Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023)

Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, there were 115 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Indivudals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
AI ChatBot	chatbot
ARI Stream Quiz – WordPress Quizzes Builder	ari-stream-quiz
Abandoned Cart Lite for WooCommerce	woocommerce-abandoned-cart
Accept Stripe Payments	stripe-payments
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)	wp-analytify
Auto Affiliate Links	wp-auto-affiliate-links
Autocomplete Location field Contact Form 7	autocomplete-location-field-contact-form-7
Availability Calendar	availability-calendar
Awesome Support – WordPress HelpDesk & Support Plugin	awesome-support
BackWPup – WordPress Backup Plugin	backwpup
BlossomThemes Email Newsletter	blossomthemes-email-newsletter
Booster for WooCommerce	woocommerce-jetpack
Bootstrap Shortcodes Ultimate	bs-shortcode-ultimate
Broken Link Checker for YouTube	broken-link-checker-for-youtube
Bulk Comment Remove	bulk-comment-remove
Captcha Code	captcha-code-authentication
CataBlog	catablog
Chatbot for WordPress	collectchat
Community by PeepSo – Social Network, Membership, Registration, User Profiles	peepso-core
Consensu.io | Conformidade e Consentimento de Cookies para LGPD	consensu-io
Contact Form Email	contact-form-to-email
Contact Form to Any API	contact-form-to-any-api
Debug Log Manager	debug-log-manager
Display Custom Post	display-custom-post
Drop Shadow Boxes	drop-shadow-boxes
Easy Social Feed – Social Photos Gallery – Post Feed – Like Box	easy-facebook-likebox
Easy Social Icons	easy-social-icons
EventPrime – Events Calendar, Bookings and Tickets	eventprime-event-calendar-management
Events Manager	events-manager
Export any WordPress data to XML/CSV	wp-all-export
Fast Custom Social Share by CodeBard	fast-custom-social-share-by-codebard
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager	file-manager
Floating Action Button	floating-action-button
Frontier Post	frontier-post
Grab & Save	save-grab
HUSKY – Products Filter for WooCommerce Professional	woocommerce-products-filter
Hide login page, Hide wp admin – stop attack on login page	hide-login-page
Import Spreadsheets from Microsoft Excel	import-spreadsheets-from-microsoft-excel
Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages	page-builder-add
League Table	league-table-lite
License Manager for WooCommerce	license-manager-for-woocommerce
Link Whisper Free	link-whisper
Login Lockdown – Protect Login Form	login-lockdown
Mail Bank – #1 Mail SMTP Plugin for WordPress	wp-mail-bank
Maspik – Spam Blacklist	contact-forms-anti-spam
MyBookTable Bookstore by Stormhill Media	mybooktable
Parallax Image	parallax-image
Parcel Pro	woo-parcel-pro
PayTR Taksit Tablosu – WooCommerce	paytr-taksit-tablosu-woocommerce
Perfmatters	perfmatters
Porto Theme – Functionality	porto-functionality
Post Meta Data Manager	post-meta-data-manager
Preloader for Website	preloader-for-website
Quttera Web Malware Scanner	quttera-web-malware-scanner
Salon booking system	salon-booking-system
Seraphinite Post .DOCX Source	seraphinite-post-docx-source
Simple Testimonials Showcase	simple-testimonials-showcase
Simply Exclude	simply-exclude
SpiderVPlayer	player
Super Progressive Web Apps	super-progressive-web-apps
Tainacan	tainacan
Taxonomy filter	taxonomy-filter
Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More	gs-team-members
TextMe SMS	textme-sms-integration
The Events Calendar	the-events-calendar
Theme Editor	theme-editor
Theme My Login 2fa	tml-2fa
TriPay Payment Gateway	tripay-payment-gateway
UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping	wc-multishipping
UserPro – Community and User Profile WordPress Plugin	userpro
Video PopUp	video-popup
WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors	wc-vendors
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce	wc-multivendor-marketplace
WP ALL Export Pro	wp-all-export-pro
WP Child Theme Generator	wp-child-theme-generator
WP Githuber MD – WordPress Markdown Editor	wp-githuber-md
WP Mail Log	wp-mail-log
WP Roadmap – Product Feedback Board	wp-roadmap
Widgets for Google Reviews	wp-reviews-plugin-for-google
WordPress Gallery Plugin – NextGEN Gallery	nextgen-gallery
WordPress Job Board and Recruitment Plugin – JobWP	jobwp
WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout	gs-pinterest-portfolio
Yoast SEO	wordpress-seo
eDoc Employee Job Application – Best WordPress Job Manager for Employees	edoc-employee-application
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin	mycred
salient-core	salient-core
wpForo Forum	wpforo

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

UserPro <= 5.1.1 – Authentication Bypass to Administrator

UserPro <= 5.1.1 – Insecure Password Reset Mechanism

Porto Theme – Functionality <= 2.11.1 – Unauthenticated SQL Injection

WP Child Theme Generator <= 1.0.8 – Authenticated (Administrator+) Arbitrary File Upload

UserPro <= 5.1.1 – Cross-Site Request Forgery to Privilege Escalation

WP Githuber MD <= 1.16.2 – Authenticated (Author+) Arbitrary File Upload

Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 – Cross-Site Request Forgery to Remote Code Execution

Link Whisper Free <= 0.6.5 – Authenticated (Contributor+) SQL Injection

UserPro <= 5.1.4 – Authenticated (Subscriber+) Privilege Escalation

UserPro <= 5.1.0 – Cross-Site Request Forgery to PHP Object Injection

Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 – Cross-Site Request Forgery to PHAR Deserialization

BackWPup <= 4.0.1 – Authenticated (Administrator+) Directory Traversal

WordPress Job Board and Recruitment Plugin – JobWP <= 2.1 – Sensitive Information Exposure

UserPro <= 5.1.1 – Missing Authorization via multiple functions

License Manager for WooCommerce <= 2.2.10 – Authenticated (Administrator+) SQL Injection

Login Lockdown <= 2.06 – Authenticated (Administrator+) SQL Injection

WP Mail Log <= 1.1.2 – Authenticated (Editor+) SQL Injection via id

Salon booking system < 8.7 – Authenticated (Editor+) Privilege Escalation

CataBlog <= 1.7.0 – Authenticated (Editor+) Arbitrary File Upload

WC Vendors Marketplace <= 2.4.7 – Authenticated (Shop manager+) SQL Injection via search dates

Theme Editor <= 2.7.1 – Authenticated (Administrator+) Arbitrary File Upload

ChatBot <= 4.7.8 – Authenticated (Administrator+) SQL Injection

Quttera Web Malware Scanner <= 3.4.1.48 – Authenticated (Administrator+) Directory Traversal via ShowFile

Widgets for Google Reviews <= 11.0.2 – Authenticated (Editor+) Arbitrary File Upload

UserPro <= 5.1.1 – Sensitive Information Disclosure via Shortcode

UserPro <= 5.1.4 – Missing Authorization to Arbitrary Shortcode Execution via userpro_shortcode_template

CataBlog <= 1.7.0 – Authenticated (Editor+) Arbitrary File Deletion

Contact Form to Any API <= 1.1.6 – Missing Authorization via delete_cf7_records()

Display Custom Post <= 2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Bootstrap Shortcodes Ultimate <= 4.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Salient Core <= 2.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 – Authenticated (Admin+) Remote Code Execution

EventPrime – Modern Events Calendar, Bookings and Tickets <= 3.3.2 – Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

Parallax Image <= 1.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

wpForo Forum <= 2.2.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Video PopUp <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Community by PeepSo <= 6.2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Easy Social Icons <= 3.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Drop Shadow Boxes <= 1.7.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

GS Team Members <= 2.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

myCred <= 2.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Perfmatters < 2.2.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Import Spreadsheets from Microsoft Excel <= 10.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

WCFM Marketplace <= 3.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

UserPro <= 5.1.1 – Cross-Site Request Forgery via multiple functions

UserPro <= 5.1.1 – Cross-Site Request Forgery to Sensitive Information Exposure

Enfold <= 5.6.4 – Reflected Cross-Site Scripting

Grab & Save <= 1.0.4 – Reflected Cross-Site Scripting

Simply Exclude <= 2.0.6.6 – Reflected Cross-Site Scripting

Perfmatters <= 2.1.6 – Reflected Cross-Site Scripting

UserPro <= 5.1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting via userpro_save_userdata

Tainacan <= 0.20.4 – Reflected Cross-Site Scripting

Events Manager <= 6.4.5 – Reflected Cross-Site Scripting

Salient Core <= 2.0.2 – Reflected Cross-Site Scripting

eDoc Employee Job Application <= 1.13 – Reflected Cross-Site Scripting

Maspik – Spam blacklist <= 0.9.2 – Unauthenticated Stored Cross-Site Scripting via efas_add_to_log

Community by PeepSo <= 6.2.6.0 – Reflected Cross-Site Scripting

Yoast SEO <= 21.0 – Authenticated (Seo Manager+) Stored Cross-Site Scripting

Theme My Login 2FA < 1.2 – 2FA Bypass via Brute Force

Porto Theme – Functionality <= 2.11.1 – Missing Authorization

BlossomThemes Email Newsletter <= 2.2.4 – Missing Authorization

Quttera Web Malware Scanner <= 3.4.1.48 – Sensitive Data Exposure

Accept Stripe Payments <= 2.0.79 – Unauthenticated Content Injection

Accept Stripe Payments <= 2.0.79 – Insecure Direct Object Reference

Preloader for Website <= 1.2.2 – Missing Authorization via plwao_register_settings()

Hide login page <= 1.1.7 – Login Page Disclosure

The Events Calendar <= 6.2.8 – Information Disclosure

PayTR Taksit Tablosu <= 1.3.1 – Missing Authorization

Perfmatters <= 2.1.6 – Missing Authorization

Captcha Code <= 2.8 – Captcha Bypass

Contact Form Email <= 1.3.41 – Captcha Bypass

Super Progressive Web Apps <= 2.2.21 – Missing Authorization

Maspik – Spam blacklist <= 0.10.1 – Bypass

Consensu.io <= 1.0.2 – Missing Authorization via update_config_db()

Autocomplete Location field Contact Form 7 <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Video Player <= 1.5.22 – Authenticated (Administrator+) Stored Cross-Site Scripting

WP Roadmap <= 1.0.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

Fast Custom Social Share by CodeBard <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

TriPay Payment Gateway <= 3.2.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Chatbot for WordPress <= 2.3.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Chatbot for WordPress
CVE ID: CVE-2023-5691
CVSS Score: 4.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dfd67329-11b1-4f00-a422-bb4833a3181d

Booster for WooCommerce <= 7.1.2 – Missing Authorization to Product Creation/Modification

MyBookTable Bookstore <= 3.3.3 – Cross-Site Request Forgery

Auto Affiliate Links <= 6.4.2.5 – Cross-Site Request Forgery

Frontier Post <= 6.1 – Cross-Site Request Forgery

Mail Bank – #1 Mail SMTP Plugin for WordPress <= 4.0.14 – Missing Authorization

NextGEN Gallery <= 3.37 – Cross-Site Request Forgery

Debug Log Manager <= 2.2.1 – Missing Authorization

wpForo Forum <= 2.2.5 – Cross-Site Request Forgery via logout()

GS Pins for Pinterest Lite <= 1.8.0 – Missing Authorization via _update_shortcode

Bulk Comment Remove <= 2 – Cross-Site Request Forgery via brc_admin()

Floating Action Button <= 1.2.1 – Cross-Site Request Forgery

Availability Calendar <= 1.2.6 – Cross-Site Request Forgery via add_availability_calendar_create_admin_page()

WCMultiShipping <= 2.3.5 – Missing Authorization to Log Export

Awesome Support <= 6.1.4 – Missing Authorization via wpas_edit_reply_ajax()

Awesome Support <= 6.1.4 – Cross-Site Request Forgery via wpas_edit_reply_ajax()

wpForo Forum <= 2.2.5 – Missing Authorization

Grab & Save <= 1.0.4 – Cross-Site Request Forgery

Perfmatters <= 2.1.6 – Cross-Site Request Forgery

Broken Link Checker for YouTube <= 1.3 – Cross-Site Request Forgery via plugin_settings_page()

TextMe SMS <= 1.15.20 – Missing Authorization via tetxme_update_option_page()

Easy Social Feed <= 6.5.1 – Missing Authorization via hide_free_sidebar()

Simple Testimonials Showcase <= 1.1.5 – Cross-Site Request Forgery

ARI Stream Quiz <= 1.2.32 – Cross-Site Request Forgery

Landing Page Builder <= 1.5.1.5 – Open Redirect

HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 – Missing Authorization via woof_meta_get_keys()

Post Meta Data Manager <= 1.2.1 – Cross-Site Request Forgery to Post, Term, and User Meta Deletion

Analytify Dashboard <= 5.1.1 – Cross-Site Request Forgery

Booster for WooCommerce <= 7.1.1 – Missing Authorization to Authenticated (Subscriber+) Order Information Disclosure

WooCommerce Parcel Pro <= 1.6.11 – Cross-Site Request Forgery

Seraphinite Post .DOCX Source <= 2.16.6 – Cross-Site Request Forgery

Taxonomy filter <= 2.2.9 – Cross-Site Request Forgery via taxonomy_filter_save_main_settings()

League Table <= 1.13 – Cross-Site Request Forgery

Abandoned Cart Lite for WooCommerce <= 5.16.0 – Improper Authorization via wcal_preview_emails

Abandoned Cart Lite for WooCommerce <= 5.16.0 – Improper Authorization via wcal_delete_expired_used_coupon_code

File Manager <= 6.3 – Authenticated (Admin+) Arbitrary OS File Access via Path Traversal

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023) appeared first on Wordfence.