Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 17, 2023 to Apr 23, 2023)
Last week, 152 vulnerabilities disclosed in 134 WordPress plugins and 0 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 41 vulnerability researchers contributed to WordPress security. More of those vulnerabilities were unpatched (81) than patched (71), so it is more important than ever to review this report now, check whether any plugin listed in it is installed on your site, and update or remove it if so.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
| --- | --- |
Unpatched | 81 |
Patched | 71 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
| --- | --- |
Low Severity | 0 |
Medium Severity | 134 |
High Severity | 16 |
Critical Severity | 2 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 93 |
Cross-Site Request Forgery (CSRF) | 30 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 11 |
Missing Authorization | 10 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
Deserialization of Untrusted Data | 2 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
Information Exposure | 1 |
Improper Access Control | 1 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
| --- | --- |
Lana Codes | 30 |
Marco Wotschka | 11 |
Yuki Haruma | 9 |
yuyudhn | 7 |
Muhammad Daffa | 6 |
LEE SE HYOUNG | 6 |
Rio Darmawan | 6 |
Sajjad Shariati | 6 |
Shreya Pohekar | 5 |
minhtuanact | 5 |
Justiice | 4 |
Ramuel Gall | 4 |
TEAM WEBoB of BoB 11th | 3 |
Mika | 3 |
Ivan Kuzymchak | 3 |
Le Ngoc Anh | 3 |
Erwan LR | 3 |
Cat | 3 |
WPScanTeam | 2 |
Lokesh Dachepalli | 2 |
Nguyen Xuan Chien | 2 |
Joshua Martinelle | 1 |
Rafie Muhammad | 1 |
Rafshanzani Suhada | 1 |
Nguyen Huu Do | 1 |
Ryo Sato | 1 |
Skalucy | 1 |
Shezad Master | 1 |
zhangyunpei | 1 |
Yeting Li | 1 |
Ameen Alkurdy | 1 |
Nithissh S | 1 |
Chien Vuong | 1 |
thiennv | 1 |
Alexander Schmid | 1 |
cydave | 1 |
easyBug | 1 |
Daniel Ruf | 1 |
Alex Thomas | 1 |
deokhunKim | 1 |
Lucio Sá | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your discoveries to us also gets your name added to the Wordfence Intelligence leaderboard and mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| --- | --- |
AI ChatBot | chatbot |
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
Accessibility Suite by Online ADA | online-accessibility |
Accordion & FAQ – Helpie WordPress Frequently Asked Questions plugin | helpie-faq |
Active Directory Integration / LDAP Integration | ldap-login-for-intranet-sites |
ActiveCampaign – Forms, Site Tracking, Live Chat | activecampaign-subscription-forms |
Ad Inserter – Ad Manager & AdSense Ads | ad-inserter |
Album Gallery – WordPress Gallery | new-album-gallery |
ApexChat | apexchat |
Avirato hotels online booking engine | avirato-calendar |
BBSpoiler | bbspoiler |
BadgeOS | badgeos |
Best Travel Booking WordPress Plugin, Tour Booking System, Trip Booking WordPress Plugin – Yatra | yatra |
Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop | woo-altcoin-payment-gateway |
BizLibrary | bizlibrary |
Booking calendar, Appointment Booking System | booking-calendar |
Button Builder – Buttons X | buttons-x |
CMP – Coming Soon & Maintenance Plugin by NiteoThemes | cmp-coming-soon-maintenance |
CMS Tree Page View | cms-tree-page-view |
Cab Grid | cab-grid |
Captcha Them All | captcha-them-all |
Category Specific RSS feed Subscription | category-specific-rss-feed-menu |
Church Admin | church-admin |
Clock In Portal- Staff & Attendance Management | clock-in-portal |
Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress | contact-form-to-db |
Continuous announcement scroller | continuous-announcement-scroller |
Custom Post Type List Shortcode | custom-post-type-list-shortcode |
Customer Support Software, Live Chat, & Marketing Automation | formilla-chat-and-marketing |
Dave’s WordPress Live Search | daves-wordpress-live-search |
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress | charitable |
EZP Maintenance Mode | easy-pie-maintenance-mode |
Easy Ad Manager | easy-ad-manager |
Easy Slider Revolution | easy-slider-revolution |
Ebook Store | ebook-store |
Email posts to subscribers | email-posts-to-subscribers |
Enable/Disable Auto Login when Register | auto-login-when-resister |
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks |
File Gallery | file-gallery |
Flyzoo Chat | flyzoo |
Form Block | form-block |
FormCraft – Contact Form Builder for WordPress | formcraft-form-builder |
Formilla Edge Targeted Messaging Platform for Sales and Marketing | formilla-edge |
Freshdesk (official) | freshdesk-support |
GDPR Compliance & Cookie Consent | gdpr-compliance-cookie-consent |
Gallery Metabox | gallery-metabox |
Google Analytics Top Content Widget | google-analytics-top-posts-widget |
Gps Plotter | gps-plotter |
Help Desk WP | helpdeskwp |
Image Optimizer by 10web – Image Optimizer and Compression plugin | image-optimizer-wd |
Japanized For WooCommerce | woocommerce-for-japan |
Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation | zero-bs-crm |
Kaya QR Code Generator | kaya-qr-code-generator |
Kiwiz – Certification de facturation – Woocommerce | woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz |
Kodex Posts likes | kodex-posts-likes |
LIQUID SPEECH BALLOON | liquid-speech-balloon |
Layer Slider | slider-slideshow |
LearnPress Export Import – WordPress extension for LearnPress | learnpress-import-export |
Live Chat by Formilla – Real-time Chat & Chatbots Plugin | formilla-live-chat |
Locatoraid Store Locator | locatoraid |
Login Page Styler \| Custom Login \| Custom WP Admin Login Page \| Admin Security \| Admin Protection \| Login Page Customizer \| Admin Login \| Login Security \| Login Redirect \| Theme Login \| Login Menu \| Login Form \| Admin Dashboard \| Change Login Logo \| Login | login-page-styler |
Mail Subscribe List | mail-subscribe-list |
Mega Addons For WPBakery Page Builder | mega-addons-for-visual-composer |
Membership Database | member-database |
Modal Dialog | modal-dialog |
Motors – Car Dealer, Classifieds & Listing | motors-car-dealership-classified-listings |
NEX-Forms – Ultimate Form Builder – Contact forms and much more | nex-forms-express-wp-form-builder |
Ninja Tables – Best Data Table Plugin for WordPress | ninja-tables |
OoohBoi Steroids for Elementor | ooohboi-steroids-for-elementor |
Panorama – WordPress Project Management Plugin | project-panorama-lite |
Post Shortcode | post-shortcode |
PowerPress Podcasting plugin by Blubrry | powerpress |
Pretty Url | pretty-url |
Product Slider For WooCommerce Lite | product-slider-for-woocommerce-lite |
PropertyHive | propertyhive |
Query Wrangler | query-wrangler |
RapidExpCart | rapidexpcart |
Redirect After Login | redirect-after-login |
Reservation.Studio widget | reservation-studio-widget |
Responsive Filterable Portfolio | responsive-filterable-portfolio |
ReviewX – Multi-criteria Rating & Reviews for WooCommerce | reviewx |
Robokassa payment gateway for Woocommerce | robokassa |
Semalt Blocker | semalt |
ShopEngine – Elementor WooCommerce Builder Addons, Variation Swatches, Wishlist, Products Compare – All in One Solution | shopengine |
Shortcode IMDB | shortcode-imdb |
Simple Share Buttons Adder | simple-share-buttons-adder |
Simple Tooltips | simple-tooltips |
SiteAlert – Uptime, Speed, and Security Monitoring for WordPress | my-wp-health-check |
Sloth Logo Customizer | sloth-logo-customizer |
Smart WooCommerce Search | smart-woocommerce-search |
Social Share Boost | social-share-boost |
SparkPost | sparkpost |
Stock Exporter for WooCommerce | stock-exporter-for-woocommerce |
Stream | stream |
Subscribers – Free Web Push Notifications | subscribers-com |
Tablesome – Data table & Workflow Automation ( Contact Form Entries, Email Log, OpenAI / ChatGPT ) | tablesome |
TaxoPress is the WordPress Tag, Category, and Taxonomy Manager | simple-tags |
The School Management – Education & Learning Management | school-management-system |
Themify Portfolio Post | themify-portfolio-post |
Thumbnail carousel slider | wp-responsive-thumbnail-slider |
Uji Popup | uji-popup |
Ultimate Carousel For Elementor | ultimate-carousel-for-elementor |
Ultimate Carousel For WPBakery Page Builder | ultimate-carousel-for-visual-composer |
Update Image Tag Alt Attribute | update-alt-attribute |
Verified Reviews (Avis Vérifiés) | netreviews |
Video Grid | video-grid |
Video List Manager | video-list-manager |
Visual CSS Style Editor | yellow-pencil-visual-theme-customizer |
WCP Contact Form | wcp-contact-form |
WP Cerber Security, Anti-spam & Malware Scan | wp-cerber |
WP Custom Author URL | wp-custom-author-url |
WP Docs | wp-docs |
WP Links Page | wp-links-page |
WP Login Box | wp-login-box |
WP Original Media Path | wp-original-media-path |
WP Popups – WordPress Popup builder | wp-popups-lite |
WP Responsive Tabs horizontal vertical and accordion Tabs | responsive-horizontal-vertical-and-accordion-tabs |
WP-FormAssembly | formassembly-web-forms |
WP-dTree | wp-dtree-30 |
WPJAM Basic | wpjam-basic |
White Label Branding for Elementor Page Builder | white-label-branding-elementor |
WooCommerce Easy Duplicate Product | woo-easy-duplicate-product |
WooCommerce Order Status Change Notifier | woocommerce-order-status-change-notifier |
Woocommerce Email Report | wooemailreport |
Woocommerce Products Designer by ORION – online product customizer for t-shirts, print cards, phone cases Lettering & Decals | woocommerce-products-designer |
WordPress Header Builder Plugin – Pearl | pearl-header-builder |
Wp-D3 | wp-d3 |
YARPP – Yet Another Related Posts Plugin | yet-another-related-posts-plugin |
YML for Yandex Market | yml-for-yandex-market |
YourChannel: Everything you want in a YouTube plugin. | yourchannel |
Zendesk Support for WordPress | zendesk |
eRocket | erocket |
f(x) TOC | fx-toc |
miniOrange’s Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) \| Passwordless login | miniorange-2-factor-authentication |
vSlider Multi Image Slider for WordPress | vslider |
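The slug column above is what you match against a site, and the report's introduction notes that the Wordfence Intelligence vulnerability API is free to use. The script below is an added example, not code from Wordfence or from this report: it reads the JSON that WP-CLI's `wp plugin list --format=json` prints, compares each installed plugin's version against the affected version ranges in a set of feed records, and reports the matches with the fix action. The feed field names (`software`, `slug`, `affected_versions`, `from_version`, `to_version`, inclusive flags, `patched`, `patched_versions`) are an assumption made from memory of the Wordfence Intelligence v2 feed layout and should be checked against the live feed; every record, version, range and title in the sample data is constructed for the example and describes no real vulnerability.

```python
"""Cross-check a site's installed plugins against vulnerability feed records.

Added example, not code from the Wordfence report. Assumes WP-CLI
`wp plugin list --format=json` output and feed records shaped as described
in the comments (assumed schema). All sample data is constructed.
"""
import json
import re

# Constructed sample of `wp plugin list --format=json` output; versions are invented.
WP_PLUGIN_LIST_JSON = """[
  {"name": "email-posts-to-subscribers", "status": "active",   "update": "none",      "version": "1.0"},
  {"name": "charitable",                 "status": "active",   "update": "available", "version": "1.7.0.8"},
  {"name": "stream",                     "status": "inactive", "update": "none",      "version": "3.9.2"},
  {"name": "akismet",                    "status": "active",   "update": "none",      "version": "5.1"}
]"""

# Constructed feed records using an ASSUMED schema. IDs, titles, ranges and
# fixed versions are placeholders and do not describe any real vulnerability.
SAMPLE_FEED_JSON = """{
  "00000000-0000-4000-8000-000000000001": {
    "title": "CONSTRUCTED record A: unpatched, affects <= 1.0",
    "software": [{"type": "plugin", "slug": "email-posts-to-subscribers",
                  "patched": false, "patched_versions": [],
                  "affected_versions": {"* - 1.0": {"from_version": "*", "from_inclusive": true,
                                                     "to_version": "1.0", "to_inclusive": true}}}]
  },
  "00000000-0000-4000-8000-000000000002": {
    "title": "CONSTRUCTED record B: patched, affects <= 1.7.0.8",
    "software": [{"type": "plugin", "slug": "charitable",
                  "patched": true, "patched_versions": ["1.7.0.9"],
                  "affected_versions": {"* - 1.7.0.8": {"from_version": "*", "from_inclusive": true,
                                                         "to_version": "1.7.0.8", "to_inclusive": true}}}]
  },
  "00000000-0000-4000-8000-000000000003": {
    "title": "CONSTRUCTED record C: patched, affects < 3.9.2",
    "software": [{"type": "plugin", "slug": "stream",
                  "patched": true, "patched_versions": ["3.9.2"],
                  "affected_versions": {"* - 3.9.2": {"from_version": "*", "from_inclusive": true,
                                                       "to_version": "3.9.2", "to_inclusive": false}}}]
  }
}"""


def _version_key(version):
    """Split '1.7.0.8' into [1, 7, 0, 8]; non-numeric tokens count as 0.
    Pre-release suffixes are not modelled, so '1.0-beta' sorts equal to '1.0'."""
    return [int(tok) if tok.isdigit() else 0 for tok in re.split(r"[.\-]", version)]


def compare_versions(a, b):
    """Return -1, 0 or 1. Shorter versions are zero-padded, so '1.0' == '1.0.0'."""
    ka, kb = _version_key(a), _version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def version_in_range(installed, rng):
    """True if `installed` lies inside one affected_versions range; '*' means unbounded.
    The inclusive flags decide the boundary case, which is where most false negatives hide."""
    if rng["from_version"] != "*":
        c = compare_versions(installed, rng["from_version"])
        if c < 0 or (c == 0 and not rng["from_inclusive"]):
            return False
    if rng["to_version"] != "*":
        c = compare_versions(installed, rng["to_version"])
        if c > 0 or (c == 0 and not rng["to_inclusive"]):
            return False
    return True


def find_affected(plugin_list_json, feed_json):
    """Return one finding per (installed plugin, matching feed record), sorted by slug.
    Inactive plugins are deliberately included: their code is still on disk and
    is often still reachable over HTTP even when the plugin is deactivated."""
    installed = {p["name"]: p for p in json.loads(plugin_list_json)}
    findings = []
    for vuln_id, record in json.loads(feed_json).items():
        for sw in record["software"]:
            plugin = installed.get(sw["slug"]) if sw["type"] == "plugin" else None
            if plugin is None:
                continue
            if any(version_in_range(plugin["version"], r) for r in sw["affected_versions"].values()):
                findings.append({
                    "slug": sw["slug"],
                    "installed": plugin["version"],
                    "status": plugin["status"],
                    "vuln_id": vuln_id,
                    "title": record["title"],
                    "patched": sw["patched"],
                    "fix_versions": sw["patched_versions"],
                })
    return sorted(findings, key=lambda f: (f["slug"], f["vuln_id"]))


if __name__ == "__main__":
    for f in find_affected(WP_PLUGIN_LIST_JSON, SAMPLE_FEED_JSON):
        action = (f"update to {', '.join(f['fix_versions'])}" if f["patched"]
                  else "no fix available: disable or remove the plugin")
        print(f"{f['slug']} {f['installed']} ({f['status']}): {f['title']} -> {action}")
```

On real sites, replace the two constants with the output of `wp plugin list --format=json` and the feed you retrieve from the API; the matching logic is the part worth keeping. Note the two edge cases the sample exercises: an installed version equal to `to_version` is affected only when `to_inclusive` is true, and an unpatched finding has no version to update to, so the only remediation is to disable or remove the plugin.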
Vulnerability Details
Email posts to subscribers
Source: wordfence.com