Last week, there were 139 vulnerabilities disclosed in 105 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Essential Addons for Elementor <= 5.7.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation

This vulnerability is being actively exploited. We have blocked over 600 exploit attempts in the past 24 hours, and expect this to continue. You can read more about this here. 

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
47

Patched
92

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
2

Medium Severity
119

High Severity
13

Critical Severity
5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
64

Cross-Site Request Forgery (CSRF)
31

Missing Authorization
23

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
8

Deserialization of Untrusted Data
2

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
2

URL Redirection to Untrusted Site (‘Open Redirect’)
2

Use of Less Trusted Source
1

Incorrect Authorization
1

Unrestricted Upload of File with Dangerous Type
1

Improper Authorization
1

Authorization Bypass Through User-Controlled Key
1

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
1

Unverified Password Change
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Lana Codes
Wordfence Vulnerability Researcher
14

Rafie Muhammad
12

minhtuanact
7

thiennv
6

Dave Jong
5

Mika
5

apple502j
4

Rio Darmawan
4

Abdi Pranata
4

yuyudhn
4

Marco Wotschka
Wordfence Vulnerability Researcher
4

Taihei Shimamine
4

Alex Thomas
Wordfence Vulnerability Researcher
4

Pavak Tiwari
3

Lokesh Dachepalli
3

Darius Sveikauskas
2

OZ1NG (TOOR, LISA)
2

Justiice
2

konagash
2

Jonas Höbenreich
2

Yash Kanchhal
2

Nguyen Xuan Chien
2

Chloe Chamberland 
Wordfence Vulnerability Researcher
2

Yuki Haruma
1

Taurus Omar
1

Nguyen Anh Tien
1

Ilyase Dehy
1

Aymane Mazguiti
1

Emili Castells
1

LEE SE HYOUNG
1

rezaduty
1

Le Ngoc Anh
1

Monkey Wrench Inc.
1

deokhunKim
1

Simone Onofri
1

Donato Onofri
1

Skalucy
1

Badromance 1337
1

Johan Kragt
1

Felipe Restrepo Rodriguez
1

WPScanTeam
1

Erwan LR
1

Mahesh Nagabhairava
1

rSolutions Security Team
1

easyBug
1

Shuya Ota
1

TEAM WEBoB of BoB 11th
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

10Web Social Post Feed
wd-facebook-feed

Active Directory Integration / LDAP Integration
ldap-login-for-intranet-sites

Add Posts to Pages
add-posts-to-pages

Announcement & Notification Banner – Bulletin
bulletin-announcements

Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
stopbadbots

Block Referer Spam
block-referer-spam

Booking Ultra Pro Appointments Booking Calendar Plugin
booking-ultra-pro

Brands for WooCommerce
brands-for-woocommerce

Button
button

CALL ME NOW
lokalyze-call-now

CM On Demand Search And Replace
cm-on-demand-search-and-replace

Column-Matic
column-matic

Community by PeepSo – Social Network, Membership, Registration, User Profiles
peepso-core

Complianz – GDPR/CCPA Cookie Consent
complianz-gdpr

Custom Base Terms
custom-base-terms

Custom Field Suite
custom-field-suite

DBargain
d-bargain

DevBuddy Twitter Feed
devbuddy-twitter-feed

Directorist – WordPress Business Directory Plugin with Classified Ads Listings
directorist

Don8
don8

Donations Made Easy – Smart Donations
smart-donations

Download Manager
download-manager

Download Monitor
download-monitor

Dyslexiefont Free
dyslexiefont

Easy Form by AYS
easy-form

Easy Hide Login
easy-hide-login

Elementor Website Builder
elementor

Essential Addons for Elementor
essential-addons-for-elementor-lite

ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
google-analytics-dashboard-for-wp

Featured Image Pro Post Grid
featured-image-pro

Forget About Shortcode Buttons
forget-about-shortcode-buttons

Free WordPress Lead Generation Opt in, Free Popups, Generated Lead Email Popup, Exit-Intent Popup – NotifyVisitors
notifyvisitors-lead-form

Frontend Post WordPress Plugin – AccessPress Anonymous Post
accesspress-anonymous-post

GTmetrix for WordPress
gtmetrix-for-wordpress

Get your number
get-your-number

GiveWP – Donation Plugin and Fundraising Platform
give

Google Site Verification plugin using Meta Tag
google-site-verification-using-meta-tag

Hide My WP Ghost – Security Plugin
hide-my-wp

Hostel
hostel

Hyphenator
hyphenator

Injection Guard
injection-guard

LetterPress – E-Mail campaigns, marketing and newsletter Plugin for WordPress
letterpress

Link Whisper Free
link-whisper

Locatoraid Store Locator
locatoraid

MW WP Form
mw-wp-form

MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder
mailchimp-subscribe-sm

Manager for Icomoon
manager-for-icomoon

MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
google-analytics-for-wordpress

My WP Customize Admin/Frontend
my-wp

Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
mailin

Order Your Posts Manually
order-your-posts-manually

Owl Carousel
owl-carousel

Pinterest RSS Widget
pinterest-rss-widget

Portfolio Gallery – Responsive Image Gallery
gallery-portfolio

Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions
buddyforms

Post Snippets – Custom WordPress Code Snippets Customizer
post-snippets

Post State Tags
post-state-tags

Pricing Table Builder – AP Pricing Tables Lite
ap-pricing-tables-lite

Pro Mime Types
pro-mime-types

Product page shipping calculator for WooCommerce
product-page-shipping-calculator-for-woocommerce

QuBot – Chatbot Builder with Templates
qubotchat

Quick Page/Post Redirect Plugin
quick-pagepost-redirect-plugin

Radio Station by netmix® – Manage and play your Show Schedule in WordPress!
radio-station

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
custom-registration-form-builder-with-submission-manager

Restaurant Menu – Food Ordering System – Table Reservation
menu-ordering-reservations

SALERT – Fake Sales Notification WooCommerce
salert

SEO by 10Web
seo-by-10web

ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization
shortpixel-adaptive-images

Simple Calendar – Google Calendar Plugin
google-calendar-events

Slimstat Analytics
wp-slimstat

Snow Monkey Forms
snow-monkey-forms

SoundCloud Is Gold
soundcloud-is-gold

Sunny Search
fast-search-powered-by-solr

Team Circle Image Slider With Lightbox
circle-image-slider-with-lightbox

Ultimate Addons for Contact Form 7
ultimate-addons-for-contact-form-7

VK All in One Expansion Unit
vk-all-in-one-expansion-unit

VK Blocks
vk-blocks

VK Blocks Pro
vk-blocks-pro

WCP Contact Form
wcp-contact-form

WP Abstracts
wp-abstracts-manuscripts-manager

WP All Backup
wp-all-backup

WP Category Post List Widget
wp-category-posts-list

WP Chinese Conversion
wp-chinese-conversion

WP Multi Store Locator
wp-multi-store-locator

WP Reactions Lite
wp-reactions-lite

WP Register Profile With Shortcode
wp-register-profile-with-shortcode

WP Replicate Post
wp-replicate-post

WP Responsive Tabs horizontal vertical and accordion Tabs
responsive-horizontal-vertical-and-accordion-tabs

WP-Chatbot for Messenger
wp-chatbot

WPCS – WordPress Currency Switcher Professional
currency-switcher

Web Stories for WordPress
UNKNOWN-CVE-2023-1979-1

Whydonate – FREE Donate button – Crowdfunding – Fundraising
wp-whydonate

Wise Chat
wise-chat

Woo Custom Emails
woo-custom-emails

Woodmart Core
woodmart-core

WordPress Online Booking and Scheduling Plugin – Bookly
bookly-responsive-appointment-booking-tool

YITH WooCommerce Gift Cards Premium
yith-woocommerce-gift-cards-premium

Yoast SEO Premium
wordpress-seo-premium

Yoast SEO: Local
wpseo-local

Zero Spam for WordPress
zero-spam

eBecas
ebecas

iframe popup
iframe-popup

itemprop WP for SERP/SEO Rich snippets
itempropwp

weebotLite
weebotlite

wordpress vertical image slider plugin
wp-vertical-image-slider

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

Divi
Divi

Woodmart
woodmart

Vulnerability Details

Woodmart Core <= 1.0.36 – Missing Authorization to Privilege Escalation

Manager for Icomoon <= 2.0 – Unauthenticated Arbitrary File Upload via ‘upload’

Essential Addons for Elementor <= 5.7.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation

Woodmart Core <= 1.0.36 – PHP Object Injection

Ultimate Addons for Contact Form 7 <= 3.1.23 – Unauthenticated SQL Injection via form_id

WP Replicate Post <= 4.0.2 – Authenticated (Contributor+) SQL Injection

Bookly <= 21.7.1 – Arbitrary File Deletion

Booking Ultra Pro <= 1.1.4 – Unauthenticated Stored Cross-Site Scripting

Zero Spam for WordPress <= 5.4.4 – Authenticated(Administrator+) SQL Injection

Active Directory Integration / LDAP Integration <= 4.1.4 – Authenticated (Administrator+) SQL Injection

Slimstat Analytics <= 5.0.4 – Authenticated (Administrator+) SQL Injection

Order Your Posts Manually <= 2.2.5 – Authenticated (Administrator+) SQL Injection via ‘sortdata’

AP Pricing Tables Lite <= 1.1.6 – Authenticated (Admin+) SQL Injection

WP Chinese Conversion <= 1.1.16 – Unauthenticated Stored Cross-Site Scripting

Zero Spam <= 5.4.4 – Authenticated (Administrator+) SQL Injection

QuBotChat <= 1.1.5 – Unauthenticated Stored Cross-Site Scripting

Directorist <= 7.5.3 – Authenticated (Administrator+) Local File Inclusion

Booking Ultra Pro <= 1.1.4 – Unauthenticated Stored Cross-Site Scripting

GiveWP <= 2.25.3 – Authenticated (Admin+) PHP Object Injection

RegistrationMagic <= 5.2.0.5 – Authenticated (Admin+) Insecure Direct Object Reference to Arbitrary User Password Change

YITH WooCommerce Gift Cards Premium <= 3.23.1 – Missing Authorization

Portfolio Gallery – Responsive Image Gallery <= 1.4.5 – Missing Authorization to Arbitrary Gallery Deletion

Hide My WP Ghost – Security Plugin <= 5.0.18 – IP Address Spoofing to Protection Mechanism Bypass

Pro Mime Types – Manage file media types <= 1.0.7 – Cross-Site Request Forgery via pmt_settings_section_callback_tab_1

VK Blocks <= 1.53.0.1 – Stored (Contributor+) Cross-Site Scripting in Post

Add Posts to Pages <= 1.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

WP Category Post List Widget <= 2.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

VK All in One Expansion Unit <= 9.88.1.0 – Stored (Contributor+) Cross-Site Scripting in CTA Post

Pinterest RSS Widget <= 2.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Post, Registration and Profile Form Builder – FrontEnd Editor BuddyForms – Easy WordPress Forms <= 2.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

VK All in One Expansion Unit <= 9.88.1.0 – Stored (Contributor+) Cross-Site Scripting in Profile Setting

SALERT <= 1.2.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting

ExactMetrics <= 7.14.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Brands for WooCommerce <= 3.7.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Owl Carousel <= 0.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Download Manager <= 3.2.70 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

WP Multi Store Locator <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

WPCS – WordPress Currency Switcher Professional <= 1.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Divi <= 4.20.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Google Analytics by Monster Insights <= 8.14.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

VK Blocks <= 1.53.0.1 – Stored (Contributor+) Cross-Site Scripting in Tag Edit

Locatoraid Store Locator <= 3.9.18 – Authenticated (Subscriber+) Stored Cross-Site Scripting

WoodMart <= 7.2.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Announcement & Notification Banner – Bulletin <= 3.7.0 – Cross-Site Request Forgery

Announcement & Notification Banner – Bulletin <= 3.6.0 – Missing Authorization Checks

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_script_save

Featured Image Pro Post Grid <= 5.14 – Reflected Cross-Site Scripting via page

Team Circle Image Slider With Lightbox <= 1.0.17 – Reflected Cross-Site Scripting

Radio Station <= 2.4.0.9 – Reflected Cross-Site Scripting

WP Abstracts <= 2.6.1 – Reflected Cross-Site Scripting

wordpress vertical image slider plugin <= 1.2.16 – Reflected Cross-Site Scripting

Menu – Ordering – Reservations <= 2.3.6 – Reflected Cross-Site Scripting via ‘redirect’

Donations Made Easy – Smart Donations <= 4.0.12 – Reflected Cross-Site Scripting

Slimstat Analytics <= 5.0.4 – Reflected Cross-Site Scripting

Order Your Posts Manually <= 2.2.5 – Reflected Cross-Site Scripting via ‘_user_request’

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_script_add

MailChimp Subscribe Forms <= 4.0.9.1 – Open Redirect

GTmetrix for WordPress <= 0.4.6 – Reflected Cross-Site Scripting via ‘report_id’ and ‘event_id’

Yoast SEO: Local <= 14.8 – Reflected Cross-Site Scripting

Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.60 – Reflected Cross-Site Scripting via ‘lang’

10Web Social Post Feed <= 1.2.8 – Reflected Cross-Site Scripting

WP Responsive Tabs horizontal vertical and accordion Tabs <= 1.1.15 – Reflected Cross-Site Scripting

Post State Tags <= 2.0.6 – Cross-Site Request Forgery to Settings Reset

WP-Chatbot for Messenger <= 4.7 – Missing Authorization

Hyphenator <= 5.1.5 – Cross-Site Request Forgery to Settings Update

ShortPixel Adaptive Images <= 3.7.1 – Cross-Site Request Forgery via shortpixel_ai_handle_page_action

Elementor <= 3.13.1 – Missing Authorization to Settings Update

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_delete_snapshot

Order Your Posts Manually <= 2.2.5 – Reflected Cross-Site Scripting via ‘cat_id’

Download Monitor <= 4.7.60 – Sensitive Information Exposure via REST API

WP All Backup <= 2.4.3 – Cross-Site Request Forgery to Backup Storage Modification

WCP Contact Form <= 3.1.0 – Missing Authorization

WCP Contact Form <= 3.1.0 – Missing Authorization via downloadCsv

Link Whisper Free <= 0.6.3 – Missing Authorization via init()

Woo Custom Emails <= 2.2 – Missing Authorization to Unauthenticated Settings Change

Snow Monkey Forms <= 5.0.6 – Directory Traversal via ‘view’ REST endpiont

Injection Guard <= 1.2.1 – Missing Authorization to Whitelist Update

Yoast SEO Premium <= 20.4 – Missing Authorization to Zapier Key Reset

MW WP Form <= 4.4.2 – Directory Traversal via _file_upload

WP Register Profile With Shortcode <= 3.5.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Post Snippets <= 4.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘snippet_content’

SEO By 10Web <= 1.2.6 – Authenticated (Admin+) Stored Cross-Site Scripting

iframe popup <= 3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Get Your Number <= 1.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

eBecas <= 3.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Product page shipping calculator for WooCommerce <= 1.3.25 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

StopBadBots <= 7.31 – Authenticated (Administrator+) Stored Cross-Site Scripting

itemprop WP for SERP/SEO Rich snippets <= 3.5.201706131 – Authenticated (Administrator+) Stored Cross-Site Scripting

weebotLite <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

My WP Customize Admin/Frontend <= 1.21.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Easy Hide Login <= 1.0.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Easy Form by AYS <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

DevBuddy Twitter Feed <= 4.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Button <= 1.1.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

Custom Field Suite <= 2.6.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Column-Matic <= 1.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Don8 <= 0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Sunny Search <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Hostel <= 1.1.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Quick Page/Post Redirect <= 5.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

LetterPress <= 1.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

NotifyVisitors <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

DBargain <= 3.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Custom Base Terms <= 1.0.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘base’

CALL ME NOW <= 3.0 – Cross-Site Request Forgery

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via maybe_install_suggested_plugins

WoodMart <= 7.2.1 – Missing Authorization

Soundcloud Is Gold <= 2.5.1 – Missing Authorization to Soundcloud User Add

Injection Guard <= 1.2.1 – Cross-Site Request Forgery to Whitelist Update

Forget About Shortcode Buttons <= 2.1.2 – Missing Authorization via fasc_buttons

Simple Calendar <= 3.1.43 – Cross-Site Request Forgery to Transient Cache Clearing

Wise Chat <= 3.1.3 – Cross-Site Request Forgery

Easy Hide Login <= 1.0.8 – Cross-Site Request Forgery

Injection Guard <= 1.2.1 – Cross-Site Request Forgery via ig_update

WP Reactions Lite <= 1.3.8 – Cross-Site Request Forgery via AJAX action

Injection Guard <= 1.2.1 – Missing Authorization via ig_update

Web Stories for WordPress <= 1.31.0 – Insufficient Authorization

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_create_pages

Yoast SEO: Local <= 14.8 – Cross-Site Request Forgery

Community by PeepSo <= 6.0.9.0 – Cross-Site Request Forgery to Field Duplication

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_edit_item

Sunny Search <= 1.0.2 – Cross-Site Request Forgery to Settings Update

Booking Ultra Pro <= 1.1.4 – Missing Authorization via save_fields_settings

Download Manager <= 3.2.70 – Insufficient Authorization to Information Disclosure

Pro Mime Types <= 1.0.7 – Cross-Site Request Forgery

WPCS – WordPress Currency Switcher Professional <= 1.1.9 – Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Deletion

SALERT <= 1.2.1 – Missing Authorization via salert_save_settings_with_ajax()

AccessPress Anonymous Post <= 2.8.4 – Authenticated (Contributor+) Arbitrary Redirect

WPCS – WordPress Currency Switcher Professional <= 1.1.9 – Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Editing

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via run_sync

Dyslexiefont Free <= 1.0.0 – Cross-Site Request Forgery

WPCS – WordPress Currency Switcher Professional <= 1.1.9 – Missing Authorization to Custom Drop-Down Currency Switcher Creation

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via cmplz_duplicate_cookiebanner

Whydonate – FREE Donate button <= 3.12.13 – Cross-Site Request Forgery

Google Site Verification plugin using Meta Tag <= 1.2 – Cross-Site Request Forgery

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via cmplz_delete_cookiebanner

CM On Demand Search And Replace <= 1.3.0 – Cross-Site Request Forgery

Block Referer Spam <= 1.1.9.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Active Directory Integration / LDAP Integration <= 4.1.4 – Cross-Site Request Forgery to SQL Injection

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 8, 2023 to May 14, 2023) appeared first on Wordfence.