Wordfence Intelligence Weekly WordPress Vulnerability Report (August 7, 2023 to August 13, 2023)
Last week, there were 86 vulnerabilities disclosed in 68 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 36 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this, and important WordPress security reports, in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-622, data redacted while we work with the developer to ensure this vulnerability gets patched.
- WAF-RULE-623, data redacted while we work with the developer to ensure this vulnerability gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 25 |
| Patched | 61 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 0 |
| Medium Severity | 63 |
| High Severity | 19 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 25 |
| Missing Authorization | 21 |
| Cross-Site Request Forgery (CSRF) | 20 |
| Unrestricted Upload of File with Dangerous Type | 4 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 4 |
| Improper Privilege Management | 3 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 2 |
| Server-Side Request Forgery (SSRF) | 1 |
| Improper Authorization | 1 |
| Improper Authentication | 1 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 |
| Deserialization of Untrusted Data | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Rafie Muhammad | 13 |
| Lana Codes (Wordfence Vulnerability Researcher) | 11 |
| Mika | 5 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 4 |
| Abdi Pranata | 4 |
| Cat | 3 |
| Rio Darmawan | 2 |
| Aman Rawat | 2 |
| thiennv | 2 |
| Skalucy | 2 |
| Jonas Höbenreich | 2 |
| Erwan LR | 2 |
| OZ1NG (TOOR, LISA) | 2 |
| Ramuel Gall (Wordfence Vulnerability Researcher) | 2 |
| Phd | 2 |
| minhtuanact | 2 |
| LEE SE HYOUNG | 2 |
| Ivy | 1 |
| Bob Matyas | 1 |
| Rafshanzani Suhada | 1 |
| deokhunKim | 1 |
| Nguyen Hoang Nam | 1 |
| Dmitrii Ignatyev | 1 |
| Taihei Shimamine | 1 |
| Satoo Nakano | 1 |
| Ryotaro Imamura | 1 |
| Mesh3l_911 | 1 |
| Dmitrii | 1 |
| Nguyen Xuan Chien | 1 |
| Alexander Concha | 1 |
| Daniel Ruf | 1 |
| Robert DeVore | 1 |
| Sayandeep Dutta | 1 |
| Truoc Phan | 1 |
| Robert Rowley | 1 |
| tnt24 | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| --- | --- |
| AI ChatBot | chatbot |
| ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember |
| Absolute Privacy | absolute-privacy |
| Accordion and Accordion Slider | accordion-and-accordion-slider |
| Advanced Custom Fields Pro | advanced-custom-fields-pro |
| All Users Messenger | all-users-messenger |
| BigBlueButton | bigbluebutton |
| Biometric Login For WooCommerce | biometric-login-for-woocommerce |
| Booking Package | booking-package |
| Canto | canto |
| Donations Made Easy – Smart Donations | smart-donations |
| Easy Cookie Law | easy-cookie-law |
| Easy!Appointments | easyappointments |
| Email Template Designer – WP HTML Mail | wp-html-mail |
| EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | embedpress |
| FULL – Customer | full-customer |
| Fusion Builder | fusion-builder |
| Futurio Extra | futurio-extra |
| GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) | gdpr-cookie-compliance |
| Gutenberg Blocks by Kadence Blocks – Page Builder Features | kadence-blocks |
| Highcompress Image Compressor | high-compress |
| ImageRecycle pdf & image compression | imagerecycle-pdf-image-compression |
| JCH Optimize | jch-optimize |
| Jupiter X Core | jupiterx-core |
| Justified Gallery | justified-gallery |
| Kangu para WooCommerce | kangu |
| Leyka | leyka |
| MailChimp Forms by MailMunch | mailchimp-forms-by-mailmunch |
| Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress | ninja-forms |
| Online Booking & Scheduling Calendar for WordPress by vcita | meeting-scheduler-by-vcita |
| POEditor | poeditor |
| Photo Gallery by Ays – Responsive Image Gallery | gallery-photo-gallery |
| PixTypes | pixtypes |
| Popup by Supsystic | popup-by-supsystic |
| Portfolio and Projects | portfolio-and-projects |
| Post Grid Combo – 36+ Blocks for Gutenberg | post-grid |
| Post Timeline | post-timeline |
| Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS | pmpro-courses |
| Premium Packages – Sell Digital Products Securely | wpdm-premium-packages |
| Printful Integration for WooCommerce | printful-shipping-for-woocommerce |
| Product Attachment for WooCommerce | woo-product-attachment |
| Profile Builder – User Profile & User Registration Forms | profile-builder |
| Rate my Post – WP Rating System | rate-my-post |
| Real Estate Manager – Property Listing and Agent Management | real-estate-manager |
| Realia | realia |
| Responsive WordPress Slider – Avartan Slider Lite | avartan-slider-lite |
| SB Child List | sb-child-list |
| SendPress Newsletters | sendpress |
| Sign-up Sheets | sign-up-sheets |
| Stock Ticker | stock-ticker |
| The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid | the-post-grid |
| Theme Demo Import | theme-demo-import |
| Themesflat Addons For Elementor | themesflat-addons-for-elementor |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member |
| User Activity Log | user-activity-log |
| User Activity Tracking and Log | user-activity-tracking-and-log |
| Visual Website Collaboration, Feedback & Project Management – Atarim | atarim-visual-collaboration |
| WP 404 Auto Redirect to Similar Post | wp-404-auto-redirect-to-similar-post |
| WP Categories Widget | wp-categories-widget |
| WP Like Button | wp-like-button |
| WP Pipes | wp-pipes |
| WooCommerce PDF Invoice Builder, Create invoices, packing slips and more | woo-pdf-invoice-builder |
| WxSync-标准云微信公众号文章免费采集-任意公众 | wxsync |
| YITH WooCommerce Waitlist | yith-woocommerce-waiting-list |
| demon image annotation | demon-image-annotation |
| flowpaper | flowpaper-lite-pdf-flipbook |
| wSecure Lite | wsecure |
| woocommerce-one-page-checkout | woocommerce-one-page-checkout |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| --- | --- |
| Avada \| Website Builder For WordPress & WooCommerce | Avada |
| Betheme | betheme |
| Business Pro | business-pro |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities.
Kadence Blocks
Source: wordfence.com