Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023)

Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Please note there was a minor error in the heading of the email, and this report only runs from November 6th to November 12th.

Last week, there were 135 vulnerabilities disclosed in 119 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 40 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Indivudals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Master Slider Pro <= 3.6.5 – Unauthenticated PHP Object Injection

WD WidgetTwitter <= 1.0.9 – Authenticated (Contributor+) SQL Injection via Shortcode

Rename Media Files <= 1.0.1 – Authenticated (Contributor+) Remote Code Execution

Mmm Simple File List <= 2.3 – Authenticated (Subscriber+) Directory Traversal

Brizy <= 2.4.29 – Cross-Site Scripting

Who Hit The Page – Hit Counter <= 1.4.14.3 – Authenticated (Administrator+) SQL Injection

Redirect 404 Error Page to Homepage or Custom Page with Logs <= 1.8.7 – Authenticated (Administrator+) SQL Injection

Webpushr <= 4.34.0 – Missing Authorization to Unauthenticated Stored Cross-Site Scripting

Master Slider Pro <= 3.6.5 – Authenticated (Editor+) SQL Injection

Profile Builder <= 3.10.3 – Cross-Site Request Forgery via pms-cross-promotion.php

EazyDocs <= 2.3.3 – Missing Authorization via doc_one_page and edit_doc_one_page

Japanized For WooCommerce <= 2.6.4 – Missing Authorization

Podlove Web Player <= 5.7.1 – Missing Authorization

Elementor Website Builder <= 3.16.4 – Missing Authorization to Arbitrary Attachment Read

WooCommerce Checkout Manager <= 7.3.0 – Missing Authorization

Telephone Number Linker <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Featured Image Caption <= 0.8.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

ANAC XML Bandi di Gara <= 7.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

EasyRotator for WordPress <= 1.0.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Bitly’s WordPress Plugin <= 2.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

BZScore – Live Score <= 1.03 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Sponsors <= 3.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

WP MapIt <= 2.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Social Feed <= 1.5.4.6 – Authenticated (Author+) Stored Cross-Site Scripting via Shortcode

Garden Gnome Package <= 2.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Social Sharing Plugin – Social Warfare <= 4.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Donations Made Easy – Smart Donations <= 4.0.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

WordPress Backup & Migration <= 1.4.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting

ImageMapper <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CBX Map for Google Map & OpenStreetMap <= 1.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Elementor Website Builder <= 3.16.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via get_inline_svg()

QR Code Tag <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Mmm Simple File List <= 2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

POWR <= 2.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

SendPress Newsletters <= 1.22.3.31 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Lava Directory Manager <= 1.1.34 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Advanced iFrame <= 2023.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Ziteboard Online Whiteboard <= 2.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via ziteboard Shortcode

Simple Like Page Plugin <= 1.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

NitroPack <= 1.9.2 – Missing Authorization via multiple AJAX functions

Category Post List Widget <= 2.0 – Unauthenticated Stored Cross-Site Scripting via custom_css

Essential Grid <= 3.1.0 – Reflected Cross-Site Scripting

Category Post List Widget <= 2.0 – Cross-Site Request Forgery via get_cplw_settings

SendPress Newsletters <= 1.23.11.6 – Reflected Cross-Site Scripting

Edit WooCommerce Templates <= 1.1.1 – Unauthenticated Cross-Site Scripting

Under Construction / Maintenance Mode from Acurax <= 2.6 – Unauthenticated Cross-Site Scripting

EazyDocs <= 2.3.3 – Unauthenticated Stored Cross-Site Scripting via edit_doc_one_page

Restrict Categories <= 2.6.4 – Reflected Cross-Site Scripting via rc-search

Post Pay Counter <= 2.789 – Reflected Cross-Site Scripting

Atarim <= 3.12 – Unauthenticated Cross-Site Scripting

Product Enquiry for WooCommerce <= 3.0 – Unauthenticated Stored Cross-Site Scripting via name

Martins Free & Easy SEO BackLink Link Building Network <= 1.2.29 – Reflected Cross-Site Scripting via _wpnonce

WP Crowdfunding <= 2.1.6 – Reflected Cross-Site Scripting via postid

LearnPress <= 4.2.5.3 – Reflected Cross-Site Scripting via add_internal_scripts_to_head

Photo Feed <= 2.2.1 – Reflected Cross-Site Scripting via pf-gid

Auto Affiliate Links <= 6.4.2.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

CodeBard’s Patron Button and Widgets for Patreon <= 2.1.9 – Reflected Cross-Site Scripting via cb_p6_tab

Master Slider Pro <= 3.6.5 – Reflected Cross-Site Scripting

Star CloudPRNT for WooCommerce <= 2.0.3 – Unauthenticated Cross-Site Scripting

WPDBSpringClean <= 1.6 – Reflected Cross-Site Scripting

Q2W3 Post Order <= 1.2.8 – Reflected Cross-Site Scripting

Seo By 10Web <= 1.2.9 – Reflected Cross-Site Scripting

Plainview Protect Passwords <= 1.4 – Reflected Cross-Site Scripting

Additional Order Filters for WooCommerce <= 1.10 – Reflected Cross-Site Scripting

ImageMapper <= 1.2.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting via imgmap_save_area_title

Responsive Column Widgets <= 1.2.7 – Reflected Cross-Site Scripting via tab

Products, Order & Customers Export for WooCommerce <= 2.0.7 – Reflected Cross-Site Scripting via date parameters

Extra Product Options for WooCommerce <= 3.0.3 – Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings

Actueel Financieel Nieuws – Denk Internet Solutions <= 5.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Direct Checkout – Quick View – Buy Now For WooCommerce <= 1.5.8 – Authenticated (Shop manager+) Stored Cross-Site Scripting via Custom CSS Code

Recently viewed and most viewed products <= 1.1.1 – Authenticated (Shop Manager+) Stored Cross-Site Scripting

Responsive Pricing Table < 5.1.8 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Forms for Mailchimp by Optin Cat <= 2.5.4 – Authenticated (Editor+) Stored Cross-Site Scripting

Countdown and CountUp, WooCommerce Sales Timer <= 1.8.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Live Gold Price & Silver Price Charts Widgets <= 2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

ANAC XML Bandi di Gara <= 7.5 – Authenticated (Editor+) Stored Cross-Site Scripting

Add Local Avatar <= 12.1 – Cross-Site Request Forgery via manage_avatar_cache

Code Snippets <= 3.5.0 – Cross-Site Request Forgery via load

ImageMapper <= 1.2.6 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Page/Post Deletion via imgmap_delete_area_ajax

Solid Central <= 3.0.0 – Stored Cross-Site Scripting via packages

Quiz And Survey Master <= 8.1.18 – Multiple Cross-Site Request Forgery

WP Discord Invite < 2.5.1 – Cross-Site Request Forgery to Settings Update

UpdraftPlus <= 1.23.10 – Cross-Site Request Forgery to Google Drive Storage Update

Ecwid Ecommerce Shopping Cart <= 6.12.3 – Missing Authorization on multiple functions

Ultimate Addons for Contact Form 7 <= 3.2.6 – Missing Authorization

Front End PM < 11.4.3 – Sensitive Information Exposure via Directory Listing

CoCart – Headless ecommerce <= 3.9.0 – Missing Authorization

Restrict Content <= 3.2.7 – Information Exposure via legacy log file

Cloud Templates & Patterns collection <= 1.2.2 – Sensitive Information Exposure via Log File

Email Marketing for WooCommerce by Omnisend <= 1.13.8 – Sensitive Information Exposure

Seers <= 8.0.6 – Missing Authorization via multiple AJAX actions

Animator <= 3.0.9 – Missing Authorization to Plugin Settings Update

WooCommerce Product Enquiry <= 2.3.4 – Unauthenticated Self-Based Cross-Site Scripting

Integrate Google Drive <= 1.3.1 – Open Redirect via state

Amazonify <= 0.8.1 – Authenticated (Admin+) Stored Cross-Site Scripting

WP Edit Username <= 1.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Pinyin Slugs <= 2.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

OneClick Chat to Order <= 1.0.4.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

ANAC XML Viewer <= 1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Team Members Showcase <= 1.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Product Visibility by Country for WooCommerce <= 1.4.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Custom post types <= 4.0.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

TWB Woocommerce Reviews <= 1.7.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Flo Forms <= 1.0.41 – Missing Authorization via flo_send_test_email

Arigato Autoresponder and Newsletter <= 2.7.2.2 – Cross-Site Request Forgery

Best Restaurant Menu by PriceListo <= 1.3.1 – Cross-Site Request Forgery via menu_page

Amazonify <= 0.8.1 – Cross-Site Request Forgery to Amazon Tracking ID Update

ANAC XML Bandi di Gara <= 7.5 – Cross-Site Request Forgery via settings.php

WooCommerce Product Table Lite <= 2.6.2 – Cross-Site Request Forgery

Patreon WordPress <= 1.8.6 – Cross-Site Request Forgery

Product Catalog Simple <= 1.7.5 – Cross-Site Request Forgery via ic_system_status

BadgeOS <= 3.7.1.6 – Missing Authorization

Korea SNS <= 1.6.3 – Cross-Site Request Forgery via kon_tergos_options

Woo Custom and Sequential Order Number <= 2.6.0 – Cross-Site Request Forgery

WP Links Page <= 4.9.4 – Cross-Site Request Forgery via wplf_ajax_update_screenshots

Dragfy Addons for Elementor <= 1.0.2 – Missing Authorization via save_settings

WordPress Backup & Migration <= 1.4.3 – Missing Authorization to Settings Update

Donations Made Easy – Smart Donations <= 4.0.12 – Cross-Site Request Forgery

Foyer <= 1.7.5 – Content Injection via Improper Access Control

Preloader Matrix <= 2.0.1 – Cross-Site Request Forgery

Youtube SpeedLoad <= 0.6.3 – Cross-Site Request Forgery

Plugin Name: Device Theme Switcher <= 3.0.2 – Cross-Site Request Forgery

ImageMapper <= 1.2.6 – Cross-Site Request Forgery to Plugin Settings Change via ajax

WP Full Stripe Free <= 1.6.1 – Cross-Site Request Forgery

MSHOP MY SITE <= 1.1.6 – Missing Authorization via update_settings

Plainview Protect Passwords <= 1.4 – Cross-Site Request Forgery

UserHeat Plugin <= 1.1.6 – Cross-Site Request Forgery

Easy Social Icons <= 3.2.4 – Missing Authorization via cnss_save_ajax_order

Auto Tag Creator <= 1.0.2 – Missing Authorization via tag_save_settings_callback

Droit Dark Mode <= 1.1.2 – Cross-Site Request Forgery

Visitors Traffic Real Time Statistics <= 7.2 – Missing Authorization via multiple AJAX actions

ProfileGrid <= 5.6.6 – Cross-Site Request Forgery

ARI Stream Quiz <= 1.3.0 – Authenticated(Contributor+) Content Injection

Image Hover Effects <= 5.5 – Cross-Site Request Forgery

Job Manager & Career <= 1.4.3 – Sensitive Information Exposure

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023) appeared first on Wordfence.