Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 6, 2023 to Mar 12, 2023)

Chloe Chamberland, www.wordfence.com
Published 2023-03-16 13:53:38
Record: WORDFENCE:2B401844FA2C8353174B5E28537B21D2

9.8 High (CVSS3)

Metric Value
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Last week, 60 vulnerabilities disclosed in 40 WordPress plugins and 1 WordPress theme were added to the Wordfence Intelligence Vulnerability Database, and 16 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 3
Patched 57

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 0
Medium Severity 53
High Severity 6
Critical Severity 1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Cross-Site Request Forgery (CSRF) 24
Missing Authorization 17
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 9
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 2
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 1
Server-Side Request Forgery (SSRF) 1
Incorrect Privilege Assignment 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') 1
Reliance on Untrusted Inputs in a Security Decision 1
Improper Authorization 1
Deserialization of Untrusted Data 1
Information Exposure 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Marco Wotschka (Wordfence Vulnerability Researcher, <https://www.wordfence.com/threat-intel/vulnerabilities/researchers/marco-wotschka>) 15
Mika 5
Erwan LR 3
Rafshanzani Suhada 3
Rafie Muhammad 2
yuyudhn 2
Nguyen Xuan Chien 1
Nicholas Ferreira 1
Lana Codes 1
FearZzZz 1
Rio Darmawan 1
Omar Badran 1
thiennv 1
Daniel Ruf 1
Alex Sanford 1
Abdi Pranata 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


Vulnerability Details

LeadSnap <= 1.23 - Unauthenticated PHP Object Injection via AJAX

CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aefbebce-9433-455d-b27c-93088b0c8494>

Multiple E-plugins (Various Versions) - Authenticated (Subscriber+) Privilege Escalation

CVE ID: CVE-2020-36666
CVSS Score: 8.8 (High)
Researcher/s: Omar Badran
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/629d4809-1dd2-4b67-8d8d-9c55f5240f94>

WP Dark Mode <= 4.0.7 - Authenticated (Subscriber+) Local File Inclusion via 'style'

CVE ID: CVE-2023-0467
CVSS Score: 8.8 (High)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d43234d0-5f44-4484-a8d6-16d43d1db51e>

GiveWP <= 2.25.1 - Unauthenticated CSV Injection

CVE ID: CVE-2023-22719
CVSS Score: 8.3 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6368c397-0570-4304-a764-869bacc526c7>

WP Statistics <= 13.2.16 - Authenticated (Admin+) SQL Injection

CVE ID: CVE-2023-0955
CVSS Score: 7.2 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0ffd60d2-ae8d-4738-a4f4-6df6e0ffa8c6>

Paytium: Mollie payment forms & donations <= 4.3.7 - Missing Authorization in 'create_mollie_account'

CVE ID: CVE Unknown
CVSS Score: 7.1 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d4491b89-2120-4edb-a396-e45ba09b3b99>

Paytium: Mollie payment forms & donations <= 4.3.7 - Missing Authorization in 'create_mollie_profile'

CVE ID: CVE Unknown
CVSS Score: 7.1 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fbbd3209-7ed6-4409-a24e-9f6225cf10f5>

Complianz - GDPR/CCPA Cookie Consent <= 6.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE ID: CVE-2023-1069
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7397898c-8d43-4399-9c2b-22f9287aa12d>

Weaver Xtreme Theme Support <= 5.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7431ee0f-f485-48a4-9cdd-8fb2ac43e216>

Cookie Notice & Compliance for GDPR / CCPA <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cookies_revoke_shortcode' Shortcode

CVE ID: CVE-2023-0823
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/914de8f3-e052-4256-af14-4a08eaa464b8>

Daily Prayer Time <= 2023.03.08 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE ID: CVE-2023-27631
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/95691873-a16a-4e41-9456-41fa07efd6ce>

GiveWP <= 2.25.1 - Authenticated (Author+) Stored Cross-Site Scripting

CVE ID: CVE-2022-40211
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b30261e0-1fa1-4794-98f6-851532b7615c>

GiveWP <= 2.25.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via give_form_grid shortcode

CVE ID: CVE-2023-23668
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cc5f7a07-8117-4305-a72c-6afed80b6bcf>

W4 Post List <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'w4pl[no_items_text]'

CVE ID: CVE-2023-27413
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/feb9af10-7df2-4eb1-8546-debaa925df42>

GiveWP <= 2.25.1 - Cross-Site Request Forgery to Cross-Site Scripting via render_dropdown

CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2a0381b1-9b63-41cb-8125-d22274b98867>

Webmention <= 4.0.8 - Reflected Cross-Site Scripting via 'replytocom'

CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3d12d692-231b-4e15-a119-80fd74566af4>

Real Estate 7 Theme <= 3.3.4 - Unauthenticated Arbitrary Email Sending

CVE ID: CVE Unknown
CVSS Score: 5.8 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5778ba3d-6670-47ad-ae65-50b6fb8e5db0>

Popup box <= 3.4.4 - Reflected Cross-Site Scripting via 'ays_pb_tab' Parameter

CVE ID: CVE-2023-27414
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/01f60df7-0602-4a00-9905-a91348811dfe>

Paytium: Mollie payment forms & donations <= 4.3.7 - Missing Authorization in 'pt_cancel_subscription'

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/060f31ab-cfa4-4ca8-846a-de76848b28fb>

Paytium: Mollie payment forms & donations <= 4.3.7 - Missing Authorization in 'update_profile_preference'

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2e9bee86-f491-4f68-b10b-051e0fb1a67b>

HT Easy GA4 ( Google Analytics 4 ) <= 1.0.6 - Cross-Site Request Forgery via plugin_activation

CVE ID: CVE-2023-23802
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2fa2fcda-69f4-4095-b23c-6e6f1613adb0>

Updraft Plus <= 1.22.24 - Cross-Site Request Forgery via updraft_ajaxrestore

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/343cbdda-2ec5-437f-b563-96c61663314d>

Daily Prayer Time <= 2023.03.08 - Cross-Site Request Forgery

CVE ID: CVE-2023-27632
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9060bb2a-b9d9-466d-bb8d-14173a51d145>

Paytium: Mollie payment forms & donations <= 4.3.7 - Missing Authorization in 'paytium_sw_save_api_keys'

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a92beff1-3bc6-459e-aeca-5cbdf2152388>

GiveWP <= 2.25.1 - Cross-Site Request Forgery via process_bulk_action

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a9939ffe-a5d5-45cb-b673-665acf1ff09d>

GiveWP <= 2.25.1 - Authenticated (Contributor+) Arbitrary Content Deletion

CVE ID: CVE-2023-23672
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a9af1429-32c5-4907-acf4-83efc6727bb8>

Mass Delete Unused Tags <= 2.0.0 - Cross-Site Request Forgery via plugin_mass_delete_unused_tags_init

CVE ID: CVE-2023-27430
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/abf4cfb9-745a-4b4f-8862-54ef561904d6>

Mass Delete Taxonomies <= 3.0.0 - Cross-Site Request Forgery via mp_plugin_mass_delete_tags_init

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ce060989-ce70-49ac-921c-a687bc944090>

Auto Prune Posts <= 1.8.0 - Cross-Site Request Forgery via admin_menu

CVE ID: CVE-2023-27423
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f15af4eb-5752-4a85-babd-cee7e89c329d>

Drag and Drop Multiple File Upload PRO <= 2.10.9 - Directory Traversal

CVE ID: CVE-2023-1112
CVSS Score: 5.3 (Medium)
Researcher/s: Nicholas Ferreira
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1add47ea-6a7b-443a-b31d-3bb6c0d5d72d>

Formidable Forms <= 6.0.1 - IP Spoofing via HTTP header

CVE ID: CVE-2023-0816
CVSS Score: 5.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/909b5421-210d-427a-94a0-e1ea25880cec>

CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.6 - Information Exposure

CVE ID: CVE-2023-1263
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e01b4259-ed8d-44a4-9771-470de45b14a8>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Cross-Site Request Forgery via 'attach_rule'

CVE ID: CVE-2023-1343
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/11f74b86-a050-4247-b310-045bf48fd4bd>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Missing Authorization in 'uucss_update_rule'

CVE ID: CVE-2023-1339
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/19f126f8-1d59-44b5-8e0e-c37f1fbedf5a>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Missing Authorization in 'attach_rule'

CVE ID: CVE-2023-1338
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1bb55b22-a0d0-424f-8e4f-57d3f239c149>

301 Redirects - Easy Redirect Manager <= 2.72 - Cross-Site Request Forgery via dismiss_notice

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2253cb38-3688-4e4d-afd1-582c8743c89a>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Cross-Site Request Forgery via 'uucss_update_rule'

CVE ID: CVE-2023-1344
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/263153c9-61c5-4df4-803b-8d274e2a5e35>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Missing Authorization in 'clear_page_cache'

CVE ID: CVE-2023-1333
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2cba74f7-7183-4297-8f04-4818c01358ef>

Clone <= 2.3.7 - Cross-Site Request Forgery via wp_ajax_tifm_save_decision

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/314d3e0c-ba29-4795-a646-40e0acfc3405>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Cross-Site Request Forgery via 'clear_uucss_logs'

CVE ID: CVE-2023-1340
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/488e26e2-d4d7-4036-a672-53c2d4c9d39b>

Popup Maker <= 1.18.0 - Cross-Site Request Forgery via init

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/533f71d5-823d-45eb-8ecf-76afafd2a5d3>

Affiliate Super Assistent <= 1.5.1 - Cross-Site Request Forgery to Settings Update and Cache Clearing

CVE ID: CVE-2023-27417
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/54dbd2f4-717c-4e01-afe4-c8cceca52650>

cformsII <= 15.0.4 - Cross-Site Request Forgery leading to Settings Updates

CVE ID: CVE-2023-25449
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5798de72-b589-4474-82b2-df6ef26325a3>

Side Menu Lite <= 4.0 - Cross-Site Request Forgery to Item Deletion

CVE ID: CVE-2023-27418
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/799b1f12-05f3-4b8b-9e1f-45c676e4f2a0>

Clone <= 2.3.7 - Missing Authorization via wp_ajax_tifm_save_decision

CVE ID: CVE-2023-25486
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7b6db928-f8ff-4e78-bfc7-51f1d1ccd1fa>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Cross-Site Request Forgery via 'ucss_connect'

CVE ID: CVE-2023-1342
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7c66894a-8d0f-4946-ae4d-bffd35f3ffb7>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Missing Authorization in 'clear_uucss_logs'

CVE ID: CVE-2023-1337
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a52325f9-51b5-469c-865e-73a22002d46f>

External Links <= 2.57 - Cross-Site Request Forgery via action_admin_action_wpel_dismiss_notice

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ae7d54a5-3952-4206-a5f4-be60aac27767>

Paytium: Mollie payment forms & donations <= 4.3.7 - Missing Authorization in 'check_for_verified_profiles'

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/af55c470-b94d-49ee-8b72-44652dcccd73>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Cross-Site Request Forgery via 'clear_page_cache'

CVE ID: CVE-2023-1346
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b228f8b1-dd68-41ee-bc49-6a62e5267233>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Missing Authorization in 'ajax_deactivate'

CVE ID: CVE-2023-1336
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b2296800-93d6-48fa-aa09-3d28fa6371d7>

GiveWP <= 2.25.1 - Cross-Site Request Forgery via give_cache_flush

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c820003b-8f30-4557-a282-e3ad7e403062>

GiveWP <= 2.25.1 - Cross-Site Request Forgery via save

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cb7ec7ad-797b-4a5c-9b1c-31284083faef>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Cross-Site Request Forgery via 'queue_posts'

CVE ID: CVE-2023-1345
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d16fa590-1409-4f04-b8b7-0cce17412a5f>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Cross-Site Request Forgery via 'ajax_deactivate'

CVE ID: CVE-2023-1341
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d95b01c3-5db4-40ac-8787-0db58a9cc3a6>

Paytium: Mollie payment forms & donations <= 4.3.7 - Missing Authorization in 'paytium_notice_dismiss'

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eb6642c0-9011-419b-bef6-5aa594993c01>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Missing Authorization in 'ucss_connect'

CVE ID: CVE-2023-1335
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eba48c51-87d9-4e7e-b4c1-0205cd96d033>

Paytium: Mollie payment forms & donations <= 4.3.7 - Missing Authorization in 'check_mollie_account_details'

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f065648a-436a-459c-8ab1-c948c78b43c9>

RapidLoad Power-Up for Autoptimize <= 1.7.1 - Missing Authorization in 'queue_posts'

CVE ID: CVE-2023-1334
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f3108ef4-f889-4ae1-b86f-cedf46dcea19>

GiveWP <= 2.25.1 - Authenticated (Admin+) Server-Side Request Forgery via give_get_content_by_ajax_handler

CVE ID: CVE-2022-40312
CVSS Score: 4.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2379a029-cc0d-4fa2-9aeb-47a4abd6b51a>


As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through submissions from vulnerability researchers via our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.


The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 6, 2023 to Mar 12, 2023) appeared first on Wordfence.
