Wordfence Intelligence CE Weekly WordPress Vulnerability Report (Feb 20, 2023 to Feb 26, 2023)

Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence Community Edition.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Our mission with Wordfence Intelligence Community Edition is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence Community Edition user interface and vulnerability API are completely free to access and utilize both personally and commercially.

Last week, there were 136 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database, and there were 33 Vulnerability Researchers that contributed to WordPress Security last week. You can find those vulnerabilities below along with some data about the vulnerabilities that were added.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Vulnerability Details

Zendrop – Global Dropshipping <= 1.0.0 – SQL Injection in setMetaData

Houzez Login Register <= 2.6.3 – Privilege Escalation

Zendrop – Global Dropshipping <= 1.0.0 – Arbitrary File Upload

Live Streaming – Broadcast Live Video <= 5.5.15 – Missing Authorization to Unauthenticated Remote Code Execution

PayGreen – Ancienne version <= 4.10.2 – Cross-Site Request Forgery

BuddyForms <= 2.7.7 – PHAR Deserialization

Paytm Payment Gateway <= 2.7.3 – Authenticated (Editor+) SQL Injection via ‘post’

Drag and Drop Multiple File Upload for WooCommerce <= 1.0.8 – Cross-Site Request Forgery in upload and delete_file

Booking Ultra Pro <= 1.1.4 – Cross-Site Request Forgery

WP Meta SEO <= 4.5.2 – Authenticated (Subscriber+) SQL Injection

Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.6.5 – Cross-Site Request Forgery in dnd_upload_cf7_upload and dnd_codedropz_upload_delete

Custom Content Shortcode <= 4.0.2 – Authenticated (Contributor+) Local File Inclusion via Shortcode

Slimstat Analytics <= 4.9.3.2 – Authenticated (Subscriber+) SQL Injection via Shortcode

simple-git < 3.16.0 – Remote Code Execution

GMAce <= 1.5.2 – Cross-Site Request Forgery via gmace_manager_client

Community by PeepSo <= 6.0.2.0 – Cross-Site Request Forgery leading to Plugin/Subscription Deletion

Video Gallery – YouTube Gallery <= 1.7.6 – Missing Authorization

Real Estate 7 Theme <= 3.3.1 – Stored Cross-Site Scripting

10Web Booster – Website speed optimization, Cache & Page Speed optimizer <= 2.13.44 – Missing Authorization in Settings Import to Stored Cross-Site Scripting

ProfilePress <= 4.5.4 – Unauthenticated Stored Cross-Site Scripting

WP Meta SEO <= 4.5.2 – Missing Authorization in ‘startProcess’

All In One Favicon <= 4.7 – Authenticated(Admin+) Directory Traversal

WP OAuth Server <= 4.2.3 – Cross-Site Request Forgery to Arbitrary Post Deletion (wo_ajax_remove_client)

All in One SEO Pack <= 4.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

Sp*tify Play Button for WordPress <= 2.05 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Simple YouTube Responsive <= 2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

ProfilePress <= 4.5.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

JS Job Manager <= 2.0.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting via title

GoToWP <= 5.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Hero Banner Ultimate <= 1.3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

wpDataTables <= 2.1.49 – Authenticated (Contributor+) Stored Cross Site Scripting

Custom Content Shortcode <= 4.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Companion Sitemap Generator <= 4.5.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Strong Testimonials <= 3.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

Ditty <= 3.0.32 – Authenticated (Contributor+) Stored Cross-Scripting via Shortcode

Gutenberge Blocks <= 2.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

Multiple Page Generator Plugin <= 3.3.9 – Cross-Site Request Forgery

CSS JS Manager <= 2.4.49 – Cross-Site Request Forgery

Easy Google Analytics for WordPress <= 1.6.0 – Cross-Site Request Forgery

Japanized For WooCommerce <= 2.5.4 – Reflected Cross-Site Scripting

asMember <= 1.5.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Social Login WP <= 5.0.0.0 – Cross-Site Request Forgery

Etsy Shop <= 3.0.3 – Cross-Site Request Forgery to Plugin Settings Update

phpinfo() WP <= 3.0 – Cross-Site Request Forgery

Admin Block Country <= 7.1.4 – Cross-Site Request Forgery via admin_block_country_initial_page

WP Meta SEO <= 4.5.3 – Missing Authorization in ‘wpmsGGSaveInformation’

Feed Them Social <= 3.0.2 – Cross-Site Request Forgery

WP Meta SEO <= 4.5.3 – Missing Authorization in ‘saveSitemapSettings’

Publish to Schedule <= 4.4.2 – Cross-Site Request Forgery leading to Plugin Option Changes

Client Portal – Private user pages and login <= 1.1.8 – Cross-Site Request Forgery via cp_create_private_pages_for_all_users function

Apollo13 Framework Extensions <= 1.8.10 – Missing Authorization

Community by PeepSo <= 6.0.2.0 – Cross Site Request Forgery

WP Dynamic Keywords Injector <= 2.3.15 – Cross-Site Request Forgery

WP-RecentComments <= 2.2.7 – Unauthenticated Information Exposure

Conditional Checkout Fields & Edit Checkout Fields for WooCommerce <= 1.2.1 – Missing Authorization

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘loadRedirectSettings’ function

http-cache-semantics < 4.1.1 – Regular Expression Denial of Service (ReDoS)

GMAce <= 1.5.2 – Authenticated(Admin+) Directory Traversal

VK All in One Expansion Unit <= 9.87.0.1 – Reflected Cross-Site Scripting via REQUEST_URI

WordPress Custom Settings <= 1.0 – Authenticated(Admin+) Stored Cross-Site Scripting

Jobs for WordPress <= 2.5.10.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

WPMobile.App — Android and iOS Mobile Application <= 11.18 – Authenticated (Administrator+) Stored Cross-Site Scripting

All in One SEO Pack <= 4.2.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Sitemap Index <= 1.2.3 – Authenticated(Admin+) Stored Cross-Site Scripting

Accordions <= 2.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via Several Parameters

Custom Login Page <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Simple Portfolio Gallery <= 0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Exquisite PayPal Donation <= v2.0.0 – Authenticated(Admin+) Stored Cross-Site Scripting

Chat Bee <= 1.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Stock market charts from finviz <= 1.0 – Authenticated(Admin+) Stored Cross-Site Scripting

Clio Grow <= 1.0.0 – Authenticated (Admin+) Stored Cross Site Scripting

TypeSquare Webfonts for ConoHa <= 2.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Circles Gallery <= 1.0.10 – Authenticated (Admin+) Stored Cross-Site Scripting via Admin Settings

Video Gallery – YouTube Gallery <= 1.7.6 – Authenticated (Admin+) Stored Cross Site Scripting

WP Table Builder – WordPress Table Plugin <= 1.4.6 – Authenticated (Admin+) Stored Cross-Site Scripting

CPT – Speakers <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Binge Site Verification using Meta Tag <= 1.0 – Authenticated (Admin+) Stored Cross-Site Scripting via Admin Settings

CM Answers <= 3.1.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Calculated Fields Form <= 1.1.150 – Authenticated (Administrator+) Stored Cross-Site Scripting

WP Custom Fields Search <= 1.2.34 – Authenticated (Administrator+) Stored Cross-Site Scripting

Sponsors Carousel <= 4.02 – Authenticated (Admin+) Stored Cross-Site Scripting in show

Top 10 – Popular posts plugin – <= 3.2.4 – Authenticated(Admin+) Stored Cross-Site Scripting

KB Support <= 1.5.84 – Authenticated (Subscriber+) CSV Injection

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘redirectionPageContent’ function

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘addRedirect’ function

Top 10 – Popular posts plugin for WordPress <= 3.2.3 – Missing Authorization on tptn_ajax_clearcache

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘deleteRedirect’ function

Accept Stripe Donation – AidWP <= 3.1.5 – Cross Site Request Forgery

Read More Excerpt Link <= 1.5 – Cross-Site Request Forgery

Redirect Redirection <= 1.1.3 – Cross-Site Request Forgery via ‘SaveSettings’ function

My YouTube Channel <= 3.23.3 – Cross-Site Request Forgery to Cache Deletion

Contextual Related Posts <= 3.3.1 – Missing Authorization in crp_ajax_clearcache

WP Meta SEO <= 4.5.3 – Missing Authorization in ‘regenerateSitemaps’

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘SaveSettings’ function

WP Meta SEO <= 4.5.3 – Missing Authorization in ‘checkAllCategoryInSitemap’

Educare – Students & Result Management System <= 1.4.1 – Cross-Site Request Forgery

Redirect Redirection <= 1.1.3 – Cross-Site Request Forgery via ‘bulkDelete’ function

Coupon Zen <= 1.0.5 – Cross-Site Request Forgery to Plugin Activation

Starter Templates — Elementor, WordPress & Beaver Builder Templates <= 3.1.20 – Cross-Site Request Forgery in add_to_favorite

For the visually impaired <= 0.58 – Cross-Site Request Forgery to Plugin Settings Changes

Advanced Database Cleaner <= 3.1.1 – Cross-Site Request Forgery via aDBc_save_settings_callback

Top 10 – Popular posts plugin for WordPress <= 3.2.3 – Cross-Site Request Forgery via tptn_ajax_clearcache

Redirect Redirection <= 1.1.3 – Cross-Site Request Forgery via ‘statusBulkEdit’ function

Auto Affiliate Links <= 6.3.0.2 – Cross-Site Request Forgery via aalChangeOptions function

WP Meta SEO <= 4.5.3 – Cross-Site Request Forgery via ‘setIgnore’

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘instantEditRedirect’ function

多合一搜索自动推Baidu/Google/Bing/IndexNow/Yandex/头条 <= 4.2.1 – Cross-Site Request Forgery

WP Meta SEO <= 4.5.3 – Cross-Site Request Forgery via ‘regenerateSitemaps’

Theme Tweaker <= 5.20 – Cross-Site Request Forgery

Upload Resume <= 1.2.0 – Authenticated Sensitive Information Disclosure via resume_upload_form_list shortcode

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘LoadTab’ function

Redirect Redirection <= 1.1.3 – Cross-Site Request Forgery via ‘addRedirectRule’ function

Redirect Redirection <= 1.1.3 – Cross-Site Request Forgery via ‘saveRedirectSettings’ function

Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.2.2 – Cross-Site Request Forgery via settings_page function

WP Meta SEO <= 4.5.3 – Missing Authorization in ‘listPostsCategory’

Redirect Redirection <= 1.1.3 – Cross-Site Request Forgery via ‘addRedirect’ function

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘liveSearch’ function

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘loadSettings’ function

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 5.0.4 – Cross-Site Request Forgery in rttpg_spare_me

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘addRedirectRule’ function

Client Portal <= 1.1.8 – Cross-Site Request Forgery via cp_create_private_pages_for_all_users

Contextual Related Posts <= 3.3.1 – Cross-Site Request Forgery in crpClearCache

Top 10 – Popular posts plugin for WordPress <= 3.2.4 – Missing Authorization on tptn_chart_data

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘logFilter’ function

WordPress Books Gallery <= 4.4.8 – Cross-Site Request Forgery leading to Plugin Settings Changes

Redirect Redirection <= 1.1.3 – Cross-Site Request Forgery via ‘deleteRedirect’ function

Redirect Redirection <= 1.1.3 – Cross-Site Request Forgery via ‘cronLogDeleteOption’ function

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘logPageContent’ function

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘selectAll’ function

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘bulkDelete’ function

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘statusBulkEdit’ function

Minify HTML <= 2.02 – Cross-Site Request Forgery in minify_html_menu_options

Redirect Redirection <= 1.1.3 – Missing Authorization in ‘saveRedirectSettings’ function

WordPress Tooltips <= 8.2.5 – Multiple Cross-Site Request Forgery

Redirect Redirection <= 1.1.3 – Cross-Site Request Forgery via ‘instantEditRedirect’ function

CP Multi View Event Calendar <= 1.4.13 – Insufficient Authorization

If you’d like to receive this weekly vulnerability report by email, along with Wordfence Intelligence CE product updates, sign up to the Wordfence Intelligence Community Edition Newsletter by filling out this form below.

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence Community Edition leaderboard along with being mentioned in our weekly vulnerability report.

The post Wordfence Intelligence CE Weekly WordPress Vulnerability Report (Feb 20, 2023 to Feb 26, 2023) appeared first on Wordfence.