Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023)
Last week, there were 109 vulnerabilities disclosed in 95 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook integration are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
Individuals and enterprises can use the vulnerability database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
--- | --- |
Unpatched | 68 |
Patched | 41 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
--- | --- |
Low Severity | 1 |
Medium Severity | 91 |
High Severity | 15 |
Critical Severity | 2 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
--- | --- |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 47 |
Cross-Site Request Forgery (CSRF) | 25 |
Missing Authorization | 17 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
Unrestricted Upload of File with Dangerous Type | 3 |
Improper Authorization | 3 |
Information Exposure | 3 |
Deserialization of Untrusted Data | 2 |
Authorization Bypass Through User-Controlled Key | 1 |
Server-Side Request Forgery (SSRF) | 1 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
Improper Privilege Management | 1 |
Authentication Bypass by Primary Weakness | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
--- | --- |
LEE SE HYOUNG | 14 |
Lana Codes (Wordfence Vulnerability Researcher) | 12 |
Rafie Muhammad | 8 |
Abdi Pranata | 7 |
Mika | 5 |
Nguyen Xuan Chien | 4 |
thiennv | 4 |
Francesco Carlucci | 4 |
Le Ngoc Anh | 4 |
Rio Darmawan | 3 |
Marco Wotschka (Wordfence Vulnerability Researcher) | 3 |
Revan Arifio | 3 |
Jonas Höbenreich | 2 |
Emili Castells | 2 |
Skalucy | 2 |
Shuning Xu | 1 |
qilin_99 | 1 |
niclo | 1 |
Ala Arfaoui | 1 |
Taihei Shimamine | 1 |
Milad Hacking | 1 |
Alexander Concha | 1 |
NGÔ THIÊN AN | 1 |
Phd | 1 |
Alex Thomas (Wordfence Vulnerability Researcher) | 1 |
minhtuanact | 1 |
Nguyen Anh Tien | 1 |
DoYeon Park | 1 |
Dimas Maulana | 1 |
emad | 1 |
juweihuitao | 1 |
Dmitrii Ignatyev | 1 |
Krzysztof Zając | 1 |
Elliot | 1 |
Theodoros Malachias | 1 |
trein | 1 |
TP Cyber Security | 1 |
Rafshanzani Suhada | 1 |
Joshua Chan | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
--- | --- |
404 Solution | 404-solution |
Add Custom Body Class | add-custom-body-class |
Add Shortcodes Actions And Filters | add-actions-and-filters |
Advanced Local Pickup for WooCommerce | advanced-local-pickup-for-woocommerce |
Ajax Archive Calendar | ajax-archive-calendar |
ApplyOnline – Application Form Builder and Manager | apply-online |
Appointment Calendar | appointment-calendar |
Archivist – Custom Archive Templates | archivist-custom-archive-templates |
Ashe Extra | ashe-extra |
Auto Login New User After Registration | auto-login-new-user-after-registration |
BetterLinks – Shorten, Track and Manage any URL | betterlinks |
Booster for WooCommerce | woocommerce-jetpack |
Broken Link Checker \| Finder | broken-link-finder |
CPO Shortcodes | cpo-shortcodes |
Category SEO Meta Tags | category-seo-meta-tags |
Comments – wpDiscuz | wpdiscuz |
Contact Form Builder, Contact Widget | contact-forms-builder |
Contact Form builder with drag & drop for WordPress – Kali Forms | kali-forms |
Custom post types, Custom Fields & more | custom-post-types |
DX Delete Attached Media | dx-delete-attached-media |
Delete Usermetas | delete-usermetas |
Duplicate Theme | duplicate-theme |
E2Pdf – Export To Pdf Tool for WordPress | e2pdf |
EG-Attachments | eg-attachments |
Envo Extra | envo-extra |
Eonet Manual User Approve | eonet-manual-user-approve |
EventON | eventon-lite |
Freesoul Deactivate Plugins – Plugin manager and cleanup | freesoul-deactivate-plugins |
FreshMail For WordPress | freshmail-integration |
GeoDirectory – WordPress Business Directory Plugin, or Classified Directory | geodirectory |
Grid Plus – Unlimited grid layout | grid-plus |
Headline Analyzer | headline-analyzer |
Icons Font Loader | icons-font-loader |
Internal Link Building | internal-link-building-plugin |
Just Custom Fields | just-custom-fields |
Lava Directory Manager | lava-directory-manager |
MW WP Form | mw-wp-form |
Maileon for WordPress | xqueue-maileon |
Mediabay – Media Library Folders | mediabay-lite |
Minimum Purchase for WooCommerce | minimum-purchase-for-woocommerce |
Modern Footnotes | modern-footnotes |
Motors – Car Dealer, Classifieds & Listing | motors-car-dealership-classified-listings |
Novo-Map : your WP posts on custom google maps | novo-map |
Open Graph Metabox | open-graph-metabox |
Popup by Supsystic | popup-by-supsystic |
Post Meta Data Manager | post-meta-data-manager |
Product Category Tree | product-category-tree |
Protección de Datos RGPD | click-datos-lopd |
Recip.ly Plugin | reciply |
Rocket Font | rocket-font |
SALESmanago | salesmanago |
Simple Calendar – Google Calendar Plugin | google-calendar-events |
Simple Table Manager | simple-table-manager |
Skype Legacy Buttons | skype-online-status |
Smart App Banner | smart-app-banner |
Smart Online Order for Clover | clover-online-orders |
Smooth Scroll Links [SSL] | smooth-scrolling-links-ssl |
Social Media Share Buttons & Social Sharing Icons | ultimate-social-media-icons |
Social proof testimonials and reviews by Repuso | social-testimonials-and-reviews-widget |
Soisy Pagamento Rateale | soisy-pagamento-rateale |
Super Testimonials | super-testimonial |
TCD Google Maps | tcd-google-maps |
Tab Ultimate | tabs-pro |
Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics | taggbox-widget |
Team Showcase | team-showcase |
Templately – Templates Cloud for Elementor & Gutenberg : 4000+ Free & Premium Designs! | templately |
The Awesome Feed – Custom Feed | wp-facebook-feed |
Theme Blvd Shortcodes | theme-blvd-shortcodes |
Theme Switcha – Easily Switch Themes for Development and Testing | theme-switcha |
Thumbnail Slider With Lightbox | wp-responsive-slider-with-lightbox |
Track Google Analytics 4, Facebook Pixel & Conversions API via Google Tag Manager for WooCommerce | enhanced-e-commerce-for-woocommerce-store |
Triberr | triberr-wordpress-plugin |
Ultimate Addons for WPBakery | Ultimate_VC_Addons |
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | userfeedback-lite |
Userback | userback |
WC Captcha | wc-captcha |
WC Serial Numbers – Ultimate License Manager Plugin for Selling, Licensing & Securely Delivering Digital Products with WooCommerce | wc-serial-numbers |
WDSocialWidgets | spider-facebook |
WOLF – WordPress Posts Bulk Editor and Manager Professional | bulk-editor |
WP EXtra | wp-extra |
WP Full Stripe Free | wp-full-stripe-free |
WP Hotel Booking | wp-hotel-booking |
WP Post Columns | wp-post-columns |
WP Radio – Worldwide Online Radio Stations Directory for WordPress | wp-radio |
Web Push Notifications – Webpushr | webpushr-web-push-notifications |
Webmaster Tools | webmaster-tools |
WhatsApp Share Button | |
Who Hit The Page – Hit Counter | who-hit-the-page-hit-counter |
Widgets for Google Reviews | wp-reviews-plugin-for-google |
WooCommerce Ninja Forms Product Add-ons | woocommerce-ninjaforms-product-addons |
WooCommerce PDF Invoice Builder, Create invoices, packing slips and more | woo-pdf-invoice-builder |
WooCommerce Stripe Payment Gateway | woocommerce-gateway-stripe |
Wp Ultimate Review | wp-ultimate-review |
iPanorama 360 – WordPress Virtual Tour Builder | ipanorama-360-virtual-tour-builder-lite |
mpOperationLogs | mpoperationlogs |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
--- | --- |
themify-ultra | themify-ultra |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Recip.ly
Source: wordfence.com