
In case you missed it, Wordfence has curated an industry-leading vulnerability database of all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence Community Edition.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, direct submissions from vulnerability researchers using our CVE Request form, and monitoring of various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
Our mission with Wordfence Intelligence Community Edition is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence Community Edition user interface and vulnerability API are completely free to access and use, both personally and commercially.
Last week, 71 vulnerabilities disclosed in WordPress-based software were added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below.
ImageMagick Engine <= 1.7.5 – Cross-Site Request Forgery to PHAR Deserialization
Plugin for Google Reviews <= 2.2.3 – Authenticated (Subscriber+) SQL Injection
GigPress <= 2.3.28 – Authenticated (Subscriber+) SQL Injection
Auto Featured Image (Auto Post Thumbnail) <= 3.9.15 – Authenticated (Author+) Arbitrary File Upload
My Sticky Elements <= 2.0.8 – Authenticated (Admin+) SQL Injection
Redirection for Contact Form 7 <= 2.7.0 – Authenticated (Editor+) Privilege Escalation
Monolit <= 2.0.6 – Unauthenticated Stored Cross-Site Scripting
Gutenberg Forms <= 2.2.8.3 – Authenticated (Subscriber+) Sensitive Information Disclosure
Shortcodes Ultimate <= 5.12.6 – Authenticated (Subscriber+) Arbitrary File Read via Shortcode
Shortcodes Ultimate <= 5.12.6 – Authenticated (Subscriber+) Server-Side Request Forgery
Cost of Goods for WooCommerce <= 2.8.6 – Missing Authorization in save_costs
Icegram Express <= 5.5.2 – Unauthenticated CSV Injection
Quick Contact Form <= 8.0.3.1 – Cross-Site Request Forgery to Sensitive Information Disclosure
WP-Optimize <= 3.2.11 – Cross-Site Request Forgery
Cost of Goods for WooCommerce <= 2.8.6 – Cross-Site Request Forgery in save_costs
Scriptless Social Sharing <= 3.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Block Options
Quick Contact Form <= 8.0.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Icegram Collect <= 1.3.8 – Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Interactive Geo Maps <= 1.5.9 – Authenticated (Editor+) Stored Cross-Site Scripting
Quebely <= 1.8.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘className’ Block Option
Visualizer <= 3.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Shortcodes Ultimate <= 5.12.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
WordPress Comments Import & Export <= 2.3.1 – CSV Injection
Pie Register <= 3.8.2.2 – Open Redirect
???????? <= 6.0.1 – Reflected Cross-Site Scripting
Link Juice Keeper <= 2.0.2 – Authenticated (Admin+) Stored Cross-Site Scripting
Chained Quiz <= 1.3.2.5 – Authenticated (Admin+) Stored Cross-Site Scripting
Quick Paypal Payments <= 5.7.25 – Authenticated (Administrator+) Stored Cross-Site Scripting
Arigato Autoresponder and Newsletter <= 2.7.1 – Authenticated (Admin+) Stored Cross-Site Scripting
Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_add_folder
0mk Shortener <= 0.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
Wicked Folders <= 2.18.16 – Missing Authorization on ajax_move_object
Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_save_state
Wicked Folders <= 2.18.16 – Missing Authorization on ajax_add_folder
Wicked Folders <= 2.18.16 – Missing Authorization via ajax_unassign_folders
Wicked Folders <= 2.18.16 – Missing Authorization on ajax_save_folder
Wicked Folders <= 2.18.16 – Missing Authorization via ajax_delete_folder
Wicked Folders <= 2.18.16 – Missing Authorization on ajax_edit_folder
Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_save_folder_order
Wicked Folders <= 2.18.16 – Cross-Site Request Forgery on ajax_save_folder
Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_edit_folder
Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_delete_folder
Auto Affiliate Links <= 6.2.1.5 – Authenticated (Subscriber+) Plugin Settings Change
Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_clone_folder
Wicked Folders <= 2.18.16 – Missing Authorization on ajax_save_folder_order
Wicked Folders <= 2.18.16 – Missing Authorization on ajax_save_sort_order
Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_save_sort_order
Wicked Folders <= 2.18.16 – Missing Authorization on ajax_clone_folder
WPCode <= 2.0.6 – Missing Authorization to Sensitive Key Disclosure/Update
Quiz And Survey Master <= 8.0.8 – Cross-Site Request Forgery to Arbitrary Media Deletion
Wicked Folders <= 2.18.16 – Missing Authorization via ajax_save_state
ShopLentor <= 2.5.1 – Cross-Site Request Forgery to Post Updates
Wicked Folders <= 2.18.16 – Cross-Site Request Forgery on ajax_move_object
Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_unassign_folders
CURCY <= 2.1.25 – Missing Authorization to Currency Exchange Retrieval
eCommerce Product Catalog plugin for WordPress <= 3.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
Under Construction <= 3.96 – Cross-Site Request Forgery via admin_action_ucp_dismiss_notice
Booking Calendar Contact Form <= 1.2.34 – Missing Authorization to Authenticated (Subscriber+) Feedback Form Submission
Booking Calendar Contact Form <= 1.2.34 – Cross-Site Request Forgery via cpdexbccf_feedback
Podlove Podcast Publisher <= 3.8.3 – Cross-Site Request Forgery
A2 Optimized WP <= 3.0.4 – Cross-Site Request Forgery
Under Construction <= 3.96 – Cross-Site Request Forgery via admin_action_install_weglot
Void Contact Form 7 Widget For Elementor Page Builder <= 2.1.1 – Cross-Site Request Forgery in void_cf7_opt_in_user_data_track
Ajax Search Lite <= 4.10.3 – Missing Authorization leading to Authenticated (Subscriber+) Sensitive Information Disclosure
Google Maps CP <= 1.0.43 – Cross-Site Request Forgery via feedback_action
All-in-one Google Analytics, Pixels and Product Feed Manager for WooCommerce <= 5.2.3 – Cross-Site Request Forgery
PayPal Brasil para WooCommerce <= 1.4.2 – Cross-Site Request Forgery
Google Maps CP <= 1.0.43 – Missing Authorization to Authenticated (Subscriber+) Feedback Form Submission
Mercado Pago payments for WooCommerce <= 6.3.1 – Cross-Site Request Forgery
Album and Image Gallery plus Lightbox <= 1.6.2 – Cross-Site Request Forgery
ColorWay <= 4.2.3 – Cross-Site Request Forgery
If you’d like to receive this weekly vulnerability report by email, along with Wordfence Intelligence CE product updates, sign up for the Wordfence Intelligence Community Edition Newsletter by filling out the form below.
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence Community Edition leaderboard, along with a mention in our weekly vulnerability report.