Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023)
Last week, 58 vulnerabilities disclosed in 43 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 27 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Easy Digital Downloads 3.1 – 3.1.1.4.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 14 |
| Patched | 44 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 1 |
| Medium Severity | 48 |
| High Severity | 8 |
| Critical Severity | 1 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 31 |
| Missing Authorization | 9 |
| Cross-Site Request Forgery (CSRF) | 5 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3 |
| Server-Side Request Forgery (SSRF) | 2 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
| Improper Authentication | 1 |
| Information Exposure | 1 |
| Unverified Password Change | 1 |
| URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
| Deserialization of Untrusted Data | 1 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Dave Jong | 7 |
| Lana Codes | 7 |
| yuyudhn | 4 |
| Le Ngoc Anh | 3 |
| Mika | 3 |
| Rafie Muhammad | 3 |
| Junsu Yeo | 2 |
| Erwan LR | 2 |
| LEE SE HYOUNG | 2 |
| Chien Vuong | 2 |
| deokhunKim | 2 |
| Alex Sanford | 2 |
| Fioravante Souza | 1 |
| Nguyen Xuan Chien | 1 |
| Ivan Kuzymchak | 1 |
| Yash Kanchhal | 1 |
| WPScanTeam | 1 |
| Sanjay Das | 1 |
| Marco Wotschka | 1 |
| Taurus Omar | 1 |
| Nguyen Anh Tien | 1 |
| Suprit S Pandurangi | 1 |
| Skalucy | 1 |
| Ramuel Gall | 1 |
| thiennv | 1 |
| Phd | 1 |
| Pablo Sanchez | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| --- | --- |
| Add to Feedly | add-to-feedly |
| Advanced Custom Fields (ACF) | advanced-custom-fields |
| Advanced Custom Fields Pro | advanced-custom-fields-pro |
| Advanced Woo Search | advanced-woo-search |
| Albo Pretorio On line | albo-pretorio-on-line |
| AnyWhere Elementor | anywhere-elementor |
| CM Pop-Up banners for WordPress | cm-pop-up-banners |
| Community by PeepSo – Social Network, Membership, Registration, User Profiles | peepso-core |
| Contact Form 7 extension for Google Map fields | cf7-google-map |
| Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free | cryptocurrency-donation-box |
| Custom 404 Pro | custom-404-pro |
| DX Delete Attached Media | dx-delete-attached-media |
| Easy Appointments | easy-appointments |
| Easy Digital Downloads – Simple eCommerce for Selling Digital Files | easy-digital-downloads |
| FV Flowplayer Video Player | fv-wordpress-flowplayer |
| Fast & Effective Popups & Lead-Generation for WordPress – HollerBox | holler-box |
| Hostel | hostel |
| Image Optimizer by 10web – Image Optimizer and Compression plugin | image-optimizer-wd |
| Library Viewer | library-viewer |
| Login rebuilder | login-rebuilder |
| Loginizer | loginizer |
| Manager for Icomoon | manager-for-icomoon |
| Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress | metform |
| Multi Rating | multi-rating |
| Newsletter Popup | newsletter-popup |
| OSM – OpenStreetMap | osm |
| Otter – Gutenberg Blocks – Page Builder for Gutenberg Editor & FSE | otter-blocks |
| Participants Database | participants-database |
| Photo Gallery by Ays – Responsive Image Gallery | gallery-photo-gallery |
| Product Addons & Fields for WooCommerce | woocommerce-product-addon |
| Spiffy Calendar | spiffy-calendar |
| TK Google Fonts GDPR Compliant | tk-google-fonts |
| TP Education | tp-education |
| UserAgent-Spy | useragent-spy |
| WOLF – WordPress Posts Bulk Editor and Manager Professional | bulk-editor |
| WP Directory Kit | wpdirectorykit |
| WP Docs | wp-docs |
| WP EasyPay – Square for WordPress | wp-easy-pay |
| WP Fastest Cache | wp-fastest-cache |
| WP Job Portal – A Complete Job Board | wp-job-portal |
| WP-FormAssembly | formassembly-web-forms |
| WPO365 \| Mail Integration for Office 365 / Outlook | mail-integration-365 |
| WPPizza – A Restaurant Plugin | wppizza |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| --- | --- |
| Editorialmag | editorialmag |
| JupiterX | jupiterx |
| TheGem | thegem |
Vulnerability Details
Easy Digital Downloads 3.1 – 3.1.1.4.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation
Affected Software: Easy Digital Downloads – Simple eCommerce for Selling Digital Files
CVE ID: CVE-2023-30869
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e3e07c8-8fd0-4966-8276-aece794b75b2
Otter – Gutenberg Blocks
Source: wordfence.com