Last week, there were 152 vulnerabilities disclosed in 134 WordPress Plugins and 0 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 41 Vulnerability Researchers that contributed to WordPress Security last week. There were more unpatched vulnerabilities than patched last week, so it’s more important than ever to review those vulnerabilities in this report now to ensure your site is not affected and make the appropriate adjustments if your site is.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
81

Patched
71

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
0

Medium Severity
134

High Severity
16

Critical Severity
2

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
93

Cross-Site Request Forgery (CSRF)
30

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
11

Missing Authorization
10

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
2

Deserialization of Untrusted Data
2

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
1

Information Exposure
1

Improper Access Control
1

URL Redirection to Untrusted Site (‘Open Redirect’)
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Lana Codes
30

Marco Wotschka
11

Yuki Haruma
9

yuyudhn
7

Muhammad Daffa
6

LEE SE HYOUNG
6

Rio Darmawan
6

Sajjad Shariati
6

Shreya Pohekar
5

minhtuanact
5

Justiice
4

Ramuel Gall
4

TEAM WEBoB of BoB 11th
3

Mika
3

Ivan Kuzymchak
3

Le Ngoc Anh
3

Erwan LR
3

Cat
3

WPScanTeam
2

Lokesh Dachepalli
2

Nguyen Xuan Chien
2

Joshua Martinelle
1

Rafie Muhammad
1

Rafshanzani Suhada
1

Nguyen Huu Do
1

Ryo Sato
1

Skalucy
1

Shezad Master
1

zhangyunpei
1

Yeting Li VARAS@IIE
1

Ameen Alkurdy
1

Nithissh S
1

Chien Vuong
1

thiennv
1

Alexander Schmid
1

cydave
1

easyBug
1

Daniel Ruf
1

Alex Thomas
1

deokhunKim
1

Lucio Sá
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

AI ChatBot
chatbot

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
armember-membership

Accessibility Suite by Online ADA
online-accessibility

Accordion & FAQ – Helpie WordPress Frequently Asked Questions plugin
helpie-faq

Active Directory Integration / LDAP Integration
ldap-login-for-intranet-sites

ActiveCampaign – Forms, Site Tracking, Live Chat
activecampaign-subscription-forms

Ad Inserter – Ad Manager & AdSense Ads
ad-inserter

Album Gallery – WordPress Gallery
new-album-gallery

ApexChat
apexchat

Avirato hotels online booking engine
avirato-calendar

BBSpoiler
bbspoiler

BadgeOS
badgeos

Best Travel Booking WordPress Plugin, Tour Booking System, Trip Booking WordPress Plugin – Yatra
yatra

Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop
woo-altcoin-payment-gateway

BizLibrary
bizlibrary

Booking calendar, Appointment Booking System
booking-calendar

Button Builder – Buttons X
buttons-x

CMP – Coming Soon & Maintenance Plugin by NiteoThemes
cmp-coming-soon-maintenance

CMS Tree Page View
cms-tree-page-view

Cab Grid
cab-grid

Captcha Them All
captcha-them-all

Category Specific RSS feed Subscription
category-specific-rss-feed-menu

Church Admin
church-admin

Clock In Portal- Staff & Attendance Management
clock-in-portal

Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
contact-form-to-db

Continuous announcement scroller
continuous-announcement-scroller

Custom Post Type List Shortcode
custom-post-type-list-shortcode

Customer Support Software, Live Chat, & Marketing Automation
formilla-chat-and-marketing

Dave’s WordPress Live Search
daves-wordpress-live-search

Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
charitable

EZP Maintenance Mode
easy-pie-maintenance-mode

Easy Ad Manager
easy-ad-manager

Easy Slider Revolution
easy-slider-revolution

Ebook Store
ebook-store

Email posts to subscribers
email-posts-to-subscribers

Enable/Disable Auto Login when Register
auto-login-when-resister

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
essential-blocks

File Gallery
file-gallery

Flyzoo Chat
flyzoo

Form Block
form-block

FormCraft – Contact Form Builder for WordPress
formcraft-form-builder

Formilla Edge Targeted Messaging Platform for Sales and Marketing
formilla-edge

Freshdesk (official)
freshdesk-support

GDPR Compliance & Cookie Consent
gdpr-compliance-cookie-consent

Gallery Metabox
gallery-metabox

Google Analytics Top Content Widget
google-analytics-top-posts-widget

Gps Plotter
gps-plotter

Help Desk WP
helpdeskwp

Image Optimizer by 10web – Image Optimizer and Compression plugin
image-optimizer-wd

Japanized For WooCommerce
woocommerce-for-japan

Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
zero-bs-crm

Kaya QR Code Generator
kaya-qr-code-generator

Kiwiz – Certification de facturation – Woocommerce
woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz

Kodex Posts likes
kodex-posts-likes

LIQUID SPEECH BALLOON
liquid-speech-balloon

Layer Slider
slider-slideshow

LearnPress Export Import – WordPress extension for LearnPress
learnpress-import-export

Live Chat by Formilla – Real-time Chat & Chatbots Plugin
formilla-live-chat

Locatoraid Store Locator
locatoraid

Login Page Styler | Custom Login | Custom WP Admin Login Page | Admin Security | Admin Protection | Login Page Customizer | Admin Login | Login Security | Login Redirect | Theme Login | Login Menu | Login Form | Admin Dashboard | Change Login Logo | Login
login-page-styler

Mail Subscribe List
mail-subscribe-list

Mega Addons For WPBakery Page Builder
mega-addons-for-visual-composer

Membership Database
member-database

Modal Dialog
modal-dialog

Motors – Car Dealer, Classifieds & Listing
motors-car-dealership-classified-listings

NEX-Forms – Ultimate Form Builder – Contact forms and much more
nex-forms-express-wp-form-builder

Ninja Tables – Best Data Table Plugin for WordPress
ninja-tables

OoohBoi Steroids for Elementor
ooohboi-steroids-for-elementor

Panorama – WordPress Project Management Plugin
project-panorama-lite

Post Shortcode
post-shortcode

PowerPress Podcasting plugin by Blubrry
powerpress

Pretty Url
pretty-url

Product Slider For WooCommerce Lite
product-slider-for-woocommerce-lite

PropertyHive
propertyhive

Query Wrangler
query-wrangler

RapidExpCart
rapidexpcart

Redirect After Login
redirect-after-login

Reservation.Studio widget
reservation-studio-widget

Responsive Filterable Portfolio
responsive-filterable-portfolio

ReviewX – Multi-criteria Rating & Reviews for WooCommerce
reviewx

Robokassa payment gateway for Woocommerce
robokassa

Semalt Blocker
semalt

ShopEngine – Elementor WooCommerce Builder Addons, Variation Swatches, Wishlist, Products Compare – All in One Solution
shopengine

Shortcode IMDB
shortcode-imdb

Simple Share Buttons Adder
simple-share-buttons-adder

Simple Tooltips
simple-tooltips

SiteAlert – Uptime, Speed, and Security Monitoring for WordPress
my-wp-health-check

Sloth Logo Customizer
sloth-logo-customizer

Smart WooCommerce Search
smart-woocommerce-search

Social Share Boost
social-share-boost

SparkPost
sparkpost

Stock Exporter for WooCommerce
stock-exporter-for-woocommerce

Stream
stream

Subscribers – Free Web Push Notifications
subscribers-com

Tablesome – Data table & Workflow Automation ( Contact Form Entries, Email Log, OpenAI / ChatGPT )
tablesome

TaxoPress is the WordPress Tag, Category, and Taxonomy Manager
simple-tags

The School Management – Education & Learning Management
school-management-system

Themify Portfolio Post
themify-portfolio-post

Thumbnail carousel slider
wp-responsive-thumbnail-slider

Uji Popup
uji-popup

Ultimate Carousel For Elementor
ultimate-carousel-for-elementor

Ultimate Carousel For WPBakery Page Builder
ultimate-carousel-for-visual-composer

Update Image Tag Alt Attribute
update-alt-attribute

Verified Reviews (Avis Vérifiés)
netreviews

Video Grid
video-grid

Video List Manager
video-list-manager

Visual CSS Style Editor
yellow-pencil-visual-theme-customizer

WCP Contact Form
wcp-contact-form

WP Cerber Security, Anti-spam & Malware Scan
wp-cerber

WP Custom Author URL
wp-custom-author-url

WP Docs
wp-docs

WP Links Page
wp-links-page

WP Login Box
wp-login-box

WP Original Media Path
wp-original-media-path

WP Popups – WordPress Popup builder
wp-popups-lite

WP Responsive Tabs horizontal vertical and accordion Tabs
responsive-horizontal-vertical-and-accordion-tabs

WP-FormAssembly
formassembly-web-forms

WP-dTree
wp-dtree-30

WPJAM Basic
wpjam-basic

White Label Branding for Elementor Page Builder
white-label-branding-elementor

WooCommerce Easy Duplicate Product
woo-easy-duplicate-product

WooCommerce Order Status Change Notifier
woocommerce-order-status-change-notifier

Woocommerce Email Report
wooemailreport

Woocommerce Products Designer by ORION – online product customizer for t-shirts, print cards, phone cases Lettering & Decals
woocommerce-products-designer

WordPress Header Builder Plugin – Pearl
pearl-header-builder

Wp-D3
wp-d3

YARPP – Yet Another Related Posts Plugin
yet-another-related-posts-plugin

YML for Yandex Market
yml-for-yandex-market

YourChannel: Everything you want in a YouTube plugin.
yourchannel

Zendesk Support for WordPress
zendesk

eRocket
erocket

f(x) TOC
fx-toc

miniOrange’s Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login
miniorange-2-factor-authentication

vSlider Multi Image Slider for WordPress
vslider

Vulnerability Details

Email posts to subscribers <= 6.2 – Unauthenticated SQL Injection

Bitcoin / AltCoin Payment Gateway for WooCommerce <= 1.7.1 – Unauthenticated SQL Injection

ReviewX – Multi-criteria Rating & Reviews for WooCommerce <= 1.6.8 – Authenticated (Subscriber+) SQL Injection

YARPP <= 5.30.2 – Authenticated (Subscriber+) Local File Inclusion

Accessibility Suite by Online ADA <= 4.11 – Authenticated (Subscriber+) SQL Injection

Avirato hotels online booking engine <= 5.0.5 – Authenticated (Subscriber+) SQL Injection

Contact Form to DB by BestWebSoft <= 1.7.0 – Authenticated (Contributor+) SQL Injection via cntctfrmtdb_department

Kiwiz – Certification de facturation – Woocommerce <= 2.1.3 – Unauthenticated Arbitrary File Download

miniOrange’s Google Authenticator <= 5.6.5 – Missing Authorization to Plugin Settings Change

Jetpack CRM <= 5.3.1 – Cross-Site Request Forgery and PHAR Deserialization

The School Management – Education & Learning Management <= 4.1 – Authenticated (Administrator+) SQL Injection

Ad Inserter <= 2.7.25 – Authenticated (Admin+) PHP Object Injection

Shortcode IMDB <= 6.0.8 – Authenticated (Administrator+) SQL Injection

WP Cerber Security <= 9.1 – Unauthenticated Stored Cross-Site Scripting

Video List Manager <= 1.7 – Authenticated (Admin+) SQL Injection

Help Desk WP <= 1.2.0 – Authenticated (Editor+) Stored Cross-Site Scripting

Booking calendar, Appointment Booking System <= 3.2.6 – Authenticated (Administrator+) SQL Injection via *_selected

NEX-Forms <= 8.3.3 – Authenticated (Administrator+) SQL Injection

Ebook Store <= 5.775 – Missing Authorization via ebook_store_export_orders

f(x) TOC <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Easy Slider Revolution <= 1.0.0 – Authenticated (Author+) Stored Cross-Site Scripting via esrcpt_slider_allow_iframes_filter

Button Builder – Buttons X <= 0.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Uji Popup <= 1.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via uji_popup_code shortcode

WPJAM Basic <= 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

ActiveCampaign – Forms, Site Tracking, Live Chat <= 8.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Mail Subscribe List <= 2.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via smlsubform shortcode

BBSpoiler <= 2.01 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Product Slider For WooCommerce Lite <= 1.1.7 – Authenticated(Contributor+) Stored Cross-Site Scripting via Meta Keys

Wp-D3 <= 2.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Social Share Boost <= 4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via ssboost shortcode

WP Links Page <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

WP-FormAssembly <= 2.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Mega Addons For WPBakery Page Builder <= 4.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

WP Popups – WordPress Popup builder <= 2.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Ultimate Carousel For Elementor <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

Custom Post Type List Shortcode <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

File Gallery <= 1.8.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via file_gallery_shortcode

Ultimate Carousel For WPBakery Page Builder <= 2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

FormCraft <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via fcb shortcode

Post Shortcode <= 2.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Kaya QR Code Generator <= 1.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via qrCode attribute

vSlider Multi Image Slider <= 4.1.2 – Cross-Site Request Forgery

WP Docs <= 1.9.8 – Missing Authorization via multiple AJAX actions

Membership Database <= 1.0 – Reflected Cross-Site Scripting

CMS Tree Page View <= 1.6.7 – Reflected Cross-Site Scripting

Church Admin <= 3.7.5 – Reflected Cross-Site Scripting

Update Image Tag Alt Attribute <= 2.4.5 – Reflected Cross-Site Scripting

Charitable <= 1.7.0.10 – Reflected Cross-Site Scripting

WCP Contact Form <= 3.1.0 – Reflected Cross-Site Scripting via tab parameter

Google Analytics Top Content Widget <= 1.5.5 – Reflected Cross-Site Scripting

RapidExpCart <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

ChatBot <= 4.4.4 – Unauthenticated Stored Cross-Site Scripting via Cross-Site Request Forgery

WooCommerce Easy Duplicate Product <= 0.3.0.0 – Reflected Cross-Site Scripting via wedp_duplicated

Tablesome <= 1.0.8 – Reflected Cross-Site Scripting

YellowPencil Visual CSS Style Editor <= 7.5.8 – Reflected Cross-Site Scripting liveLink

Sloth Logo Customizer <= 2.0.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Modal Dialog <= 3.5.14 – Reflected Cross-Site Scripting

Thumbnail carousel slider <= 1.1.9 – Reflected Cross-Site Scripting

Yml for Yandex Market <= 3.10.7 – Reflected Cross-Site Scripting

Woocommerce Email Report <= 2.4 – Unauthenticated Cross-Site Scripting

Stock Exporter for WooCommerce <= 1.1.0 – Reflected Cross-Site Scripting

Query Wrangler <= 1.5.51 – Reflected Cross-Site Scripting via page parameter

Video Grid <= 1.21 – Reflected Cross-Site Scripting

RapidExpCart <= 1.0 – Authenticated (Level 8/Administrator+) Stored Cross-Site Scripting

Video Grid <= 1.21 – Reflected Cross-Site Scripting

Responsive Filterable Portfolio <= 1.0.19 – Reflected Cross-Site Scripting

Japanized For WooCommerce <= 2.5.6 – Reflected Cross-Site Scripting

PropertyHive <= 1.5.48 – Reflected Cross-Site Scripting via date_post_id

Thumbnail carousel slider <= 1.1.9 – Reflected Cross-Site Scripting

ARMember <= 4.0 – Reflected Cross-Site Scripting

WP Responsive Tabs horizontal vertical and accordion Tabs <= 1.1.15 – Reflected Cross-Site Scripting

Themify Portfolio Post <= 1.2.2 – Authenticated (Editor+) Stored Cross-Site Scripting

TaxoPress <= 3.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting

TaxoPress <= 3.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting

YourChannel <= 1.2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

TaxoPress <= 3.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting

Motors – Car Dealer & Classified Ads <= 1.4.4 – Cross-Site Request Forgery via Multiple Functions

LearnPress – Export/Import Courses <= 4.0.2 – Reflected Cross-Site Scripting

PowerPress <= 10.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Smart WooCommerce Search <= 2.5.0 – Missing Authorization

ShopEngine <= 4.1.1 – Cross-Site Request Forgery

Freshdesk (official) <= 1.7 – Open Redirect

Locatoraid Store Locator <= 3.9.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Active Directory Integration / LDAP Integration <= 4.1.0 – Unauthenticated Information Disclosure

CMP – Coming Soon & Maintenance <= 4.1.7 – Maintenance Mode Bypass

Helpie FAQ <= 1.9.6 – Reflected Cross-Site Scripting

Formilla Live Chat <= 1.3.0 – Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaID’

Dave’s WordPress Live Search <= 4.8.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Yatra <= 2.1.13 – Authenticated (Administrator+) Stored Cross-Site Scripting

Ebook Store <= 5.775 – Authenticated (Administrator+) Stored Cross-Site Scripting

WP Original Media Path <= 2.4.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Verified Reviews (Avis Vérifiés) <= 2.3.13 – Authenticated (Administrator+) Stored Cross-Site Scripting

Login Page Styler <= 6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

WP Custom Author URL <= 1.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Formilla Edge <= 1.0 – Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaPluginID’

Captcha Them All <= 1.3.3 – Authenticated (Admin+) Stored Cross-Site Scripting

WP Login Box <= 2.0.2 – Authenticated (Admin+) Stored Cross-Site Scripting

Subscribers – Free Web Push Notifications <= 1.5.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Pretty Url <= 1.5.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Flyzoo Chat <= 2.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Robokassa payment gateway for Woocommerce <= 1.4.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

White Label Branding for Elementor Page Builder <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Category Specific RSS feed Subscription <= v2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Formilla Chat and Marketing Automation <= 1.0 – Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaToolsID’

Semalt Blocker <= 1.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

SparkPost <= 3.2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

EZP Maintenance Mode <= 1.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Redirect After Login <= 0.1.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

GPS Plotter <= 5.1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

WP-dTree <= 4.4.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Panorama – WordPress Project Management Plugin <= 1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Continuous announcement scroller <= 13.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

ApexChat <= 1.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Simple Tooltips <= 2.1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Cab Grid <= 1.5.15 – Authenticated (Administrator+) Stored Cross-Site Scripting

Image Optimizer WD <= 1.0.26 – Authenticated (Administrator+) Stored Cross-Site Scripting

BizLibrary <= 1.1 – Authenticated (Admin+) Stored Cross-Site Scripting

Easy Ad Manager <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

eRocket <= 1.2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Ninja Tables <= 4.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

GDPR Compliance & Cookie Consent <= 1.2 – Cross-Site Request Forgery

Image Optimizer by 10web <= 1.0.25 – Directory Traversal to Information Exposure

Essential Blocks <= 4.0.6 – Missing Authorization via get

Album Gallery – WordPress Gallery <= 1.4.9 – Cross-Site Request Forgery via album-gallery-column-settings.php

Layer Slider <= 1.1.9.6 – Cross-Site Request Forgery via save_slide_ajax

Enable/Disable Auto Login when Register <= 1.1.0 Cross-Site Request Forgery

Zendesk Support for WordPress <= 1.8.4 – Cross-Site Request Forgery

LIQUID SPEECH BALLOON <= 1.1.8 – Cross-Site Request Forgery to Settings Update

Ninja Tables <= 4.3.4 – Cross-Site Request Forgery

Clock In Portal <= 2.1 – Cross-Site Request Forgery To Staff Deletion

Clock In Portal <= 2.1 – Cross-Site Request Forgery to Holidays Deletion

WP Docs <= 1.9.8 – Cross-Site Request Forgery to folder management

Pearl <= 1.3.4 – Cross-Site Request Forgery via stm_hb_save_settings

WooCommerce Order Status Change Notifier <= 1.1.0 – Authenticated (Subscriber+) Arbitrary Order Status Update

Woocommerce Product Designer <= 4.3.3 – Cross-Site Request Forgery

Kodex Posts likes <= 2.4.3 – Cross-Site Request Forgery

Reservation.Studio widget <= 1.0.9 – Cross-Site Request Forgery via plugin settings

BadgeOS <= 3.7.1.6 – Cross-Site Request Forgery

Essential Blocks <= 4.0.6 – Missing Authorization via template_count

Gallery Metabox <= 1.5 – Cross-Site Request Forgery via gallery_remove

Essential Blocks <= 4.0.6 – Missing Authorization via templates

SiteAlert (Formerly WP Health) <= 1.9.7 – Cross-Site Request Forgery

OoohBoi Steroids for Elementor <= 2.1.4 – Missing Authorization leading to Authenticated (Subscriber+) Image Upload

Clock In Portal <= 2.1 – Cross-Site Request Forgery To Designation Deletion

Form Block <= 1.0.1 – Cross-Site Request Forgery

Clock In Portal <= 2.1 – Cross-Site Request Forgery to Designation Deletion

Essential Blocks <= 4.0.6 – Cross-Site Request Forgery via save

Clock In Portal <= 2.1 – Cross-Site Request Forgery to Staff Deletion

Clock In Portal <= 2.1 – Cross-Site Request Forgery To Holiday Deletion

Simple Share Buttons Adder <= 8.4.6 – Cross-Site Request Forgery

Stream <= 3.9.2 – Cross-Site Request Forgery

Essential Blocks <= 4.0.6 – Missing Authorization via save

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 17, 2023 to Apr 23, 2023) appeared first on Wordfence.