Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023)
Last week, there were 64 vulnerabilities disclosed in 61 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
| Unpatched | 37 |
| Patched | 27 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
| Low Severity | 2 |
| Medium Severity | 53 |
| High Severity | 6 |
| Critical Severity | 3 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 29 |
| Missing Authorization | 12 |
| Cross-Site Request Forgery (CSRF) | 11 |
| Unrestricted Upload of File with Dangerous Type | 5 |
| Server-Side Request Forgery (SSRF) | 1 |
| URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
| Improper Input Validation | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Use of Less Trusted Source | 1 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
| Rio Darmawan | 11 |
| Rafie Muhammad | 5 |
| Lana Codes (Wordfence Vulnerability Researcher) | 4 |
| thiennv | 3 |
| LEE SE HYOUNG | 3 |
| Mika | 2 |
| Zlrqh | 2 |
| Dmitrii | 2 |
| László Radnai | 2 |
| Elliot | 2 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 2 |
| Bartłomiej Marek | 2 |
| Tomasz Swiadek | 2 |
| Abdi Pranata | 2 |
| Phd | 1 |
| Emili Castells | 1 |
| Pavitra Tiwari | 1 |
| Ramuel Gall (Wordfence Vulnerability Researcher) | 1 |
| FearZzZz | 1 |
| emad | 1 |
| Prasanna V Balaji | 1 |
| deokhunKim | 1 |
| yuyudhn | 1 |
| Le Ngoc Anh | 1 |
| Dipak Panchal | 1 |
| mehmet | 1 |
| Lokesh Dachepalli | 1 |
| Jonas Höbenreich | 1 |
| Enrico Marcolini | 1 |
| Animesh Gaurav | 1 |
| Jonatas Souza Villa Flor | 1 |
| Ravi Dharmawan | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| Activity Log | aryo-activity-log |
| AffiliateWP | AffiliateWP |
| All-in-One WP Migration Box Extension | all-in-one-wp-migration-box-extension |
| All-in-One WP Migration Dropbox Extension | all-in-one-wp-migration-dropbox-extension |
| All-in-One WP Migration Google Drive Extension | all-in-one-wp-migration-gdrive-extension |
| All-in-One WP Migration OneDrive Extension | all-in-one-wp-migration-onedrive-extension |
| Better Elementor Addons | better-elementor-addons |
| Bridge Core | bridge-core |
| Ditty – Responsive News Tickers, Sliders, and Lists | ditty-news-ticker |
| DoLogin Security | dologin |
| Easy Coming Soon | easy-coming-soon |
| Easy Newsletter Signups | easy-newsletter-signups |
| Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle |
| Fast & Effective Popups & Lead-Generation for WordPress – HollerBox | holler-box |
| FileOrganizer – Manage WordPress and Website Files | fileorganizer |
| Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | folders |
| Font Awesome 4 Menus | font-awesome-4-menus |
| Forminator – Contact Form, Payment Form & Custom Form Builder | forminator |
| GiveWP – Donation Plugin and Fundraising Platform | give |
| GuruWalk Affiliates | guruwalk-affiliates |
| Happy Addons for Elementor Pro | happy-elementor-addons-pro |
| Import XML and RSS Feeds | import-xml-feed |
| Localize Remote Images | localize-remote-images |
| Login and Logout Redirect | login-and-logout-redirect |
| LuckyWP Scripts Control | luckywp-scripts-control |
| Maintenance Switch | maintenance-switch |
| MakeStories (for Google Web Stories) | makestories-helper |
| Metform Elementor Contact Form Builder | metform |
| Multi-column Tag Map | multi-column-tag-map |
| Olive One Click Demo Import | olive-one-click-demo-import |
| Order Tracking – WordPress Status Tracking Plugin | order-tracking |
| Ovic Product Bundle | ovic-product-bundle |
| Popup Builder – Create highly converting, mobile friendly marketing popups. | popup-builder |
| Popup box | ays-popup-box |
| PowerPress Podcasting plugin by Blubrry | powerpress |
| Prevent files / folders access | prevent-file-access |
| Pricing Deals for WooCommerce | pricing-deals-for-woocommerce |
| RSVPMaker | rsvpmaker |
| Remove/hide Author, Date, Category Like Entry-Meta | removehide-author-date-category-like-entry-meta |
| Responsive Gallery Grid | responsive-gallery-grid |
| Sermon’e – Sermons Online | sermone-online-sermons-management |
| Simple 301 Redirects by BetterLinks | simple-301-redirects |
| Site Reviews | site-reviews |
| Sitekit | sitekit |
| Slimstat Analytics | wp-slimstat |
| Smarty for WordPress | smarty-for-wordpress |
| Snap Pixel | snap-pixel |
| Social Media Share Buttons & Social Sharing Icons | ultimate-social-media-icons |
| Social Share Boost | social-share-boost |
| Surfer – WordPress Plugin | surferseo |
| URL Shortener by MyThemeShop | mts-url-shortener |
| Ultimate Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
| WP Bannerize Pro | wp-bannerize-pro |
| WP GoToWebinar | wp-gotowebinar |
| WP Search Analytics | search-analytics |
| WP Super Minify | wp-super-minify |
| WP Synchro – WordPress Migration Plugin for Database & Files | wpsynchro |
| WP Users Media | wp-users-media |
| WP-dTree | wp-dtree-30 |
| WordPress Ecommerce For Creating Fast Online Stores – By SureCart | surecart |
| authLdap | authldap |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| Arya Multipurpose Pro | arya-multipurpose-pro |
| Everest News Pro | everest-news-pro |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
Forminator
Source: wordfence.com
