Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 24, 2023 to Apr 30, 2023)
Last week, 77 vulnerabilities disclosed in 68 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 32 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, along with important WordPress security reports, in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 40 |
| Patched | 37 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 65 |
| High Severity | 10 |
| Critical Severity | 2 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 44 |
| Cross-Site Request Forgery (CSRF) | 9 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 8 |
| Missing Authorization | 7 |
| URL Redirection to Untrusted Site ('Open Redirect') | 3 |
| Deserialization of Untrusted Data | 2 |
| Server-Side Request Forgery (SSRF) | 2 |
| Improper Neutralization of Formula Elements in a CSV File | 1 |
| Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Lana Codes | 7 |
| Mika | 6 |
| Yuki Haruma | 5 |
| qilin_99 | 4 |
| Pavitra Tiwari | 4 |
| Erwan LR | 4 |
| Justiice | 3 |
| minhtuanact | 3 |
| László Radnai | 3 |
| Shreya Pohekar | 3 |
| thiennv | 3 |
| Nguyen Xuan Chien | 2 |
| Ramuel Gall | 2 |
| Abdi Pranata | 2 |
| Marco Wotschka | 2 |
| Ivy | 2 |
| Le Ngoc Anh | 2 |
| Nguyen Xuan Hoa | 1 |
| LEE SE HYOUNG | 1 |
| rezaduty | 1 |
| TomS | 1 |
| Pavak Tiwari | 1 |
| daniloalbuqrque | 1 |
| yuyudhn | 1 |
| Taurus Omar | 1 |
| qerogram | 1 |
| Felipe Restrepo Rodriguez | 1 |
| deokhunKim | 1 |
| Phạm Ngọc Khánh | 1 |
| Lucio Sá | 1 |
| Nguyen Duy Quoc Khanh | 1 |
| Trần Quốc Trường An | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| AJAX Thumbnail Rebuild | ajax-thumbnail-rebuild |
| Advanced Category Template | advanced-category-template |
| Advanced Youtube Channel Pagination | advanced-youtube-channel-pagination |
| Arconix Shortcodes | arconix-shortcodes |
| Autoptimize | autoptimize |
| BSK Forms Blacklist | bsk-gravityforms-blacklist |
| Bit File Manager – 100% free file manager for WordPress | file-manager |
| Booking Manager | booking-manager |
| CM On Demand Search And Replace | cm-on-demand-search-and-replace |
| CRM Memberships | crm-memberships |
| Chronosly Events Calendar | chronosly-events-calendar |
| ClickFunnels | clickfunnels |
| Custom 404 Pro | custom-404-pro |
| Customizer Export/Import | customizer-export-import |
| Decon WP SMS | decon-wp-sms |
| Depicter Slider – Responsive Image Slider, Video Slider & Post Slider | depicter |
| Display custom fields in the frontend – Post and User Profile Fields | shortcode-to-display-post-and-user-data |
| Dynamically Register Sidebars | dynamically-register-sidebars |
| Easy Bet | easy-bet |
| Elementor Website Builder | elementor |
| Emails & Newsletters with Jackmail | jackmail-newsletters |
| Extensions for Leaflet Map | extensions-leaflet-map |
| Forms Ada – Form Builder | forms-ada-form-builder |
| HTTP Headers | http-headers |
| Image Optimizer by 10web – Image Optimizer and Compression plugin | image-optimizer-wd |
| Inactive User Deleter | inactive-user-deleter |
| Integration for Contact Form 7 HubSpot | cf7-hubspot |
| Ko-fi Button | ko-fi-button |
| Logo Scheduler – Great for holidays, events, and more | logo-scheduler-great-for-holidays-events-and-more |
| Maintenance Switch | maintenance-switch |
| Mass Email To users | mass-email-to-users |
| NS Coupon To Become Customer | ns-coupon-to-become-customer |
| Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress | ninja-forms |
| Orbit Fox by ThemeIsle | themeisle-companion |
| Photo Gallery Slideshow & Masonry Tiled Gallery | wp-responsive-photo-gallery |
| Plugins List | plugins-list |
| Progress Bar | progress-bar |
| Push Notifications for WordPress by PushAssist | push-notification-for-wp-by-pushassist |
| REST API TO MiniProgram | rest-api-to-miniprogram |
| Rating-Widget: Star Review System | rating-widget |
| Recipe Maker For Your Food Blog from Zip Recipes | zip-recipes |
| SEO ALert | seo-alert |
| Shield Security – Smart Bot Blocking & Intrusion Prevention | wp-simple-firewall |
| Simple Giveaways – Grow your business, email lists and traffic with contests | giveasap |
| Stock Sync for WooCommerce | stock-sync-for-woocommerce |
| Stream | stream |
| Thumbnail Slider With Lightbox | wp-responsive-slider-with-lightbox |
| Thumbs Rating | thumbs-rating |
| Tiempo.com | tiempocom |
| Tippy | tippy |
| URL Params | url-params |
| Ultimate Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
| Updraft | updraft |
| User IP and Location | user-ip-and-location |
| Video XML Sitemap Generator | video-xml-sitemap-generator |
| WP BrowserUpdate | wp-browser-update |
| WP Directory Kit | wpdirectorykit |
| WP Inventory Manager | wp-inventory-manager |
| WP Page Numbers | wp-page-numbers |
| WP Search Analytics | search-analytics |
| WP Visitor Statistics (Real Time Traffic) | wp-stats-manager |
| WP-CORS | wp-cors |
| WooCommerce Multivendor Marketplace – REST API | wcfm-marketplace-rest-api |
| Woocommerce Tip/Donation | woo-tipdonation |
| XML for Google Merchant Center | xml-for-google-merchant-center |
| YARPP – Yet Another Related Posts Plugin | yet-another-related-posts-plugin |
| Zephyr Project Manager | zephyr-project-manager |
| wordpress vertical image slider plugin | wp-vertical-image-slider |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Arya Multipurpose | arya-multipurpose |
| Mocho Blog | mocho-blog |
| Viable Blog | viable-blog |
Vulnerability Details
Custom 404 Pro
Source: wordfence.com