_**Note**: We accidentally sent out an email for this report with last week's subject line. Due to the subject line not being very different week to week for this report, we opted to just leave it as is and not send a follow-up email. We apologize for this error on our part!_
Last week, there were 69 vulnerabilities disclosed in 68 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
_[Click here to sign up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._
* * *
### New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our [Premium](), [Care](), and [Response]() customers last week:
* WAF-RULE-618 – Information redacted while we work with the developer to ensure this gets patched.
Wordfence [Premium](), [Care](), and [Response]() customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
* * *
### Total Unpatched & Patched Vulnerabilities Last Week
**Patch Status** | **Number of Vulnerabilities**
---|---
Unpatched | 16
Patched | 53
* * *
### Total Vulnerabilities by CVSS Severity Last Week
**Severity Rating** | **Number of Vulnerabilities**
---|---
Low Severity | 0
Medium Severity | 52
High Severity | 17
Critical Severity | 0
* * *
### Total Vulnerabilities by CWE Type Last Week
**Vulnerability Type by CWE** | **Number of Vulnerabilities**
---|---
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 25
Cross-Site Request Forgery (CSRF) | 14
Missing Authorization | 14
Server-Side Request Forgery (SSRF) | 3
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3
Information Exposure | 3
Authorization Bypass Through User-Controlled Key | 2
Unprotected Storage of Credentials | 1
Incorrect Authorization | 1
Use of Less Trusted Source | 1
URL Redirection to Untrusted Site (‘Open Redirect’) | 1
Incorrect Privilege Assignment | 1
* * *
### Researchers That Contributed to WordPress Security Last Week
**Researcher Name** | **Number of Vulnerabilities**
---|---
[Rafie Muhammad]() | 8
[Mika]() | 6
[Lana Codes]() (Wordfence Vulnerability Researcher) | 5
[LEE SE HYOUNG]() | 3
[Erwan LR]() | 3
[Phd]() | 3
[Alex Thomas]() (Wordfence Vulnerability Researcher) | 3
[Abdi Pranata]() | 3
[Yuki Haruma]() | 2
[emad]() | 2
[Nguyen Xuan Chien]() | 2
[Le Hong Minh]() | 2
[Dave Jong]() | 2
[Andreas Damen]() | 1
[yuyudhn]() | 1
[Fariq Fadillah Gusti Insani]() | 1
[Nithissh S]() | 1
[Ullash Raj]() | 1
[Emili Castells]() | 1
[Rafshanzani Suhada]() | 1
[Bob Matyas]() | 1
[Ravi Dharmawan]() | 1
[Paul Goodchild]() | 1
[Skalucy]() | 1
[Cat]() | 1
[WPScanTeam]() | 1
[Kindaichi Hiro]() | 1
[Shreya Pohekar]() | 1
[Rio Darmawan]() | 1
_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence leaderboard]() along with being mentioned in our weekly vulnerability report.
* * *
### WordPress Plugins with Reported Vulnerabilities Last Week
**Software Name** | **Software Slug**
---|---
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | [armember-membership]()
All-In-One Security (AIOS) – Security and Firewall | [all-in-one-wp-security-and-firewall]()
Art Direction | [art-direction]()
Authors List | [authors-list]()
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin | [bookingpress-appointment-booking]()
BuddyPress Builder for Elementor – BuddyBuilder | [stax-buddy-builder]()
Buy Me a Coffee – Button and Widget Plugin | [buymeacoffee]()
Checkout with Zelle on Woocommerce | [wc-zelle]()
Coming Soon Chop Chop | [cc-coming-soon]()
Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms | [fluentform]()
Custom Field For WP Job Manager | [custom-field-for-wp-job-manager]()
Custom Fields for WooCommerce | [addify-custom-fields-for-woocommerce]()
Custom Registration Forms Builder for WooCommerce | [addify-custom-registration-forms-builder]()
DirectoryPress – Business Directory And Classified Ad Listing | [directorypress]()
Dovetail | [dovetail]()
Drag & Drop Sales Funnel Builder for WordPress – WPFunnels | [wpfunnels]()
Export and Import Users and Customers | [users-customers-import-export-for-wp-woocommerce]()
Falang multilanguage for WordPress | [falang]()
Forminator – Contact Form, Payment Form & Custom Form Builder | [forminator]()
Grid Kit Premium | [grid-kit-premium]()
HTTP Headers | [http-headers]()
IP2Location Country Blocker | [ip2location-country-blocker]()
Image Watermark for WooCommerce | [addify-image-watermark-for-woocommerce]()
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site | [integrate-google-drive]()
Integration for Contact Form 7 and Salesforce | [cf7-salesforce]()
JetFormBuilder – Dynamic Blocks Form Builder | [jetformbuilder]()
KB Support – WordPress Help Desk | [kb-support]()
MF Gig Calendar | [mf-gig-calendar]()
Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking | [mail-control]()
MailArchiver | [mailarchiver]()
Media Library Assistant | [media-library-assistant]()
OptiMonk: Popups, Personalization & A/B Testing | [exit-intent-popups-by-optimonk]()
POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress | [post-smtp]()
Premium Addons Pro for Elementor | [premium-addons-pro]()
Price Calculator for WooCommerce | [addify-price-calculator-for-woocommerce]()
Product Dynamic Pricing and Discounts for WooCommerce | [addify-product-dynamic-pricing-and-discounts]()
Radio Forge Muses Player with Skins | [radio-forge]()
Replace Word | [replace-word]()
School Management System – WPSchoolPress | [wpschoolpress]()
Short URL | [shorten-url]()
Shortcode IMDB | [shortcode-imdb]()
Social Media Icons Widget | [spoontalk-social-media-icons-widget]()
Social Share, Social Login and Social Comments Plugin – Super Socializer | [super-socializer]()
Spectra – WordPress Gutenberg Blocks | [ultimate-addons-for-gutenberg]()
Terms descriptions | [terms-descriptions]()
Twittee Text Tweet | [twittee-text-tweet]()
User Activity Log | [user-activity-log]()
Variation Images Gallery for WooCommerce | [woo-product-variation-gallery]()
Variation Swatches for WooCommerce | [woo-product-variation-swatches]()
WP Default Feature Image | [wp-default-feature-image]()
WP Social AutoConnect | [wp-fb-autoconnect]()
WP Testimonials | [testimonial-widgets]()
WPAdmin AWS CDN | [aws-cdn-by-wpadmin]()
WooCommerce Abandoned Cart Recovery | [addify-abandoned-cart-recovery]()
WooCommerce Advanced Free Gifts | [addify-free-gifts-woocommerce]()
WooCommerce Checkout Field Manager | [addify-checkout-fields-manager]()
WooCommerce Custom Order Number | [addify-custom-order-number]()
WooCommerce Gift Registry | [addify-gift-registry-for-woocommerce]()
WooCommerce GoCardless Gateway | [woocommerce-gateway-gocardless]()
WooCommerce Order Approval | [addify-order-approval-woocommerce]()
WooCommerce Order Tracking | [addify-order-tracking-for-woocommerce]()
WooCommerce Pre-Orders | [woocommerce-pre-orders]()
WooCommerce Product Labels and Stickets | [addify-product-labels-and-stickers]()
WooCommerce Product Stock Alert | [woocommerce-product-stock-alert]()
WooCommerce Ship to Multiple Addresses | [woocommerce-shipping-multiple-addresses]()
WooCommerce Warranty Requests | [woocommerce-warranty]()
Zippy | [zippy]()
cartflows-pro | [cartflows-pro]()
* * *
### WordPress Themes with Reported Vulnerabilities Last Week
**Software Name** | **Software Slug**
---|---
RealHomes | [realhomes]()
* * *
### Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should've already been notified if your site was affected by any of these vulnerabilities.
#### [JetFormBuilder <= 3.0.8 – Authenticated (Author+) Privilege Escalation]()
**Affected Software**: [JetFormBuilder – Dynamic Blocks Form Builder]()
**CVE ID**: CVE-2023-37866
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Spectra <= 2.6.6 – Authenticated (Contributor+) Server-Side Request Forgery in import_wpforms]()
**Affected Software**: [Spectra – WordPress Gutenberg Blocks]()
**CVE ID**: CVE-2023-36679
**CVSS Score**: 8.5 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [User Activity Log <= 1.6.2 – Unauthenticated SQL Injection via username]()
**Affected Software**: [User Activity Log]()
**CVE ID**: CVE Unknown
**CVSS Score**: 8.1 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Checkout with Zelle on Woocommerce <= 3.1 – Missing Authorization]()
**Affected Software**: [Checkout with Zelle on Woocommerce]()
**CVE ID**: CVE-2023-37969
**CVSS Score**: 7.3 (High)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Integrate Google Drive <= 1.1.99 – Missing Authorization via REST API Endpoints]()
**Affected Software**: [Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site]()
**CVE ID**: CVE-2023-32117
**CVSS Score**: 7.3 (High)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Buy Me a Coffee – Button and Widget Plugin <= 3.7 – Missing Authorization]()
**Affected Software**: [Buy Me a Coffee – Button and Widget Plugin]()
**CVE ID**: CVE-2023-2078
**CVSS Score**: 7.3 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [RealHomes <= 4.0.2 – Missing Authorization]()
**Affected Software**: [RealHomes]()
**CVE ID**: CVE-2023-37885
**CVSS Score**: 7.3 (High)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [DirectoryPress <= 3.6.2 – Missing Authorization]()
**Affected Software**: [DirectoryPress – Business Directory And Classified Ad Listing]()
**CVE ID**: CVE-2023-37967
**CVSS Score**: 7.3 (High)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Export and Import Users and Customers <= 2.4.1 – Missing Authorization to Authenticated (Shop Manager) Arbitrary User Password Change]()
**Affected Software**: [Export and Import Users and Customers]()
**CVE ID**: CVE-2023-3459
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [User Activity Log <= 1.6.2 – Authenticated (Administrator+) SQL Injection]()
**Affected Software**: [User Activity Log]()
**CVE ID**: CVE-2023-37966
**CVSS Score**: 7.2 (High)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Post SMTP <= 2.5.7 – Unauthenticated Stored Cross-Site Scripting via Email]()
**Affected Software**: [POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress]()
**CVE ID**: CVE-2023-3082
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Mail Control <= 0.2.8 – Unauthenticated Stored Cross-Site Scripting via Email Subject]()
**Affected Software**: [Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking]()
**CVE ID**: CVE-2023-3158
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [FluentForm <= 4.3.25 – Authenticated (Administrator+) SQL Injection]()
**Affected Software**: [Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms]()
**CVE ID**: CVE-2023-24410
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Ravi Dharmawan]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Radio Forge Muses Player with Skins <= 2.5 – Reflected Cross-Site Scripting]()
**Affected Software**: [Radio Forge Muses Player with Skins]()
**CVE ID**: CVE-2023-37976
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Le Hong Minh]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [MailArchiver <= 2.10.1 – Unauthenticated Stored Cross-Site Scripting via Email Subject]()
**Affected Software**: [MailArchiver]()
**CVE ID**: CVE-2023-3136
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Buy Me a Coffee – Button and Widget Plugin <= 3.7 – Cross-Site Request Forgery]()
**Affected Software**: [Buy Me a Coffee – Button and Widget Plugin]()
**CVE ID**: CVE-2023-2079
**CVSS Score**: 7.1 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Integration for Contact Form 7 and Salesforce <= 1.3.3 – Open Redirect]()
**Affected Software**: [Integration for Contact Form 7 and Salesforce]()
**CVE ID**: CVE-2023-37982
**CVSS Score**: 7.1 (High)
**Researcher/s**: [Le Hong Minh]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Zippy <= 1.6.2 – Missing Authorization via adminInit]()
**Affected Software**: [Zippy]()
**CVE ID**: CVE-2023-34381
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Emili Castells]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Download IP2Location Country Blocker <= 2.29.1 – Bypass via IP Spoofing]()
**Affected Software**: [IP2Location Country Blocker]()
**CVE ID**: CVE-2023-37865
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WooCommerce GoCardless Gateway <= 2.5.6 – Unauthenticated Insecure Direct Object Reference]()
**Affected Software**: [WooCommerce GoCardless Gateway]()
**CVE ID**: CVE-2023-37871
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Art Direction <= 0.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting]()
**Affected Software**: [Art Direction]()
**CVE ID**: CVE-2023-37983
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Yuki Haruma]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Super Socializer <= 7.13.53 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**Affected Software**: [Social Share, Social Login and Social Comments Plugin – Super Socializer]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [MF Gig Calendar <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via event_title and event_time]()
**Affected Software**: [MF Gig Calendar]()
**CVE ID**: CVE-2023-37970
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Spectra <= 2.6.6 – Authenticated (Contributor+) Server-Side Request Forgery in template_importer]()
**Affected Software**: [Spectra – WordPress Gutenberg Blocks]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Buy Me a Coffee – Button and Widget Plugin <= 3.6 – Authenticated (Subscriber+) Stored Cross-Site Scripting]()
**Affected Software**: [Buy Me a Coffee – Button and Widget Plugin]()
**CVE ID**: CVE-2023-2082
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WooCommerce Warranty Requests <= 2.1.9 – Missing Authorization]()
**Affected Software**: [WooCommerce Warranty Requests]()
**CVE ID**: CVE-2023-37870
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WooCommerce Ship to Multiple Addresses <= 3.8.5 – Missing Authorization]()
**Affected Software**: [WooCommerce Ship to Multiple Addresses]()
**CVE ID**: CVE-2023-37872
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [RealHomes <= 4.0.2 – Missing Authorization]()
**Affected Software**: [RealHomes]()
**CVE ID**: CVE-2023-37886
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Forminator <= 1.24.1 – Reflected Cross-Site Scripting]()
**Affected Software**: [Forminator – Contact Form, Payment Form & Custom Form Builder]()
**CVE ID**: CVE-2023-3134
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Andreas Damen]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Shortcode IMDB <= 6.0.8 – Cross-Site Request Forgery]()
**Affected Software**: [Shortcode IMDB]()
**CVE ID**: CVE-2023-37892
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Authors List <= 2.0.2 – Reflected Cross-Site Scripting via al_id]()
**Affected Software**: [Authors List]()
**CVE ID**: CVE-2023-37981
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Grid Kit Premium < 2.2.0 – Reflected Cross-Site Scripting]()
**Affected Software**: [Grid Kit Premium]()
**CVE ID**: CVE-2023-3292
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WPFunnels <= 2.7.16 – Reflected Cross-Site Scripting]()
**Affected Software**: [Drag & Drop Sales Funnel Builder for WordPress – WPFunnels]()
**CVE ID**: CVE-2023-37977
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Media Library Assistant <= 3.07 – Reflected Cross-Site Scripting]()
**Affected Software**: [Media Library Assistant]()
**CVE ID**: CVE-2023-34010
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Phd]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Variation Swatches for WooCommerce <= 2.3.7 – Reflected Cross-Site Scripting]()
**Affected Software**: [Variation Swatches for WooCommerce]()
**CVE ID**: CVE-2023-37975
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Phd]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [CartFlows Pro <= 1.11.11 – Reflected Cross-Site Scripting]()
**Affected Software**: [cartflows-pro]()
**CVE ID**: CVE-2023-36686
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Coming Soon Chop Chop <= 2.2.4 – Reflected Cross-Site Scripting]()
**Affected Software**: [Coming Soon Chop Chop]()
**CVE ID**: CVE-2023-37893
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Phd]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Variation Images Gallery for WooCommerce <= 2.3.3 – Reflected Cross-Site Scripting via style]()
**Affected Software**: [Variation Images Gallery for WooCommerce]()
**CVE ID**: CVE-2023-37894
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Nguyen Xuan Chien]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Terms Descriptions <= 3.4.4 – Reflected Cross-Site Scripting via term_search]()
**Affected Software**: [Terms descriptions]()
**CVE ID**: CVE-2023-28779
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Kindaichi Hiro]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Twittee Text Tweet <= 1.0.8 – Reflected Cross-Site Scripting]()
**Affected Software**: [Twittee Text Tweet]()
**CVE ID**: CVE-2023-0602
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Shreya Pohekar]()
**Patch Status**: Unpatched
**Vulnerability Details:**