WordPress Vulnerability Report – July 5, 2023

Written by

Dan Knauss
on

July 5, 2023

Last Updated on July 5, 2023

This week, 70 total vulnerabilities emerged in public disclosure. They may affect over one million WordPress sites. There are 36 plugin vulnerabilities that have security patches available, so run those updates!

Additionally, there are 33 plugin vulnerabilities and one theme vulnerability with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Formidable Forms

Plugin Slug: formidable
Installations: 300,000+
Vulnerability: Auth. Remote Code Execution (RCE)
Patched in Version: 6.3.1
Severity Score: Critical

The vulnerability has been patched, so you should update to version 6.3.1.

Chaty

Plugin Slug: chaty
Installations: 200,000+
Vulnerability: Authenticated Stored Cross Site Scripting (XSS)
Patched in Version: 3.1.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.1.2.

Ultimate Member

Plugin Slug: ultimate-member
Installations: 200,000+
Vulnerability: Unauthenticated Privilege Escalation
Patched in Version: 2.6.7
Severity Score: Critical

The vulnerability has been patched, so you should update to version 2.6.7.

EmbedPress

Plugin Slug: embedpress
Installations: 80,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 3.8.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.8.0.

Login/Signup Popup

Plugin Slug: easy-login-woocommerce
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.4.

Social Login and Register

Plugin Slug: miniorange-login-openid
Installations: 30,000+
Vulnerability: Authentication Broken Authentication
Patched in Version: 7.6.5
Severity Score: Critical

The vulnerability has been patched, so you should update to version 7.6.5.

Subscribe2

Plugin Slug: subscribe2
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 10.41
Severity Score: Medium

The vulnerability has been patched, so you should update to version 10.41.

Subscribe2

Plugin Slug: subscribe2
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 10.41
Severity Score: Medium

The vulnerability has been patched, so you should update to version 10.41.

Contact Form & Lead Form Elementor Builder

Plugin Slug: lead-form-builder
Installations: 20,000+
Vulnerability: Broken Access Control
Patched in Version: 1.8.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.8.5.

Supsystic Popup

Plugin Slug: popup-by-supsystic
Installations: 20,000+
Vulnerability: Prototype Pollution
Patched in Version: 1.10.19
Severity Score: High

The vulnerability has been patched, so you should update to version 1.10.19.

WPGraphQL

Plugin Slug: wp-graphql
Installations: 20,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 1.14.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.14.6.

WP ERP

Plugin Slug: erp
Installations: 9,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.12.4
Severity Score: High

The vulnerability has been patched, so you should update to version 1.12.4.

Active Directory Integration / LDAP Integration

Plugin Slug: ldap-login-for-intranet-sites
Installations: 5,000+
Vulnerability: Unauthenticated LDAP Injection
Patched in Version: 4.1.6
Severity Score: High

The vulnerability has been patched, so you should update to version 4.1.6.

MStore API

Plugin Slug: mstore-api
Installations: 5,000+
Vulnerability: Unauth. SQL Injection
Patched in Version: 4.0.2
Severity Score: Critical

The vulnerability has been patched, so you should update to version 4.0.2.

Poll Maker

Plugin Slug: poll-maker
Installations: 5,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 4.6.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.6.3.

Th Product Compare

Plugin Slug: th-product-compare
Installations: 5,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.2.6.

Waitlist WooCommerce ( Back in stock notifier )

Plugin Slug: waitlist-woocommerce
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.5.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.5.3.

Short URL

Plugin Slug: shorten-url
Installations: 2,000+
Vulnerability: Authenticated Stored Cross Site Scripting (XSS)
Patched in Version: 1.6.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.6.5.

Short URL

Plugin Slug: shorten-url
Installations: 2,000+
Vulnerability: SQL Injection
Patched in Version: 1.6.5
Severity Score: High

The vulnerability has been patched, so you should update to version 1.6.5.

WP Inventory Manager

Plugin Slug: wp-inventory-manager
Installations: 2,000+
Vulnerability: Inventory Items Deletion via Cross Site Request Forgery (CSRF)
Patched in Version: 2.1.0.14
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.0.14.

Kanban Boards for WordPress

Plugin Slug: kanban
Installations: 1,000+
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: 2.5.21
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.5.21.

Request a Quote

Plugin Slug: request-a-quote
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.3.11
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.3.11.

LiquidPoll

Plugin Slug: wp-poll
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 3.3.69
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.3.69.

Front User Submit / Front Editor

Plugin Slug: front-editor
Installations: 200+
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: 3.8.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.8.5.

TrustProfile

Plugin Slug: trustprofile
Installations: 200+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.25
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.25.

Knowledge Center

Plugin Slug: knowledge-center
Installations: 20+
Vulnerability: Authenticated Cross Site Scripting (XSS)
Patched in Version: 2.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.8.

Catalyst Connect Zoho CRM Client Portal

Plugin Slug: catalyst-connect-client-portal
Installations: 10+
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: 2.1.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.0.

ARMember

Plugin: ARMember
Plugin Slug: armember-membership
Vulnerability: Stored Cross Site Scripting (XSS) on Common Messages Settings
Patched in Version: 4.0.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.0.5.

AutomateWoo

Plugin: AutomateWoo
Plugin Slug: automatewoo
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.7.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.7.6.

AutomateWoo

Plugin: AutomateWoo
Plugin Slug: automatewoo
Vulnerability: Broken Access Control
Patched in Version: 5.7.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.7.6.

Houzez CRM

Plugin: Houzez CRM
Plugin Slug: houzez-crm
Vulnerability: SQL Injection
Patched in Version: 1.3.5
Severity Score: Critical

The vulnerability has been patched, so you should update to version 1.3.5.

Salon Booking System

Plugin: Salon booking system
Plugin Slug: salon-booking-system
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 8.4.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 8.4.8.

LearnDash LMS

Plugin: LearnDash LMS
Plugin Slug: sfwd-lms
Vulnerability: Authenticated IDOR to Account Takeover
Patched in Version: 4.6.0.1
Severity Score: High

The vulnerability has been patched, so you should update to version 4.6.0.1.

WooCommerce Order Barcodes

Plugin: WooCommerce Order Barcodes
Plugin Slug: woocommerce-order-barcodes
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.6.5.

WooCommerce Ship to Multiple Addresses

Plugin: WooCommerce Ship to Multiple Addresses
Plugin Slug: woocommerce-shipping-multiple-addresses
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.8.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.8.6.

WP Post Author

Plugin: WP Post Author
Plugin Slug: wp-post-author
Vulnerability: Privilege Escalation
Patched in Version: 3.3.0
Severity Score: Critical

The vulnerability has been patched, so you should update to version 3.3.0.

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Side Cart Woocommerce

Plugin Slug: side-cart-woocommerce
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Enhanced Text Widget

Plugin Slug: enhanced-text-widget
Installations: 50,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Duplicate Post Page Menu & Custom Post Type

Plugin Slug: duplicate-post-page-menu-custom-post-type
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Zippy

Plugin Slug: zippy
Installations: 10,000+
Vulnerability: PHP Object Injection
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Form Builder

Plugin Slug: contact-form-add
Installations: 6,000+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Enable SVG, WebP & ICO Upload

Plugin Slug: enable-svg-webp-ico-upload
Installations: 6,000+
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

SW Product Bundles

Plugin Slug: sw-product-bundles
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

ApplyOnline – Application Form Builder and Manager

Plugin Slug: apply-online
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Email download link

Plugin Slug: email-download-link
Installations: 5,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Post Hit Counter

Plugin Slug: post-hit-counter
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Layer Slider

Plugin Slug: slider-slideshow
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Google Sheet Connector

Plugin Slug: wc-gsheetconnector
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WCP OpenWeather

Plugin Slug: wcp-openweather
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

WP Abstracts

Plugin Slug: wp-abstracts-manuscripts-manager
Installations: 400+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WP Abstracts

Plugin Slug: wp-abstracts-manuscripts-manager
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Post to CSV by BestWebSoft

Plugin Slug: post-to-csv
Installations: 300+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Caldera Forms Google Sheets Connector

Plugin Slug: gsheetconnector-caldera-forms
Installations: 200+
Vulnerability: Access Code Update via Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Autochat

Plugin Slug: auyautochat-for-wp
Installations: 70+
Vulnerability: Unauth. Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

Quiz Expert

Plugin Slug: quiz-expert
Installations: 50+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

AN_GradeBook

Plugin: AN_GradeBook
Plugin Slug: an-gradebook
Vulnerability: Authenticated SQL Injection
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Booked

Plugin: Booked
Plugin Slug: booked
Vulnerability: Unauth. Appointment Data Exposure
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Editorial Calendar

Plugin: Editorial Calendar
Plugin Slug: editorial-calendar
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Editorial Calendar

Plugin: Editorial Calendar
Plugin Slug: editorial-calendar
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

File Manager Advanced Shortcode

Plugin: File Manager Advanced Shortcode
Plugin Slug: file-manager-advanced-shortcode
Vulnerability: Unauth. Remote Code Execution (RCE)
Patched in Version: No Fix
Severity Score: Critical

The vulnerability has not been patched. You should deactivate the plugin.

Image Map Pro Lite

Plugin: Image Map Pro
Plugin Slug: image-map-pro-lite
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Image Map Pro

Plugin: Image Map Pro
Plugin Slug: image-map-pro-lite
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Noo Timetable

Plugin: NOO Timetable
Plugin Slug: noo-timetable
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Noo Timetable

Plugin: NOO Timetable
Plugin Slug: noo-timetable
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

SP Project & Document Manager

Plugin: SP Project & Document Manager
Plugin Slug: sp-client-document-manager
Vulnerability: Auth. Insecure Direct Object References (IDOR)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

SP Project & Document Manager

Plugin: SP Project & Document Manager
Plugin Slug: sp-client-document-manager
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

SP Project & Document Manager

Plugin: SP Project & Document Manager
Plugin Slug: sp-client-document-manager
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Web3

Plugin: Web3 – Crypto wallet Login & NFT token gating
Plugin Slug: web3-authentication
Vulnerability: Authentication Bypass Vulnerability
Patched in Version: No Fix
Severity Score: Critical

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WPJobBoard

Plugin: WPJobBoard
Plugin Slug: wpjobboard
Vulnerability: Unauth. Blind SQL Injection
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

The7 — Website and eCommerce Builder for WordPress

Theme: The7
Theme Slug: dt-the7
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should switch themes.

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

Source link

WordPress Core Vulnerabilities — Patched

Explore more