
In case you missed it, Wordfence has curated an industry-leading vulnerability database of all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence Community Edition.
This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, submissions from vulnerability researchers using our CVE Request form, and monitoring of various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
Our mission with Wordfence Intelligence Community Edition is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence Community Edition user interface and vulnerability API are completely free to access and utilize both personally and commercially.
Last week, there were 69 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below.
EZP Coming Soon Page <= 1.0.7.3 – Authenticated (Admin+) Stored Cross Site Scripting
Metform Elementor Contact Form Builder <= 3.1.2 – Unauthenticated Stored Cross-Site Scripting
IP Vault – WP Firewall <= 1.1 – Authenticated (Admin+) Stored Cross-Site Scripting
Gallery – Image and Video Gallery with Thumbnails <= 2.0.1 – Unauthenticated Stored Cross-Site Scripting
Magazine Edge <= 1.13 – Authenticated (Subscriber+) Arbitrary Plugin Activation
EmbedSocial – Social Media Feeds, Reviews and Galleries = 1.1.27 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Galleries by Angie Makes <= 1.67 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
WP Dark Mode <= 3.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
WP Private Message < 1.0.6 – Insecure Direct Object Reference
Custom Add User <= 2.0.2 – Reflected Cross-Site Scripting
Image Hover Effects Plugin – Caption Hover with Carousel <= 2.8 – Unauthenticated Stored Cross Site Scripting
Interactive Geo Maps <= 1.5.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Flexible Elementor Panel <= 2.3.8 – Cross Site Request Forgery
RankMath SEO <= 1.0.107.2 – Authenticated (Contributor+) Local File Inclusion
GS Books Showcase <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
WP Tabs <= 2.1.14 – Cross Site Request Forgery
Marketing Performance <= 2.0.0 – Unauthenticated Stored Cross Site Scripting
Multi-column Tag Map <= 17.0.24 – Authenticated (Contributor+) Stored Cross Site Scripting
WP htpasswd <= 1.7 – Authenticated (Admin+) Stored Cross Site Scripting
WP Email Capture <= 3.9.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
Album and Image Gallery plus Lightbox <= 1.6.2 – Missing Authorization
WebinarIgnition <= 2.14.2 – Authenticated (Admin+) Stored Cross-Site Scripting
Namaste! LMS <= 2.5.9.3 – Authenticated (Admin+) Stored Cross-Site Scripting
WP Booking System <= 2.0.18 – Authenticated (Admin+) Stored Cross Site Scripting
Beautiful Cookie Consent Banner <= 2.10.0 – Unauthenticated Stored Cross-Site Scripting
User Activity <= 1.0.1 – IP Address Spoofing
Ocean Extra <= 2.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
1003 Mortgage Application <= 1.73 – Unauthenticated CSV Injection
Side Cart Woocommerce (Ajax) <= 2.1 – Cross-Site Request Forgery
Correos Oficial <= 1.3.0.0 – Unauthenticated Arbitrary File Download
Cost Calculator <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting
WP Statistics <= 13.2.10 – Authenticated (Subscriber+) SQL Injection
Posts and Users Stats <= 1.1.3 – Authenticated (Subscriber+) CSV Injection
Wufoo Shortcode <= 1.51 – Authenticated (Contributor+) Cross-Site Scripting via Shortcodes
GS Insever Portfolio <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
BackupBuddy <= 8.8.2 – Reflected Cross-Site Scripting
Print Invoice & Delivery Notes for WooCommerce <= 4.7.1 – Reflected Cross-Site Scripting
Watu Quiz <= 3.3.8 – Authenticated (Admin+) Stored Cross-Site Scripting
GeoDirectory <= 2.2.23 – Authenticated (Admin+) SQL Injection
Simple History <= 3.3.1 – Authenticated (Subscriber+) CSV Injection
Real Media Library: Media Library Folder & File Manager <= 4.18.28 – Authenticated (Author+) Stored Cross-Site Scripting
Usersnap <= 4.16 – Authenticated (Admin+) Stored Cross Site Scripting
EmbedStories <= 0.7.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
PHP Execution <= 1.0.0 – Cross Site Request Forgery
ShortPixel Adaptive Images <= 3.6.1 – Reflected Cross-Site Scripting
Beautiful Cookie Consent Banner <= 2.10.0 – Missing Authorization to Settings Update
Real Media Library: Media Library Folder & File Manager <= 4.18.28 – Authenticated (Author+) Stored Cross-Site Scripting
Formidable Form Builder <= 5.5.6 – Cross-Site Request Forgery
Robo Gallery Plugin <= 3.2.11 – Cross-Site Request Forgery
VK All in One Expansion Unit <= 9.85.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
We’re Open! <= 1.45 – Cross-Site Request Forgery
Opening Hours <= 2.3.0 – Authenticated (Admin+) Stored Cross-Site Scripting
Multi Rating <= 5.0.5 – Cross Site Request Forgery
Podlove Podcast Publisher <= 3.8.2 – Authenticated (Admin+) Stored Cross-Site Scripting
1003 Mortgage Application <= 1.73 – Authenticated (Subscriber+) Arbitrary File Download
Donation Block For PayPal <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Easy Digital Downloads <= 3.1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
PrivateContent <= 8.4.3 – Protection Mechanism Bypass
0mk Shortener <= 0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
Jobs for WordPress <= 2.5.10.2 – Authenticated (Author+) Cross Site Scripting
Arigato Autoresponder and Newsletter <= 2.1.7.1 – Authenticated (Admin+) Stored Cross-Site Scripting
GS Filterable Portfolio <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
GS Portfolio for Envato <= 1.3.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Kraken.io Image Optimizer <= 2.6.8 – Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
CC Custom Taxonomy <= 1.0.1 – Authenticated (Administrator+) Cross Site Scripting
Commenter Emails <= 2.6.1 – Unauthenticated CSV Injection
Similar Posts – Best Related Posts Plugin for WordPress <= 3.1.6 – Authenticated (Admin+) Stored Cross-Site Scripting
GS Products Slider for WooCommerce <= 1.5.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Auto YouTube Importer <= 1.0.3 – Cross-Site Request Forgery
If you'd like to receive this weekly vulnerability report by email, along with Wordfence Intelligence CE product updates, sign up for the Wordfence Intelligence Community Edition Newsletter by filling out the form below.
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence Community Edition leaderboard along with being mentioned in our weekly vulnerability report.