Wordfence Intelligence CE Weekly Vulnerability Report (1-30-2023 to 2-5-2023)

In case you missed it, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme and, plugin vulnerabilities known as Wordfence Intelligence Community Edition.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Our mission with Wordfence Intelligence Community Edition is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence Community Edition user interface and vulnerability API are completely free to access and utilize both personally and commercially.

Last week, there were 69 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below.

EZP Coming Soon Page <= 1.0.7.3 – Authenticated (Admin+) Stored Cross Site Scripting

Metform Elementor Contact Form Builder <= 3.1.2 – Unauthenticated Stored Cross-Site Scripting

IP Vault – WP Firewall <= 1.1 – Authenticated (Admin+) Stored Cross-Site Scripting

Gallery – Image and Video Gallery with Thumbnails <= 2.0.1 – Unauthenticated Stored Cross-Site Scripting

Magazine Edge <= 1.13 – Authenticated (Subscriber+) Arbitrary Plugin Activation

EmbedSocial – Social Media Feeds, Reviews and Galleries = 1.1.27 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Galleries by Angie Makes <= 1.67 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

WP Dark Mode <= 3.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

WP Private Message < 1.0.6 – Insecure Direct Object Reference

Custom Add User <= 2.0.2 – Reflected Cross-Site Scripting

Image Hover Effects Plugin – Caption Hover with Carousel <= 2.8 – Unauthenticated Stored Cross Site Scripting

Interactive Geo Maps <= 1.5.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Flexible Elementor Panel <= 2.3.8 – Cross Site Request Forgery

RankMath SEO <= 1.0.107.2 – Authenticated (Contributor+) Local File Inclusion

GS Books Showcase <= 1.3.0 – Authenticator (Contributor+) Stored Cross-Site Scripting via Shortcode

WP Tabs <= 2.1.14 – Cross Site Request Forgery

Marketing Performance <= 2.0.0 – Unauthenticated Stored Cross Site Scripting

Multi-column Tag Map <= 17.0.24 – Authenticated (Contributor+) Stored Cross Site Scripting

WP htpasswd <= 1.7 – Authenticated (Admin+) Stored Cross Site Scripting

WP Email Capture <= 3.9.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Album and Image Gallery plus Lightbox <= 1.6.2 – Missing Authorization

WebinarIgnition <= 2.14.2 – Authenticated (Admin+) Stored Cross-Site Scripting

Namaste! LMS <= 2.5.9.3 – Authenticated (Admin+) Stored Cross-Site Scripting

WP Booking System <= 2.0.18 – Authenticated (Admin+) Stored Cross Site Scripting

Beautiful Cookie Consent Banner <= 2.10.0 – Unauthenticated Stored Cross-Site Scripting

User Activity <= 1.0.1 – IP Address Spoofing

Ocean Extra <= 2.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

1003 Mortgage Application <= 1.73 – Unauthenticated CSV Injection

Side Cart Woocommerce (Ajax) <= 2.1 – Cross-Site Request Forgery

Correos Oficial <= 1.3.0.0 – Unauthenticated Arbitrary File Download

Cost Calculator <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

WP Statistics <= 13.2.10 – Authenticated (Subscriber+) SQL Injection

Posts and Users Stats <= 1.1.3 – Authenticated (Subscriber+) CSV Injection

Wufoo Shortcode <= 1.51 – Authenticated (Contributor+) Cross-Site Scripting via Shortcodes

GS Insever Portfolio <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

BackupBuddy <= 8.8.2 – Reflected Cross-Site Scripting

Print Invoice & Delivery Notes for WooCommerce <= 4.7.1 – Reflected Cross-Site Scripting

Watu Quiz <= 3.3.8 – Authenticated (Admin+) Stored Cross-Site Scripting

GeoDirectory <= 2.2.23 – Authenticated (Admin+) SQL Injection

Simple History <= 3.3.1 – Authenticated (Subscriber+) CSV Injection

Real Media Library: Media Library Folder & File Manager <= 4.18.28 – Authenticated (Author+) Stored Cross-Site Scripting

Usersnap <= 4.16 – Authenticated (Admin+) Stored Cross Site Scripting

EmbedStories <= 0.7.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

PHP Execution <= 1.0.0 – Cross Site Request Forgery

ShortPixel Adaptive Images <= 3.6.1 – Reflected Cross-Site Scripting

Beautiful Cookie Consent Banner <= 2.10.0 – Missing Authorization to Settings Update

Real Media Library: Media Library Folder & File Manager <= 4.18.28 – Authenticated (Author+) Stored Cross-Site Scripting

Formidable Form Builder <= 5.5.6 – Cross-Site Request Forgery

Robo Gallery Plugin <= 3.2.11 – Cross-Site Request Forgery

VK All in One Expansion Unit <= 9.85.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

We’re Open! <= 1.45 – Cross-Site Request Forgery

Opening Hours <= 2.3.0 – Authenticated (Admin+) Stored Cross-Site Scripting

Multi Rating <= 5.0.5 – Cross Site Request Forgery

Podlove Podcast Publisher <= 3.8.2 – Authenticated (Admin+) Stored Cross-Site Scripting

1003 Mortgage Application <= 1.73 – Authenticated (Subscriber+) Arbitrary File Download

Donation Block For PayPal <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Easy Digital Downloads <= 3.1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

PrivateContent <= 8.4.3 – Protection Mechanism Bypass

0mk Shortener <= 0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Jobs for WordPress <= 2.5.10.2 – Authenticated (Author+) Cross Site Scripting

Arigato Autoresponder and Newsletter <= 2.1.7.1 – Authenticated (Admin+) Stored Cross-Site Scripting

GS Filterable Portfolio <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

GS Portfolio for Envato <= 1.3.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Kraken.io Image Optimizer <= 2.6.8 – Missing Authorization to Authenticated (Subscriber+) Plugin Options Update

CC Custom Taxonomy <= 1.0.1 – Authenticated (Administrator+) Cross Site Scripting

Commenter Emails <= 2.6.1 – Unauthenticated CSV Injection

Similar Posts – Best Related Posts Plugin for WordPress <= 3.1.6 – Authenticated (Admin+) Stored Cross-Site Scripting

GS Products Slider for WooCommerce <= 1.5.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Auto YouTube Importer <= 1.0.3 – Cross-Site Request Forgery

If you’d like to receive this weekly vulnerability report by email, along with Wordfence Intelligence CE product updates, sign up to the Wordfence Intelligence Community Edition Newsletter by filling out this form below.

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence Community Edition leaderboard along with being mentioned in our weekly vulnerability report.

The post Wordfence Intelligence CE Weekly Vulnerability Report (1-30-2023 to 2-5-2023) appeared first on Wordfence.