leyka <= 3.30 – Privilege Escalation via Admin Password Reset]()

**Affected Software**: [Leyka]()
**CVE ID**: CVE-2023-33327
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Nguyen Anh Tien]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Recently Viewed Products <= 1.0.0 – Unauthenticated PHP Object Injection]()

**Affected Software**: [Recently Viewed Products]()
**CVE ID**: CVE-2023-34027
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [MStore API <= 3.9.1 – Authentication Bypass]()

**Affected Software**: [MStore API]()
**CVE ID**: CVE-2023-2734
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [MStore API <= 3.9.2 – Authentication Bypass]()

**Affected Software**: [MStore API]()
**CVE ID**: CVE-2023-2732
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [LearnDash LMS <= 4.5.3 – Authenticated (Contributor+) SQL Injection]()

**Affected Software**: [LearnDash WordPress Plugin]()
**CVE ID**: CVE-2023-28777
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Contact Form Entries <= 1.3.0 – Authenticated (Contributor+) SQL Injection via shortcode]()

**Affected Software**: [Contact Form Entries – Contact Form 7, WPforms and more]()
**CVE ID**: CVE-2023-31212
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [OAuth Single Sign On – SSO (OAuth Client) <= 6.23.3 – Missing Authorization]()

**Affected Software**: [OAuth Single Sign On – SSO (OAuth Client)]()
**CVE ID**: CVE-2022-34155
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [SupportCandy <= 3.1.6 – Authenticated (Subscriber+) SQL Injection]()

**Affected Software**: [SupportCandy – Helpdesk & Support Ticket System]()
**CVE ID**: CVE-2023-2719
**CVSS Score**: 8.8 (High)
**Researcher/s**: [dc11]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Authenticated (Subscriber+) PHP Object Injection]()

**Affected Software**: [Go Pricing – WordPress Responsive Pricing Tables]()
**CVE ID**: CVE-2023-2500
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Easy Captcha <= 1.0 – Missing Authorization via easy_captcha_update_settings]()

**Affected Software**: [Easy Captcha]()
**CVE ID**: CVE-2023-33324
**CVSS Score**: 7.5 (High)
**Researcher/s**: [Skalucy]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.2.3 – Authenticated (Admin+) SQL Injection]()

**Affected Software**: [Integration for Contact Form 7 and Zoho CRM, Bigin]()
**CVE ID**: CVE-2023-2527
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Chien Vuong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [QueryWall <= 1.1.1 – Authenticated (Administrator+) SQL Injection]()

**Affected Software**: [QueryWall: Plug’n Play Firewall]()
**CVE ID**: CVE-2023-2492
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Chien Vuong]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Slider Revolution <= 6.6.12 – Authenticated (Administrator+) Arbitrary File Upload]()

**Affected Software**: [Slider Revolution]()
**CVE ID**: CVE-2023-2359
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Marco Frison]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [SupportCandy <= 3.1.6 – Authenticated (Admin+) SQL Injection]()

**Affected Software**: [SupportCandy – Helpdesk & Support Ticket System]()
**CVE ID**: CVE-2023-2805
**CVSS Score**: 7.2 (High)
**Researcher/s**: [dc11]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [SIS Handball <= 1.0.45 – Authenticated (Administrator+) SQL Injection via ‘orderby’]()

**Affected Software**: [SIS Handball]()
**CVE ID**: CVE-2023-33924
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Multiple Page Generator Plugin – MPG <= 3.3.19 – Authenticated (Administrator+) SQL Injection in projects_list and total_projects]()

**Affected Software**: [Multiple Page Generator Plugin – MPG]()
**CVE ID**: CVE-2023-33927
**CVSS Score**: 7.2 (High)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WooCommerce Follow-Up Emails <= 4.9.50 – Authenticated (Follow-up emails manager+) SQL Injection]()

**Affected Software**: [woocommerce-follow-up-emails]()
**CVE ID**: CVE-2023-33330
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WooCommerce Product Vendors <= 2.1.76 – Authenticated (Vendor admin+) SQL Injection]()

**Affected Software**: [Product Vendors]()
**CVE ID**: CVE-2023-33331
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WooCommerce Warranty Requests <= 2.1.6 – Reflected Cross-Site Scripting]()

**Affected Software**: [woocommerce-warranty]()
**CVE ID**: CVE-2023-33317
**CVSS Score**: 7.1 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Improper Authorization to Arbitrary File Upload]()

**Affected Software**: [Go Pricing – WordPress Responsive Pricing Tables]()
**CVE ID**: CVE-2023-2496
**CVSS Score**: 7.1 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [User Activity Log <= 1.6.1 – Authenticated (Administrator+) SQL Injection via txtsearch]()

**Affected Software**: [User Activity Log]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.6 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WIP Custom Login <= 1.2.9 – Cross-Site Request Forgery via save_option]()

**Affected Software**: [WIP Custom Login]()
**CVE ID**: CVE-2023-33313
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [BEAR <= 1.1.3.1 – Cross-Site Request Forgery via Multiple Functions]()

**Affected Software**: [BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net]()
**CVE ID**: CVE-2023-33314
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Nguyen Xuan Chien]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_bulk_delete_product]()

**Affected Software**: [Shopping Cart & eCommerce Store]()
**CVE ID**: CVE-2023-2892
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_delete_product]()

**Affected Software**: [Shopping Cart & eCommerce Store]()
**CVE ID**: CVE-2023-2891
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()

**Affected Software**: [Go Pricing – WordPress Responsive Pricing Tables]()
**CVE ID**: CVE-2023-2498
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Google Map Shortcode <= 3.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode]()

**Affected Software**: [Google Map Shortcode]()
**CVE ID**: CVE-2023-2899
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Contact Form Entries <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via vx-entries shortcode]()

**Affected Software**: [Contact Form Entries – Contact Form 7, WPforms and more]()
**CVE ID**: CVE-2023-33311
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [SlideOnline <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting]()

**Affected Software**: [SlideOnline]()
**CVE ID**: CVE-2023-0489
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Yoast SEO: Local <= 14.9 – Authenticated (Contributor+) Stored Cross-Site Scripting]()

**Affected Software**: [Yoast SEO: Local]()
**CVE ID**: CVE-2023-28785
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Responsive Tabs For WPBakery Page Builder <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode]()

**Affected Software**: [Responsive Tabs For WPBakery Page Builder (formerly Visual Composer)]()
**CVE ID**: CVE-2023-0368
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Duplicator Pro <= 4.5.11 – Reflected Cross-Site Scripting]()

**Affected Software**: [Duplicator Pro]()
**CVE ID**: CVE-2023-33309
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [EventPrime <= 2.8.6 – Reflected Cross-Site Scripting]()

**Affected Software**: [EventPrime – Modern Events Calendar, Bookings and Tickets]()
**CVE ID**: CVE-2023-33326
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WooCommerce Follow-Up Emails <= 4.9.40 – Reflected Cross-Site Scripting]()

**Affected Software**: [woocommerce-follow-up-emails]()
**CVE ID**: CVE-2023-33319
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [This Day In History <= 3.10.1 – Reflected Cross-Site Scripting]()

**Affected Software**: [This Day In History]()
**CVE ID**: CVE-2023-34026
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Unpatched
**Vulnerability Details:**
