Last week, 42 vulnerabilities disclosed in 37 WordPress plugins and no WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 10 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook integration are completely free to access and use both personally and commercially, and why we are running this weekly vulnerability report.
Individuals and enterprises can use the Vulnerability Database API to receive a complete dump of our database of over 11,800 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 5 |
| Patched | 37 |

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 37 |
| High Severity | 5 |
| Critical Severity | 0 |

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 21 |
| Cross-Site Request Forgery (CSRF) | 8 |
| Missing Authorization | 6 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 2 |
| Improper Neutralization of Formula Elements in a CSV File | 1 |
| Information Exposure | 1 |
| Deserialization of Untrusted Data | 1 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |

| Researcher Name | Number of Vulnerabilities |
|---|---|
| Lana Codes (Wordfence Vulnerability Researcher) | 11 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 3 |
| Ivan Kuzymchak (Wordfence Vulnerability Researcher) | 3 |
| Do Xuan Trung | 1 |
| Skalucy | 1 |
| Zeyad Alshahrani | 1 |
| Etharus | 1 |
| JackYu | 1 |
| Malek Althubiany | 1 |
| Nguyen Xuan Chien | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
Software Name | Software Slug |
---|---|
Ad Inserter – Ad Manager & AdSense Ads | ad-inserter |
Anchor Episodes Index (Spotify for Podcasters) | anchor-episodes-index |
Astra Bulk Edit | astra-bulk-edit |
Brands for WooCommerce | brands-for-woocommerce |
Chat Button: WhatsApp, Facebook Messenger Chat, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget | bit-assist |
Checkfront Online Booking System | checkfront-wp-booking |
Comment Blacklist Updater | comment-blacklist-updater |
Comments – wpDiscuz | wpdiscuz |
Connect Matomo (WP-Matomo, WP-Piwik) | wp-piwik |
Contact Form by FormGet – Best Form Builder Plugin for WordPress | formget-contact-form |
Copy Anything to Clipboard | copy-the-code |
DoFollow Case by Case | dofollow-case-by-case |
Drag and Drop Multiple File Upload for WooCommerce | drag-and-drop-multiple-file-upload-for-woocommerce |
Easy Registration Forms | easy-registration-forms |
Inactive Logout | inactive-logout |
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free | funnelforms-free |
Leaflet Map | leaflet-map |
Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator | legal-pages |
Media Library Assistant | media-library-assistant |
Memberlite Shortcodes | memberlite-shortcodes |
Migration, Backup, Staging – WPvivid | wpvivid-backuprestore |
Payment gateway per Product for WooCommerce | woocommerce-product-payments |
Pop ups, WordPress Exit Intent Popup, Email Pop Up, Lightbox Pop Up, Spin the Wheel, Contact Form Builder – Poptin | poptin |
Pre-Publish Checklist | pre-publish-checklist |
School Management System – WPSchoolPress | wpschoolpress |
Simple Cloudflare Turnstile – CAPTCHA Alternative | simple-cloudflare-turnstile |
Statify – Extended Evaluation | extended-evaluation-for-statify |
Super Store Finder | superstorefinder-wp |
Table of Contents Plus | table-of-contents-plus |
WP Discord Invite | wp-discord-invite |
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce | wp-event-manager |
WP Mailto Links – Protect Email Addresses | wp-mailto-links |
Weaver Xtreme Theme Support | weaverx-theme-support |
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode | coming-soon |
Widget Responsive for Youtube | youtube-widget-responsive |
WordPress Charts | wp-charts |
iPanorama 360 – WordPress Virtual Tour Builder | ipanorama-360-virtual-tour-builder-lite |
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
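If you do not run the Wordfence scanner, the feed dump described earlier together with the plugin slugs in the table above is enough to answer the same question yourself: which installed plugins fall inside an affected version range. The script below is an added example written for this report, not Wordfence's own code or API client. The record layout it parses (fields such as `software`, `slug`, `affected_versions` with `from_version`/`to_version` and inclusive flags, `patched_versions`, `cvss`) is an assumption modelled on the Wordfence Intelligence JSON feed; the sample records embedded in it are constructed, with invented slugs, version ranges, IDs and scores, and are not the vulnerabilities listed in this report. The `INSTALLED` inventory is likewise constructed; on a real site you would fill it from `wp plugin list --format=json`.

```python
"""Match an installed-plugin inventory against a Wordfence-style vulnerability feed.

Added example, not Wordfence's own code. The record shape is an assumption
modelled on the Wordfence Intelligence JSON feed; the sample feed and the
installed inventory are constructed for this example.
"""
import json
import re
import sys

# Constructed sample feed: slugs, ranges, IDs and scores are invented and are NOT
# entries from this report. Shape (field names) assumed from the Wordfence feed.
SAMPLE_FEED_JSON = r"""
[
 {"id": "example-0001", "title": "Example Plugin <= 1.2.3 - Stored XSS",
  "cve": null, "cvss": {"score": 6.4, "rating": "Medium"},
  "software": [{"type": "plugin", "slug": "example-plugin", "patched": true, "patched_versions": ["1.2.4"],
   "affected_versions": {"* - 1.2.3": {"from_version": "*", "from_inclusive": true,
                                       "to_version": "1.2.3", "to_inclusive": true}}}]},
 {"id": "example-0002", "title": "Sample Forms (all versions) - Missing Authorization",
  "cve": "CVE-0000-0002", "cvss": {"score": 7.2, "rating": "High"},
  "software": [{"type": "plugin", "slug": "sample-forms", "patched": false, "patched_versions": [],
   "affected_versions": {"* - *": {"from_version": "*", "from_inclusive": true,
                                   "to_version": "*", "to_inclusive": true}}}]},
 {"id": "example-0003", "title": "Other Widget <= 3.4.9 - CSRF",
  "cve": "CVE-0000-0003", "cvss": {"score": 4.3, "rating": "Medium"},
  "software": [{"type": "plugin", "slug": "other-widget", "patched": true, "patched_versions": ["3.5"],
   "affected_versions": {"* - 3.4.9": {"from_version": "*", "from_inclusive": true,
                                       "to_version": "3.4.9", "to_inclusive": true}}}]},
 {"id": "example-0004", "title": "Example Plugin 1.0.0 - 1.2.2 - SQL Injection",
  "cve": "CVE-0000-0004", "cvss": {"score": 8.8, "rating": "High"},
  "software": [{"type": "plugin", "slug": "example-plugin", "patched": true, "patched_versions": ["1.2.3"],
   "affected_versions": {"1.0.0 - <1.2.3": {"from_version": "1.0.0", "from_inclusive": true,
                                            "to_version": "1.2.3", "to_inclusive": false}}}]}
]
"""

# Constructed inventory: slug -> installed version (real sites: `wp plugin list --format=json`).
INSTALLED = {"example-plugin": "1.2.3", "sample-forms": "2.0.1", "other-widget": "3.5", "unrelated": "0.9"}


def version_key(version):
    """Comparable key for dotted plugin versions: numeric parts compare as integers
    (so 1.10 > 1.9) and trailing zeros are dropped (so 1.2.0 == 1.2). Pre-release
    suffixes such as 1.2.3-beta are a simplification: they sort after the bare release."""
    parts = re.split(r"[.\-]", version.strip())
    key = [(0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts]
    while len(key) > 1 and key[-1] == (0, 0):
        key.pop()
    return key


def in_range(version, rng):
    """True if `version` lies inside one affected_versions entry; "*" means unbounded."""
    v = version_key(version)
    lo, hi = rng.get("from_version", "*"), rng.get("to_version", "*")
    if lo != "*":
        lk = version_key(lo)
        if v < lk or (v == lk and not rng.get("from_inclusive", True)):
            return False
    if hi != "*":
        hk = version_key(hi)
        if v > hk or (v == hk and not rng.get("to_inclusive", True)):
            return False
    return True


def load_feed(text):
    return json.loads(text)


def find_affected(installed, feed):
    """Return matches sorted by CVSS score, highest first, with patch information."""
    hits = []
    for vuln in feed:
        for sw in vuln.get("software", []):
            if sw.get("type") != "plugin":
                continue
            slug = sw.get("slug")
            ver = installed.get(slug)
            if ver is None:
                continue
            if any(in_range(ver, r) for r in sw.get("affected_versions", {}).values()):
                hits.append({"slug": slug, "installed": ver, "id": vuln.get("id"),
                             "cve": vuln.get("cve") or "CVE Unknown",
                             "score": (vuln.get("cvss") or {}).get("score", 0.0),
                             "patched": bool(sw.get("patched")),
                             "patched_versions": sw.get("patched_versions") or [],
                             "title": vuln.get("title")})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


def report(hits):
    """One line per hit. An unpatched hit has no update to apply, so flag it separately."""
    lines = []
    for h in hits:
        fix = ("update to " + ", ".join(h["patched_versions"])) if h["patched"] else "NO FIX YET - consider deactivating"
        lines.append(f"{h['score']:>4}  {h['slug']} {h['installed']}  {h['cve']}  {h['title']}  -> {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_plugins.py [feed.json]; without an argument the embedded sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_FEED_JSON
    print(report(find_affected(INSTALLED, load_feed(text))) or "no affected plugins")
```

The exclusive upper bound in the fourth sample record is the case that most often goes wrong in home-grown checkers: a range that ends at the patched version must not report that version as affected. Unpatched entries carry `"*"` as the upper bound, so every installed version matches until the vendor ships a fix.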
| Affected Software | CVE ID | CVSS Score | Researcher/s | Patch Status | Vulnerability Details |
|---|---|---|---|---|---|
| Comments – wpDiscuz | CVE Unknown | 8.8 (High) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/9dd1e52c-83b7-4b3e-a791-a2c0ccd856bc |
| Migration, Backup, Staging – WPvivid | CVE-2023-4274 | 8.7 (High) | Ivan Kuzymchak | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/5d94f38f-4b52-4b0d-800c-a6fca40bda3c |
| iPanorama 360 – WordPress Virtual Tour Builder | CVE Unknown | 7.2 (High) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/00687370-8374-44cc-8fd1-53b462acd061 |
| Weaver Xtreme Theme Support | CVE-2023-4971 | 7.2 (High) | Do Xuan Trung | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/572689c6-d7d6-46c3-9e96-b9185337e8ce |
| Drag and Drop Multiple File Upload for WooCommerce | CVE-2023-4821 | 7.2 (High) | Zeyad Alshahrani | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/abc8ee11-c149-4a2b-a388-7bd234c2cc64 |
| Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free | CVE-2023-4950 | 6.5 (Medium) | Malek Althubiany | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/ebcbf872-1420-4a57-a4b4-8a52ba74e0a1 |
| WordPress Charts | CVE-2023-5062 | 6.4 (Medium) | Lana Codes | Unpatched | https://wordfence.com/threat-intel/vulnerabilities/id/2de2d2c5-1373-45b6-93a0-575713226669 |
| Leaflet Map | CVE-2023-5050 | 6.4 (Medium) | Lana Codes | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/3084c9ab-00aa-4b8e-aa46-bd70b335ec77 |
| Widget Responsive for Youtube | CVE-2023-5063 | 6.4 (Medium) | Lana Codes | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/72daa533-8b17-420c-9b51-b5f72da2726c |
| Pop ups, WordPress Exit Intent Popup, Email Pop Up, Lightbox Pop Up, Spin the Wheel, Contact Form Builder – Poptin | CVE-2023-4961 | 6.4 (Medium) | Lana Codes | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/778af777-4c98-45cd-9704-1bdc96054aa7 |
| Simple Cloudflare Turnstile – CAPTCHA Alternative | CVE-2023-5135 | 6.4 (Medium) | Lana Codes | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/91f6c9d3-641d-42f7-bf11-e3c3a44eeb76 |
| Memberlite Shortcodes | CVE Unknown | 6.4 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/935054c3-8541-4ff3-a035-7ee8afe53f72 |
| Anchor Episodes Index (Spotify for Podcasters) | CVE Unknown | 6.4 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/96defcb7-6af1-4fb8-9fa0-231c6776bbc1 |
| Media Library Assistant | CVE-2023-4716 | 6.4 (Medium) | Lana Codes | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/c5f6ae5d-7854-44c7-9fb8-efaa6e850d59 |
| Copy Anything to Clipboard | CVE-2023-5086 | 6.4 (Medium) | Lana Codes | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/e834a211-ccc8-4a30-a15d-879ba34184e9 |
| WP Mailto Links – Protect Email Addresses | CVE-2023-5109 | 6.4 (Medium) | Lana Codes | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/ec882062-0059-47ca-a007-3347e7adb70b |
| Connect Matomo (WP-Matomo, WP-Piwik) | CVE-2023-4774 | 6.4 (Medium) | Lana Codes | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/faa4f041-4740-4ebb-afb3-10019ce571be |
| Contact Form by FormGet – Best Form Builder Plugin for WordPress | CVE-2023-5125 | 6.4 (Medium) | Lana Codes | Unpatched | https://wordfence.com/threat-intel/vulnerabilities/id/fdd73289-f292-4903-951e-6a89049d39a7 |
| School Management System – WPSchoolPress | CVE Unknown | 6.3 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/1a2fb050-1a7c-45cc-86c7-02331d47f780 |
| Payment gateway per Product for WooCommerce | CVE Unknown | 6.1 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/597786ce-58eb-4e96-a80e-bad3e75787fa |
| WP Discord Invite | CVE Unknown | 6.1 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/a961d30e-f2cb-458d-8f1a-18f6e769efbc |
| Super Store Finder | CVE-2023-5054 | 5.8 (Medium) | Etharus | Unpatched | https://wordfence.com/threat-intel/vulnerabilities/id/d31d0553-9378-4c7e-a258-12562aa6b388 |
| Statify – Extended Evaluation | CVE Unknown | 5.5 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/35027df9-ae55-453f-bb42-4b2664d66293 |
| Comment Blacklist Updater | CVE Unknown | 5.4 (Medium) | Nguyen Xuan Chien | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/fc7bab78-4ebb-4be9-8891-1ac0e3ed0af3 |
| Ad Inserter – Ad Manager & AdSense Ads | CVE-2023-4645 | 5.3 (Medium) | Marco Wotschka | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/57b3eef3-e165-45ac-89d7-2a2a6529b310 |
| Pre-Publish Checklist | CVE Unknown | 5.3 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/8e00a06c-9623-48e0-b212-20a2f1e7e640 |
| Inactive Logout | CVE Unknown | 5.3 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/c583ef34-ddec-4d6c-9685-ef4bce5e785e |
| Ad Inserter – Ad Manager & AdSense Ads | CVE-2023-4668 | 5.3 (Medium) | Marco Wotschka | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/ce457c98-c55b-4b71-a80b-393eceb9effd |
| Table of Contents Plus | CVE Unknown | 4.4 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/05206a31-033e-49b9-9b66-5a6165782643 |
| Migration, Backup, Staging – WPvivid | CVE-2023-5120 | 4.4 (Medium) | Ivan Kuzymchak | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/320f4260-20c2-4f27-91ba-d2488b417f62 |
| Chat Button: WhatsApp, Facebook Messenger Chat, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget | CVE Unknown | 4.4 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/77a923d5-b73e-45cf-9617-09b4d5c8bb5a |
| Migration, Backup, Staging – WPvivid | CVE-2023-5121 | 4.4 (Medium) | Ivan Kuzymchak | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/cdcac5f9-a744-4853-8a80-ed38fec81dbb |
| WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce | CVE-2023-4423 | 4.4 (Medium) | JackYu | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/dd9d22b0-a84a-4bf2-b8b4-89bae2970f29 |
| Astra Bulk Edit | CVE Unknown | 4.3 (Medium) | Unknown | Unpatched | https://wordfence.com/threat-intel/vulnerabilities/id/2548d5b0-1f1a-4847-a5ea-e3bb6f7a5013 |
| Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode | CVE-2023-4975 | 4.3 (Medium) | Marco Wotschka | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/2cb5370f-14aa-445d-bda3-62a0dd068fc5 |
| Easy Registration Forms | CVE-2023-5134 | 4.3 (Medium) | Lana Codes | Unpatched | https://wordfence.com/threat-intel/vulnerabilities/id/562fe11f-36a0-4f23-9eed-50ada7ab2961 |
| DoFollow Case by Case | CVE Unknown | 4.3 (Medium) | Skalucy | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/60c63be2-dd17-4224-ba96-ba30ed0b25ce |
| Brands for WooCommerce | CVE Unknown | 4.3 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/996dc1d7-12f8-467d-bf48-a7a82f1c0a41 |
| Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator | CVE Unknown | 4.3 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/b3f87bd6-b432-4bf8-9046-8d66b45f6a85 |
| Inactive Logout | CVE Unknown | 4.3 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/d9189eb3-be7f-42e1-92cc-b48af5615eb9 |
| Brands for WooCommerce | CVE Unknown | 4.3 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/f7afbe2b-72a8-40da-bc94-ff2a1b9569b4 |
| Checkfront Online Booking System | CVE Unknown | 4.3 (Medium) | Unknown | Patched | https://wordfence.com/threat-intel/vulnerabilities/id/fc5a8506-b191-4ab3-9c59-4f1150be6a38 |

As a reminder, Wordfence curates an industry-leading database of all known WordPress core, theme, and plugin vulnerabilities, called Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 18, 2023 to September 24, 2023) appeared first on Wordfence.