Wordfence Intelligence Weekly WordPress Vulnerability Report (October 9, 2023 to October 15, 2023)
Last week, there were 103 vulnerabilities disclosed in 85 WordPress Plugins and no WordPress themes, with 7 of those being in WordPress Core, that have been added to the Wordfence Intelligence Vulnerability Database, and there were 46 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Individuals and Enterprises can use the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WordPress Core <6.3.2 – Authenticated (Subscriber+) Arbitrary Shortcode Execution
- WordPress Core 6.3 – 6.3.1 – Authenticated(Contributor+) Cross-Site Scripting via Footnotes Block
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
| Unpatched | 52 |
| Patched | 51 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
| Low Severity | 0 |
| Medium Severity | 91 |
| High Severity | 5 |
| Critical Severity | 7 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 46 |
| Cross-Site Request Forgery (CSRF) | 26 |
| Missing Authorization | 9 |
| Information Exposure | 6 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 3 |
| Unrestricted Upload of File with Dangerous Type | 2 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Improper Input Validation | 1 |
| Guessable CAPTCHA | 1 |
| URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
| Improper Preservation of Consistency Between Independent Representations of Shared State | 1 |
| External Control of File Name or Path | 1 |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
| Mika | 11 |
| Rio Darmawan | 8 |
| thiennv | 8 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 7 |
| Abdi Pranata | 6 |
| Rafie Muhammad | 5 |
| Lana Codes (Wordfence Vulnerability Researcher) | 5 |
| minhtuanact | 4 |
| LEE SE HYOUNG | 3 |
| Satoo Nakano | 2 |
| DoYeon Park | 2 |
| Skalucy | 2 |
| yuyudhn | 2 |
| Phd | 2 |
| Lokesh Dachepalli | 2 |
| Prasanna V Balaji | 2 |
| Le Ngoc Anh | 2 |
| Elliot | 2 |
| Ala Arfaoui | 1 |
| Nguyen Xuan Chien | 1 |
| James Golovich | 1 |
| WhiteCyberSec | 1 |
| Karolis Narvilas | 1 |
| Marc-Alexandre Montpas | 1 |
| Francesco Marano | 1 |
| qilin_99 | 1 |
| Nano | 1 |
| Vladislav Pokrovsky | 1 |
| Chloe Chamberland (Wordfence Vulnerability Researcher) | 1 |
| Edourard L | 1 |
| Revan Arifio | 1 |
| Jb Audras | 1 |
| Jonas Höbenreich | 1 |
| SeungYongLee | 1 |
| Enrico Marcolini | 1 |
| Claudio Marchesini | 1 |
| mascara7784 | 1 |
| Fioravante Souza | 1 |
| Jorge Costa | 1 |
| s5s | 1 |
| raouf_maklouf | 1 |
| Bob Matyas | 1 |
| Rafshanzani Suhada | 1 |
| Bae Song Hyun | 1 |
| Nguyen Anh Tien | 1 |
| Emili Castells | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| AGP Font Awesome Collection | agp-font-awesome-collection |
| AI ChatBot | chatbot |
| AMP WP – Google AMP For WordPress | amp-wp |
| Accessibility Suite by Online ADA | online-accessibility |
| Add to Calendar Button | add-to-calendar-button |
| Amministrazione Trasparente | amministrazione-trasparente |
| ApplyOnline – Application Form Builder and Manager | apply-online |
| BuddyPress Global Search | buddypress-global-search |
| CITS Support svg, webp Media and TTF,OTF File Upload | cits-support-svg-webp-media-upload |
| CPT Shortcode Generator | cpt-shortcode |
| Campaign Monitor Forms by Optin Cat | campaign-monitor-wp |
| Caret Country Access Limit | caret-country-access-limit |
| Comments Ratings | comments-ratings |
| Comments – wpDiscuz | wpdiscuz |
| Constant Contact Forms by MailMunch | constant-contact-forms-by-mailmunch |
| Contact Form Generator : Creative form builder for WordPress | contact-form-generator |
| Contact Form With Captcha | contact-form-with-captcha |
| Copy or Move Comments | copy-or-move-comments |
| Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress | charitable |
| Easy Testimonial Slider and Form | easy-testimonial-rotator |
| Ebook Store | ebook-store |
| Embed Calendly | embed-calendly-scheduling |
| Etsy Shop | etsy-shop |
| Eupago Gateway For Woocommerce | eupago-gateway-for-woocommerce |
| EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management |
| Fast WP Speed | fast-wp-speed |
| Fattura24 | fattura24 |
| Feed Statistics | wordpress-feed-statistics |
| Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker |
| GEO my WordPress | geo-my-wp |
| Gallery – Image and Video Gallery with Thumbnails | gallery-album |
| Get Custom Field Values | get-custom-field-values |
| Gutenberg | gutenberg |
| HTML5 Maps | html5-maps |
| History Log by click5 | history-log-by-click5 |
| IMPress Listings | wp-listings |
| Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce | email-subscribers |
| Image Regenerate & Select Crop | image-regenerate-select-crop |
| Lazy Load for Videos | lazy-load-for-videos |
| LeadSquared Suite | leadsquared-suite |
| Libsyn Publisher Hub | libsyn-podcasting |
| Login Screen Manager | login-screen-manager |
| MailChimp Forms by MailMunch | mailchimp-forms-by-mailmunch |
| Master Addons for Elementor | master-addons |
| Migration, Backup, Staging – WPvivid | wpvivid-backuprestore |
| Newsletter & Bulk Email Sender – Email Newsletter Plugin for WordPress | newsletter-bulk-email |
| Next Page | next-page |
| Nexter Extension | nexter-extension |
| PDF Block | pdf-block |
| Peter’s Custom Anti-Spam | peters-custom-anti-spam-image |
| PixFields | pixfields |
| Poll Maker – Best WordPress Poll Plugin | poll-maker |
| Post Gallery | simple-post-gallery |
| Print, PDF, Email by PrintFriendly | printfriendly |
| Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages | wplegalpages |
| Proofreading | proofreading |
| QR Twitter Widget | qr-twitter-widget |
| Remote Content Shortcode | remote-content-shortcode |
| Responsive Column Widgets | responsive-column-widgets |
| Responsive Tabs | responsive-tabs |
| Royal Elementor Addons and Templates | royal-elementor-addons |
| RumbleTalk Live Group Chat – HTML5 | rumbletalk-chat-a-chat-with-themes |
| Scroll post excerpt | scroll-post-excerpt |
| Sendle Shipping Plugin | official-sendle-shipping-method |
| Simple File List | simple-file-list |
| Simple Tweet | simple-tweet |
| Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management | simple-urls |
| Slick Contact Forms | slick-contact-forms |
| Snap Pixel | snap-pixel |
| Sort SearchResult By Title | sort-searchresult-by-title |
| SpiderVPlayer | player |
| Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics | taggbox-widget |
| Thumbnail Slider With Lightbox | wp-responsive-slider-with-lightbox |
| Tweeple | tweeple |
| Ultimate Taxonomy Manager | ultimate-taxonomy-manager |
| User Submitted Posts – Enable Users to Submit Posts from the Front End | user-submitted-posts |
| Video Playlist For YouTube | video-playlist-for-youtube |
| WP Attachments | wp-attachments |
| WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting | erp |
| WP GoToWebinar | wp-gotowebinar |
| WP Lightbox 2 | wp-lightbox-2 |
| WP Open Street Map | wp-open-street-map |
| WP ULike – Most Advanced WordPress Marketing Toolkit | wp-ulike |
| WordPress Backup & Migration | wp-migration-duplicator |
| which template file | which-template-file |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Accessibility Suite by Online ADA
Source: wordfence.com
