Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023)

Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!

Last week, there were 109 vulnerabilities disclosed in 98 WordPress Plugins and 10 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 33 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Elementor <= 3.18.1 – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import
WordPress Core 6.4-6.4.1 – Remote Code Execution POP Chain via Object Injection
(Note that the existence of the POP chain is not classified as a vulnerability on its own so it does not have a Wordfence Intelligence Entry. The rule is intended to block exploitation by any existing Object Injection vulnerability.)
Two additional firewall rules for vulnerabilities that have not yet been patched or publicly disclosed.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
63

Patched
46

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
0

Medium Severity
88

High Severity
9

Critical Severity
12

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
28

Missing Authorization
28

Cross-Site Request Forgery (CSRF)
21

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
6

Unrestricted Upload of File with Dangerous Type
5

Deserialization of Untrusted Data
5

Information Exposure
3

Improper Authorization
2

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
2

Use of Less Trusted Source
1

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
1

Uncontrolled Resource Consumption (‘Resource Exhaustion’)
1

Protection Mechanism Failure
1

Authorization Bypass Through User-Controlled Key
1

Server-Side Request Forgery (SSRF)
1

Improper Control of Generation of Code (‘Code Injection’)
1

Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
1

Improper Neutralization of Alternate XSS Syntax
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Nguyen Xuan Chien
13

Rafie Muhammad
12

Abdi Pranata
12

Dmitrii Ignatyev
7

Vladislav Pokrovsky (ΞX.MI)
7

Mika
6

Ngô Thiên An (ancorn_)
5

emad
4

István Márton(Wordfence Vulnerability Researcher)
4

Skalucy
4

Brandon James Roldan (tomorrowisnew)
3

thiennv
3

lttn
3

LVT-tholv2k
2

Marco Wotschka(Wordfence Vulnerability Researcher
2

Abu Hurayra (HurayraIIT)
2

Kyle Sanchez
2

qilin_99
2

Rafshanzani Suhada
1

Universe
1

German Ritter
1

DoYeon Park (p6rkdoye0n)
1

Naveen Muthusamy
1

Hong Quan
1

0x9567b
1

Luqman Hakim Y
1

Yuchen Ji
1

Labda
1

Enrico Marcolini
1

Claudio Marchesini (Dottormarc)
1

Rachit Arora
1

Muhammad Daffa
1

Huynh Tien Si
1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

Advanced Database Cleaner
advanced-database-cleaner

Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress
advanced-page-visit-counter

Alma – Pay in installments or later for WooCommerce
alma-gateway-for-woocommerce

Alt Manager
alt-manager

Annual Archive
anual-archive

AppMySite – Create an app with the Best Mobile App Builder
appmysite

ArtPlacer Widget
artplacer-widget

Astra Pro Addon
astra-addon

Author Avatars List/Block
author-avatars

Awesome Support – WordPress HelpDesk & Support Plugin
awesome-support

BCorp Shortcodes
bcorp-shortcodes

Backup Migration
backup-backup

Bacola Core
bacola-core

Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo
biteship

Block for Font Awesome
block-for-font-awesome

Bold Page Builder
bold-page-builder

Bulk Edit Post Titles
bulk-edit-post-titles

Burst Statistics Pro
burst-pro

Burst Statistics – Privacy-Friendly Analytics for WordPress
burst-statistics

CSV Importer
csv-importer

CSprite
csprite

Caddy – Smart Side Cart for WooCommerce
caddy

Calculated Fields Form
calculated-fields-form

Clotya Core
clotya-core

Code Embed
simple-embed-code

Cookie Bar
cookie-bar

Cosmetsy Core
cosmetsy-core

Custom Login
custom-login

Custom Post Type Page Template
custom-post-type-page-template

Dashboard Widgets Suite
dashboard-widgets-suite

Digital Publications by Supsystic
digital-publications-by-supsystic

Duplicator Pro
duplicator-pro

Duplicator – WordPress Migration & Backup Plugin
duplicator

Elementor Timeline Widget
3r-elementor-timeline-widget

Elementor Website Builder – More than Just a Page Builder
elementor

Email Subscription Popup
email-subscribe

EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
embedpress

Event Manager, Event Calendar, Event Tickets for WooCommerce – Eventin
wp-event-solution

FOX – Currency Switcher Professional for WooCommerce
woocommerce-currency-switcher

First Order Discount Woocommerce
first-order-discount-woocommerce

Fix My Feed RSS Repair
fix-my-feed-rss-repair

Flexible Woocommerce Checkout Field Editor
flexible-woocommerce-checkout-field-editor

Furnob Core
furnob-core

Genesis Simple Love
genesis-simple-love

Gift Up Gift Cards for WordPress and WooCommerce
gift-up

Guest Author
guest-author

Ibtana – WordPress Website Builder
ibtana-visual-editor

Import and export users and customers
import-users-from-csv-with-meta

Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site
integrate-google-drive

LiveChat – WP live chat plugin for WordPress
wp-live-chat-software-for-wordpress

Login With Ajax
login-with-ajax

MW WP Form
mw-wp-form

Manage Notification E-mails
manage-notification-emails

Medibazar Core
medibazar-core

Menu Bar Cart Icon For WooCommerce By Binary Carpenter
bc-menu-cart-woo

Multi Currency For WooCommerce
wc-multi-currency

Optin Forms – Simple List Building Plugin for WordPress
optin-forms

Parto Core
partdo-core

PayTR Taksit Tablosu – WooCommerce
paytr-taksit-tablosu-woocommerce

Piotnet Forms
piotnetforms

Post Duplicator
post-duplicator

Product Catalog Feed by PixelYourSite
product-catalog-feed

Product Enquiry for WooCommerce
gm-woocommerce-quote-popup

Redirects
redirects

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
custom-registration-form-builder-with-submission-manager

Responsive Slick Slider WordPress
responsive-slick-slider

Rocket Maintenance Mode & Coming Soon Page
rocket-maintenance-mode

Sayfa Sayac
sayfa-sayac

SharkDropship & Affiliate for AliExpress, eBay, Amazon, Etsy
woo-aliexpress-dropshipping

Shortcoder — Create Shortcodes for Anything
shortcoder

Shortcodes and extra features for Phlox theme
auxin-elements

Smart External Link Click Monitor [Link Log]
link-log

Smart Forms – when you need more than just a contact form
smart-forms

Social Media Feather | social media sharing
social-media-feather

Spectra – WordPress Gutenberg Blocks
ultimate-addons-for-gutenberg

SpeedyCache – Cache, Optimization, Performance
speedycache

Square Thumbnails
square-thumbnails

Structured Content (JSON-LD) #wpsc
structured-content

SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything!
suretriggers

Symbiostock – Sell Photos Online For Free!
symbiostock

System Dashboard
system-dashboard

Translate WordPress – Google Language Translator
google-language-translator

Tutor LMS – eLearning and online course solution
tutor

Ultimate Addons for Contact Form 7
ultimate-addons-for-contact-form-7

Ultimate Dashboard – Custom WordPress Dashboard
ultimate-dashboard

Video PopUp
video-popup

WP Booking System – Booking Calendar
wp-booking-system

WP Photo Album Plus
wp-photo-album-plus

WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
wedevs-project-manager

WPBakery Page Builder Addons by Livemesh
addons-for-visual-composer

WPPerformanceTester
wpperformancetester

WPsoonOnlinePage
wp-soononline-page

WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute
wapppress-builds-android-app-for-website

Webflow Pages
webflow-pages

Welcart e-Commerce
usc-e-shop

WooDiscuz – WooCommerce Comments
woodiscuz-woocommerce-comments

WooPayments – Fully Integrated Solution Built and Supported by Woo
woocommerce-payments

WordPress Simple HTML Sitemap
wp-simple-html-sitemap

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

Adifier – Classified Ads WordPress Theme
adifier-system

Bacola – Grocery Store and Food eCommerce Theme
bacola

Clotya – Fashion Store eCommerce Theme
clotya

Cosmetsy – Beauty Cosmetics Shop Theme
cosmetsy

Couponis Demo
couponis-demo

Furnob – Furniture Store WooCommerce Theme
furnob

Machic – Electronics Store WooCommerce Theme
machic-core

Medibazar – Medical WooCommerce Theme
medibazar

Partdo – Auto Parts and Tools Shop WooCommerce Theme
partdo

Soledad
soledad

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

WappPress <= 5.0.3 – Unauthenticated Arbitrary File Upload

Burst Statistics – Privacy-Friendly Analytics for WordPress 1.4.0 to 1.4.6.1 – Unauthenticated SQL Injection

Couponis Demo < 2.2 – Unauthenticated SQL Injection

Genesis Simple Love <= 2.0 – Unauthenticated PHP Object Injection

Soledad <= 8.4.1 – Unauthenticated PHP Object Injection

Adifier System < 3.1.4 – Unauthenticated SQL Injection

BCorp Shortcodes <= 0.23 – Unauthenticated PHP Object Injection

Sayfa Sayaç <= 2.6 – Unauthenticated PHP Object Injection

MW WP Form <= 5.0.1 – Unauthenticated Arbitrary File Upload

Duplicator <= 1.5.7 AND Duplicator Pro < 4.5.14.2 – Unauthenticated Sensitive Information Exposure

Adifier System < 3.1.4 – Unauthenticated Local File Inclusion

Backup Migration <= 1.3.5 – Unauthenticated Sensitive Information Exposure

Structured Content <= 1.5.3 – Authenticated (Contributor+) PHP Object Injection

Smart Forms <= 2.6.84 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Elementor <= 3.18.1 – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import

Soledad <= 8.4.1 – Authenticated (Contributor+) SQL Injection

Astra Pro <= 4.3.1 – Authenticated(Contributor+) Remote Code Execution via Metabox

ArtPlacer Widget <= 2.20.6 – Authenticated (Editor+) SQL Injection

Piotnet Forms <= 1.0.26 – Unauthenticated Arbitrary File Upload

Advanced Database Cleaner <= 3.1.2 – Authenticated (Administrator+) SQL Injection

Symbiostock Lite <= 6.0.0 – Authenticated (Shop Manager+) Arbitrary File Upload

Import and export users and customers <= 1.24.2 – Authenticated(Administrator+) Directory Traversal via Recurring Import Functionality

Code Embed <= 2.3.6 – Authenticated(Contributor+) Denial of Service

Alma – Pay in installments or later for WooCommerce <= 5.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Ibtana – WordPress Website Builder <= 1.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Spectra <= 2.7.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

WooCommerce Payments <= 6.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Annual Archive <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Advanced Page Visit Counter <= 8.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Livemesh Addons for WPBakery Page Builder <= 3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

Video PopUp <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Guest Author <= 2.3 – Authenticated (Author+) Stored Cross-Site Scripting

Bold Page Builder <= 4.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Shortcodes and extra features for Phlox theme <= 2.15.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

WP Project Manager <= 2.6.7 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Author Avatars List/Block <= 2.1.16 – Authenticated (Contributor+) Stored Cross-Site Scripting

Structured Content <= 1.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Ultimate Addons for Contact Form 7 <= 3.2.0 – Reflected Cross-Site Scripting

Multiple Plugins by KlbTheme <= (Various Versions) – Reflected Cross-Site Scripting

WP Photo Album Plus <= 8.5.02.005 – Cross-Site Scripting

Email Subscription Popup <= 1.2.18 – Reflected Cross-Site Scripting

Machic Core <= 1.2.6 – Reflected Cross-Site Scripting

Smart External Link Click Monitor [Link Log] <= 5.0.2 – Reflected Cross-Site Scripting

Soledad <= 8.4.1 – Reflected Cross-Site Scripting

Biteship <= 2.2.22 – Authenticated (Shop manager+) Stored Cross-Site Scripting

Cookie Bar <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

WOOCS – WooCommerce Currency Switcher <= 1.4.1.4 – Cross-Site Request Forgery via delete_profiles_data

Digital Publications by Supsystic <= 1.7.6 – Cross-Site Request Forgery via AJAX action

SpeedyCache <= 1.1.2 – Authenticated (Subscriber+) Server-Side Request Forgery

Awesome Support <= 6.1.6 – Missing Authorization

WP Photo Album Plus <= 8.5.02.005 – IP Spoofing

Manage Notification E-mails <= 1.8.5 – Missing Authorization

RegistrationMagic <= 5.2.3.0 – Missing Authorization

Square Thumbnails <= 1.1.0 – Missing Authorization

Awesome Support <= 6.1.6 – Missing Authorization

Gift Up 2.21.3 – Cross-Site Request Forgery via consume_post

Ultimate Dashboard <= 3.7.10 – Login Page Disclosure on Multi-site

PayTR Taksit Tablosu <= 1.3.1 – Improper Authorization

Flexible Woocommerce Checkout Field Editor <= 2.0.1 – Missing Authorization

WP Photo Album Plus <= 8.5.02.005 – Insecure Direct Object Reference

AppMySite <= 3.10.0 – Unauthenticated Information Disclsoure

Redirects <= 1.2.1 – Missing Authorization

Webflow Pages <= 1.0.8 – Missing Authorization

Shortcoder <= 6.3.1 – Missing Authorization

EmbedPress <= 3.9.4 – Missing Authorization

Alt Manager <= 1.5.9 – Missing Authorization

Custom Login <= 4.1.0 – Missing Authorization

Google Language Translator <= 6.0.20 – Missing Authorization to Notice Dismissal

WP Simple HTML Sitemap <= 2.4 – Missing Authorization

Login With Ajax <= 4.1 – Missing Authorization

WP Project Manager <= 2.6.7 – Missing Authorization

Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy <= 2.1.1 – Missing Authorization

Rocket Maintenance Mode & Coming Soon Page <= 4.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Optin Forms <= 1.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Smart External Link Click Monitor [Link Log] <= 5.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Calculated Fields Form <= 1.2.40 – Authenticated (Admin+) Stored Cross-Site Scripting

Dashboard Widgets Suite <= 3.4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Tutor LMS <= 2.2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Fix My Feed RSS Repair <= 1.4 – Cross-Site Request Forgery

Product Catalog Feed by PixelYourSite <= 2.1.1 – Cross-Site Request Forgery

LiveChat <= 4.5.15 – Cross-Site Request Forgery

System Dashboard <= 2.8.8 – Missing Authorization to Information Disclosure (sd_php_info)

CSV Importer <= 0.3.8 – Cross-Site Request Forgery

Integrate Google Drive <= 1.3.4 – Cross-Site Request Forgery

WPPerformanceTester <= 2.0.0 – Cross-Site Request Forgery

Social Media Feather <= 2.1.3 – Missing Authorization

SureTriggers <= 1.0.23 – Cross-Site Request Forgery

System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_db_specs)

Block for Font Awesome <= 1.4.0 – Cross-Site Request Forgery

Multi Currency For WooCommerce <= 1.5.5 – Cross-Site Request Forgery

System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_global_value)

WP Booking System <= 2.0.19.2 – Missing Authorization

Elementor Timeline Widget <= 2.0 – Missing Authorization to Notice Dismissal

Custom Post Type Page Template <= 1.1 – Cross-Site Request Forgery

WPsoonOnlinePage <= 1.9 – Cross-Site Request Forgery

Caddy <= 1.9.7 – Cross-Site Request Forgery

First Order Discount Woocommerce <= 1.21 – Cross-Site Request Forgery

Bulk Edit Post Titles <= 5.0.0 – Missing Authorization

Responsive Slick Slider WordPress <= 1.4 – Authenticated (Contributor+) Content Injection

WooDiscuz – WooCommerce Comments <= 2.3.0 – Cross-Site Request Forgery

Post Duplicator <= 2.31 – Missing Authorization via mtphr_duplicate_post

Multiple Themes by KlbTheme <= (Various Versions) – Cross-Site Request Forgery

System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_option_value)

System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_constants)

Eventin <= 3.3.44 – Missing Authorization

Product Enquiry for WooCommerce <= 3.0 – Cross-Site Request Forgery

CSprite <= 1.1 – Cross-Site Request Forgery

BC Menu Bar Cart Icon For WooCommerce By Binary Carpenter <= 1.49.3 – Cross-Site Request Forgery

Welcart e-Commerce <= 2.9.6 – Authenticated (Administrator+) Directory Traversal

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023) appeared first on Wordfence.