Last week, there were 55 vulnerabilities disclosed in 46 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 15 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• WPvivid Backup Plugin <= 0.9.90 – Missing Authorization via start_staging and get_staging_progress
• MultiVendorX <= 4.0.25 – Improper Authorization on REST Routes via save_settings_permission
• PowerPress <= 11.0.10 – Authenticated(Contributor+) Stored Cross-Site Scripting via Media URL

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	16
Patched	39

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	0
Medium Severity	37
High Severity	16
Critical Severity	2

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	18
Cross-Site Request Forgery (CSRF)	7
Missing Authorization	6
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	5
Deserialization of Untrusted Data	5
Information Exposure	4
Authorization Bypass Through User-Controlled Key	3
Server-Side Request Forgery (SSRF)	2
Improper Control of Generation of Code (‘Code Injection’)	1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	1
Incorrect Privilege Assignment	1
Improper Authorization	1
Unverified Password Change	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Lana Codes (Wordfence Vulnerability Researcher)	20
foobar7	5
Marco Wotschka (Wordfence Vulnerability Researcher)	5
Yan&Co ApS	2
Vladislav Pokrovsky	2
Chloe Chamberland (Wordfence Vulnerability Researcher)	1
Nguyen Anh Tien	1
Do Xuan Trung	1
osama-hamad	1
Rafie Muhammad	1
Dmitrii Ignatyev	1
Alex Thomas (Wordfence Vulnerability Researcher)	1
teo23mal	1
David Anderson	1
Pablo Sanchez	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
10Web Map Builder for Google Maps	wd-google-maps
Allow PHP in Posts and Pages	allow-php-in-posts-and-pages
Awesome Weather Widget	awesome-weather
BAN Users	ban-users
Booking Calendar	booking
Booking calendar, Appointment Booking System	booking-calendar
Booster for WooCommerce	woocommerce-jetpack
Checkout Field Editor	woocommerce-checkout-field-editor
Comments – wpDiscuz	wpdiscuz
Crayon Syntax Highlighter	crayon-syntax-highlighter
DoLogin Security	dologin
Dropbox Folder Share	dropbox-folder-share
Enable Media Replace	enable-media-replace
Essential Addons for Elementor	essential-addons-for-elementor-lite
Essential Blocks Pro	essential-blocks-pro
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates	essential-blocks
Feeds for YouTube (YouTube video, channel, and gallery plugin)	feeds-for-youtube
File Manager Pro – Filester	filester
Google Maps Plugin by Intergeo	intergeo-maps
Horizontal scrolling announcement	horizontal-scrolling-announcement
JQuery Accordion Menu Widget	jquery-vertical-accordion-menu
Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation	zero-bs-crm
Leyka	leyka
Login with phone number	login-with-phone-number
MapPress Maps for WordPress	mappress-google-maps-for-wordpress
Migration, Backup, Staging – WPvivid	wpvivid-backuprestore
MultiVendorX – MultiVendor Marketplace Solution For WooCommerce	dc-woocommerce-multi-vendor
Page Builder: Pagelayer – Drag and Drop website builder	pagelayer
Photospace Responsive Gallery	photospace-responsive
PowerPress Podcasting plugin by Blubrry	powerpress
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress	quiz-master-next
Read More & Accordion	expand-maker
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF	shortpixel-image-optimiser
Simplr Registration Form Plus+	simplr-registration-form
Slimstat Analytics	wp-slimstat
Testimonial Slider Shortcode	testimonial-slider-shortcode
WP Customer Reviews	wp-customer-reviews
WP User Control	wp-user-control
WS Facebook Like Box Widget	ws-facebook-likebox
Welcart e-Commerce	usc-e-shop
WooCommerce	woocommerce
WooCommerce Beta Tester	woocommerce-beta-tester
WooCommerce CVR Payment Gateway	woocommerce-cvr-payment-gateway
WooCommerce EAN Payment Gateway	woocommerce-ean-payment-gateway
WooCommerce Subscription	woocommerce-subscriptions
WordPress File Upload	wp-file-upload
woocommerce-checkout-field-editor	woocommerce-checkout-field-editor

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Allow PHP in Posts and Pages <= 3.0.4 – Authenticated (Subscriber+) Remote Code Execution via Shortcode

---

Dropbox Folder Share <= 1.9.7 – Unauthenticated Local File Inclusion

---

Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Blind SQL Injection via Shortcode

---

Welcart e-Commerce <= 2.8.21 – Authenticated(level_5+) SQL Injection via get_logs

---

Simplr Registration Form Plus+ <= 2.4.5 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change

---

Login with phone number <= 1.4.8 – Cross-Site Request Forgery to User Password Change

---

Essential Addons for Elementor <= 5.8.8 – Authenticated (Contributor+) Privilege Escalation

---

BAN Users <= 1.5.3 – Missing Authorization to Authenticated (Subscriber+) Settings Update & Privilege Escalation

---

Horizontal scrolling announcement <= 9.2 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

File Manager Pro – Filester – <= 1.7.6 – Cross-Site Request Forgery to Arbitrary File Rename

---

MultiVendorX <= 4.0.25 – Improper Authorization on REST Routes via ‘save_settings_permission’

---

WPvivid Backup Plugin <= 0.9.90 – Missing Authorization via ‘start_staging’ and ‘get_staging_progress’

---

Essential Blocks <= 4.2.0 – Unauthenticated PHP Object Injection via products

---

Essential Blocks <= 4.2.0 – Unauthenticated PHP Object Injection via queries

---

Read More & Accordion <= 3.2.2 – Authenticated (Administrator+) PHP Object Injection

---

Booking calendar, Appointment Booking System <= 3.2.8 – Multiple Authenticated(Editor+) SQL Injection

---

Dropbox Folder Share <= 1.9.7 – Unauthenticated Server-Side Request Forgery via ‘link’

---

WooCommerce Beta Tester < 2.2.4 – Authenticated (Administrator+) SQL Injection

---

Enable Media Replace <= 4.1.2 – Authenticated(Editor+) PHP Object Injection

---

ShortPixel Image Optimizer <= 5.4.1 – Authenticated(Editor+) PHP Object Injection

---

Booking Calendar <= 9.7.3 – Unauthenticated Stored Cross-Site Scripting

---

Testimonial Slider Shortcode <= 1.1.8 – Authenticated (Contributor+) Cross-Site Scripting Vulnerability via Shortcode

---

Feeds for YouTube <= 2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Awesome Weather Widget <= 3.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Crayon Syntax Highlighter <= 2.8.4 – Authenticated (Contributor+) Server Side Request Forgery

---

WS Facebook Like Box Widget <= 5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Booster for WooCommerce <= 7.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

PowerPress <= 11.0.10 – Authenticated(Contributor+) Stored Cross-Site Scripting via Media URL

---

JQuery Accordion Menu Widget <= 3.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

MapPress Maps for WordPress <= 2.88.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Google Maps Plugin by Intergeo <= 2.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Horizontal scrolling announcement <= 9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Jetpack CRM <= 5.5.0 – Authenticated (Client+) Stored Cross-Site Scripting

---

PageLayer <= 1.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

WooCommerce <= 7.8.2 – Sensitive Information Exposure

---

wpDiscuz <= 7.6.3 – Insecure Direct Object Reference to Post Rating Increase/Decrease

---

wpDiscuz <= 7.6.3 – Insecure Direct Object Reference to Comment Rating Increase/Decrease

---

Leyka <= 3.30.3 – Authenticated (Subscriber+) Sensitive Information Exposure

---

WP User Control <= 1.5.3 – Insecure Password Reset Mechanism

---

WooCommerce <= 7.0.0 – Authenticated(Shop Manager+) Sensitive Information Exposure

---

WordPress File Upload <= 4.23.2 – Authenticated(Administrator+) Stored Cross-Site Scripting

---

Jetpack CRM <= 5.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Photospace Responsive <= 2.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Migration, Backup, Staging – WPvivid <= 0.9.90 – Authenticated(Administrator+) Stored Cross-Site Scripting

---

WP Customer Reviews <= 3.6.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

WooCommerce Subscription < 4.6.0 – Cross-Site Request Forgery

---

DoLogin Security <= 3.7 – Missing Authorization on Dashboard Widget

---

WooCommerce EAN Payment Gateway < 6.1.0 – Missing Authorization to Authenticated (Contributor+) EAN Update

---

Quiz And Survey Master <= 8.1.15 – Cross-Site Request Forgery via ‘display_results’

---

10Web Map Builder for Google Maps <= 1.0.73 – Cross-Site Request Forgery to Notice Dismissal

---

10Web Map Builder for Google Maps <= 1.0.73 – Missing Authorization to Notice Dismissal

---

Checkout Field Editor (Premium) < 1.7.5 – Cross-Site Request Forgery

---

Booster for WooCommerce <= 7.1.0 – Authenticated (Subscriber+) Information Disclosure via Shortcode

---

Checkout Field Editor <= 1.7.4 – Cross-Site Request Forgery to Checkout Fields Update

---

WooCommerce CVR Payment Gateway < 6.1.0 – Missing Authorization to Authenticated (Contributor+) CVR Update

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 11, 2023 to September 17, 2023) appeared first on Wordfence.

On August 18, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two PHP Object Injection vulnerabilities in the Essential Blocks plugin for WordPress, a plugin with over 100,000 installations.

We received a response three days later and sent over our full disclosure on August 23, 2023. A patched version of the free plugin, 4.2.1, was released on August 29, 2023 with version 1.1.1 for the Pro version released the same day.

We issued a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers on August 18, 2023. Sites still running the free version of Wordfence received the same protection on September 17, 2023. We recommend that all Wordfence users update to the patched version, 4.2.1 (1.1.1 for Pro), as soon as possible as this will entirely eliminate the vulnerabilities.

Vulnerability Summary from Wordfence Intelligence

The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Technical Analysis

The Essential Blocks plugin provides more than 40 blocks to its users including sliders, buttons, pricing tables, maps and others. An API is provided to query for posts and products via the queries and products API endpoints which do not require authentication.

Unfortunately, query data and attributes were passed in PHP’s serialized string format and were subsequently unserialized by the functions get_posts (for the queries endpoint) and get_products (for the products endpoint) in /includes/API/PostBlock.php and /includes/API/Product.php, respectively.

get_posts function

get_products function

Attackers could utilize this to inject a PHP object with properties of their choosing. The presence of a PHP POP chain can make it possible for an attacker to execute arbitrary code, create and delete files and potentially ultimately take over a vulnerable site. Fortunately, no POP chain is present in the Essential Blocks plugin, which means an attacker would require another plugin or theme installed on the vulnerable site with a POP chain present in order to fully exploit these vulnerabilities. It is worth mentioning that POP chains can sometimes be found in popular plugins and libraries which include destructor methods that perform cleanup tasks when an Object is destroyed or deserialized.

Despite the lack of a POP chain in the Essential Blocks plugin itself, and the complexity involved in exploiting these types of vulnerabilities, a successful attack often leads to severe consequences. We explain how PHP Object Injections work in this blog post, if you are interested to find out more about their inner workings.

Timeline

August 17, 2023 – The Wordfence Threat Intelligence team discovers two PHP Object Injection vulnerabilities in the Essential Blocks plugin.
August 18, 2023 – We release a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers and initiate the disclosure process.
August 23, 2023 – We send the full disclosure to the plugin developer.
August 29, 2023 – A patched version of the Essential Blocks plugin, 4.2.1 (1.1.1 for Pro), is released.
September 17, 2023 – The firewall rule becomes available to free Wordfence users.

Conclusion

In this blog post, we covered two PHP Object Injection vulnerabilities in the Essential Blocks plugin affecting versions 4.2.0 and earlier in the Free version of the plugin and versions 1.1.0 and earlier in the Pro version. These vulnerabilities allow unauthenticated threat actors to query the plugin’s API using serialized malicious payloads that are subsequently deserialized. They have been fully addressed in version 4.2.1 of the free version of the plugin and 1.1.1 of the Pro version of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Essential Blocks.

All Wordfence running Wordfence Premium, Wordfence Care, and Wordfence Response, have been protected against these vulnerabilities as of August 18, 2023. Users still using the free version of Wordfence received protection on September 17, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

The post Two PHP Object Injection Vulnerabilities Fixed in Essential Blocks appeared first on Wordfence.

Last week, there were 107 vulnerabilities disclosed in 89 WordPress Plugins and 5 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 36 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• Form Maker by 10Web <= 1.15.19 – Unauthenticated Arbitrary File Upload
• Media Library Assistant <= 3.09 – Unauthenticated Local/Remote File Inclusion & Remote Code Execution

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	44
Patched	63

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	2
Medium Severity	89
High Severity	11
Critical Severity	5

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	35
Cross-Site Request Forgery (CSRF)	31
Missing Authorization	24
Unrestricted Upload of File with Dangerous Type	3
Authorization Bypass Through User-Controlled Key	2
Deserialization of Untrusted Data	2
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	2
External Control of File Name or Path	1
Improper Input Validation	1
Server-Side Request Forgery (SSRF)	1
Improper Privilege Management	1
Improper Neutralization of Formula Elements in a CSV File	1
Improper Encoding or Escaping of Output	1
Information Exposure	1
Improper Authorization	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Rio Darmawan	11
Mika	10
Abdi Pranata	10
Rafshanzani Suhada	7
thiennv	5
yuyudhn	4
Rafie Muhammad	4
LEE SE HYOUNG	3
Le Ngoc Anh	3
NGÔ THIÊN AN	3
Nguyen Xuan Chien	3
Marco Wotschka (Wordfence Vulnerability Researcher)	2
Revan Arifio	2
Lana Codes (Wordfence Vulnerability Researcher)	2
Skalucy	2
Elliot	2
FearZzZz	2
qilin_99	2
Pepitoh	1
Shuning Xu	1
deokhunKim	1
DoYeon Park	1
spacecroupier	1
Nguyen Anh Tien	1
Debangshu Kundu	1
Arpeet Rathi	1
Ravi Dharmawan	1
Theodoros Malachias	1
Alexander Concha	1
Pedro José Navas Pérez	1
Alex Sanford	1
emad	1
Emili Castells	1
Pavitra Tiwari	1
Alex Concha	1
László Radnai	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
AcyMailing – Newsletter & mailing automation for WordPress	acymailing
All in One B2B for WooCommerce	all-in-one-b2b-for-woocommerce
Analytify – Google Analytics Dashboard For WordPress (GA4 made easy)	wp-analytify
Auto Amazon Links – Amazon Associates Affiliate Plugin	amazon-auto-links
Automatic YouTube Gallery	automatic-youtube-gallery
Back To The Top Button	back-to-the-top-button
BackupBliss – Backup Migration Staging	backup-backup
BitPay Checkout for WooCommerce	bitpay-checkout-for-woocommerce
Bulk NoIndex & NoFollow Toolkit	bulk-noindex-nofollow-toolkit-by-mad-fish
CP Blocks	cp-blocks
Carousel Slider	carousel-slider
Click To Tweet	click-to-tweet
Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms	fluentform
Cookie Notice & Consent	cookie-notice-consent
Customizable WordPress Gallery Plugin – Modula Image Gallery	modula-best-grid-gallery
Directorist – WordPress Business Directory Plugin with Classified Ads Listings	directorist
Duplicate Post Page Menu & Custom Post Type	duplicate-post-page-menu-custom-post-type
EWWW Image Optimizer	ewww-image-optimizer
Easy Form by AYS	easy-form
Easy WP Cleaner	easy-wp-cleaner
Email posts to subscribers	email-posts-to-subscribers
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor	embedpress
Export Import Menus	export-import-menus
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder	form-maker
Goods Catalog	goods-catalog
Hide admin notices – Admin Notification Center	wp-admin-notification-center
Insert Estimated Reading Time	insert-estimated-reading-time
Laposta Signup Basic	laposta-signup-basic
Laposta Signup Embed	laposta-signup-embed
Leadster	leadster-marketing-conversacional
Live News	live-news-lite
Locations	locations
MailMunch – Grow your Email List	mailmunch
Media Library Assistant	media-library-assistant
My Account Page Editor	my-account-page-editor
MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce	mycryptocheckout
Notice Bar	notice-bar
Order Delivery Date for WP e-Commerce	order-delivery-date
Outbound Link Manager	outbound-link-manager
POEditor	poeditor
Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress	wp-user-avatar
PeproDev CF7 Database	pepro-cf7-database
Poll Maker – Best WordPress Poll Plugin	poll-maker
Premium Starter Templates	astra-pro-sites
RSVPMaker	rsvpmaker
Realbig For WordPress	realbig-media
Regpack	regpack
Rescue Shortcodes	rescue-shortcodes
Restrict – membership, site, content and user access restrictions for WordPress	restricted-content
SAML Single Sign On – SSO Login Standard	miniorange-saml-20-single-sign-on
SIS Handball	sis-handball
SendPress Newsletters	sendpress
Simple Download Counter	simple-download-counter
Simple Membership	simple-membership
Slider Pro	sliderpro
Social Share, Social Login and Social Comments Plugin – Super Socializer	super-socializer
Staff / Employee Business Directory for Active Directory	ldap-ad-staff-employee-directory-search
StagTools	stagtools
Starter Templates — Elementor, WordPress & Beaver Builder Templates	astra-sites
Stock Quotes List	stock-quotes-list
Sunshine Photo Cart	sunshine-photo-cart
Swifty Bar, sticky bar by WPGens	swifty-bar
TelSender – Сontact form 7, Events, Wpforms and wooccommerce to telegram bot	telsender
Tilda Publishing	tilda-publishing
Travel Map	travelmap-blog
UniConsent CMP for GDPR CPRA GPP TCF	uniconsent-cmp
Use Memcached	use-memcached
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds	userfeedback-lite
User Submitted Posts – Enable Users to Submit Posts from the Front End	user-submitted-posts
VS Contact Form	very-simple-contact-form
WP Accessibility Helper (WAH)	wp-accessibility-helper
WP Crowdfunding	wp-crowdfunding
WP Custom Post Template	wp-custom-post-template
WP Directory Kit	wpdirectorykit
WP Gallery Metabox	wp-gallery-metabox
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts	wedevs-project-manager
WP iCal Availability	wp-ical-availability
WP-dTree	wp-dtree-30
WRC Pricing Tables – WordPress Responsive CSS3 Pricing Tables	wrc-pricing-tables
WiserNotify Social Proof & FOMO Notification, WooCommerce Sales Popup, Review Popups, Notification Bars & Urgency Widgets	wiser-notify
WooCommerce PensoPay	woo-pensopay
Woocommerce Support System	wc-support-system
WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds	another-wordpress-classifieds-plugin
WordPress File Sharing Plugin	user-private-files
WordPress Social Login	wordpress-social-login
iFolders – Ultimate Folder Manager for Media, Pages, Posts & etc	ifolders
rtMedia for WordPress, BuddyPress and bbPress	buddypress-media
wordpress publish post email notification	publish-post-email-notification
wpCentral	wp-central

---

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Attorney	attorney
Flatsome	flatsome
Raise Mag	raise-mag
Wishful Blog	wishful-blog
Woodmart	woodmart

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Media Library Assistant <= 3.09 – Unauthenticated Local/Remote File Inclusion & Remote Code Execution

---

RSVPMaker <= 10.6.6 – Unauthenticated PHP Object Injection

---

All in One B2B for WooCommerce <= 1.0.3 – Unauthenticated Privilege Escalation

---

Flatsome <= 3.17.5 – Unauthenticated PHP Object Injection

---

Form Maker by 10Web <= 1.15.19 – Unauthenticated Arbitrary File Upload

---

WP Project Manager <= 2.6.0 – Authenticated (Subscriber+) SQL Injection

---

Export Import Menus <= 1.8.0 – Authenticated (Contributor+) Arbitrary File Upload

---

My Account Page Editor <= 1.3.1 – Authenticated (Subscriber+) Arbitrary File Upload

---

ProfilePress <= 4.13.2 – Limited Privilege Escalation via ‘acceptable_defined_roles’

---

Woocommerce Support System <= 1.2.0 – Missing Authorization

---

Woocommerce Support System <= 1.2.0 – Authenticated (Administrator+) SQL Injection via ‘orderby’

---

Travel Map <= 1.0.1 – Unauthenticated Cross-Site Scripting

---

Click To Tweet <= 2.0.14 – Unauthenticated Cross-Site Scripting

---

PeproDev CF7 Database <= 1.7.0 – Unauthenticated Stored Cross-Site Scripting via form submission

---

Simple Membership <= 4.3.5 – Reflected Cross-Site Scripting

---

User Feedback <= 1.0.7 – Unauthenticated Stored Cross-Site Scripting

---

All in One B2B for WooCommerce <= 1.0.3 – Cross-Site Request Forgery

---

Auto Amazon Links <= 5.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via style

---

Goods Catalog <= 2.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Rescue Shortcodes <= 2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Starter Templates <= 3.2.4 – Authenticated (Contributor+) Server-Side Request Forgery

---

Simple Download Counter <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

User Submitted Posts <= 20230901 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

WordPress Social Login <= 3.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20230811 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Notice Bar <= 3.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Locations <= 4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Attorney <= 3 – Reflected Cross-Site Scripting

---

Restrict <= 2.2.4 – Reflected Cross-Site Scripting

---

WooCommerce PensoPay <= 6.3.1 – Reflected Cross-Site Scripting via ‘pensopay_action’

---

WoodMart <= 7.2.4 – Reflected Cross-Site Scripting

---

AcyMailing SMTP Newsletter <= 8.6.2 – Reflected Cross-Site Scripting

---

Stagtools <= 2.3.7 – Reflected Cross-Site Scripting

---

Poll Maker <= 4.7.0 – Reflected Cross-Site Scripting

---

Wishful Blog <= 2.0.1 & Raise Mag <= 1.0.7 – Unauthenticated Cross-Site Scripting

---

Stock Quotes List <= 2.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Tilda Publishing <= 0.3.21 – Missing Authorization

---

Staff / Employee Business Directory for Active Directory <= 1.2.1 – Insufficient Escaping of Stored LDAP Values

---

Easy WP Cleaner <= 1.9 – Cross-Site Request Forgery

---

Contact Form for Plugin by Fluent Forms <= 5.0.8 – Insecure Direct Object Reference

---

Sunshine Photo Cart <= 3.0.5 – Insecure Direct Object Reference to Order Manipulation

---

TelSender <= 1.14.7 – Missing Authorization

---

WP Directory Kit <= 1.2.6 – Missing Authorization

---

Email posts to subscribers <= 6.2 – Missing Authorization to Sensitive Information Exposure

---

WRC Pricing Tables <= 2.3.7 – Missing Authorization

---

WiserNotify Social Proof <= 2.5 – Missing Authorization

---

EWWW Image Optimizer <= 7.2.0 – Sensitive Information Exposure

---

VS Contact Form <= 13.9 – Missing Authorization

---

BitPay Checkout for WooCommerce <= 4.1.0 – Missing Authorization

---

UniConsent Cookie Consent CMP for GDPR / CCPA <= 1.4.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

WordPress File Sharing Plugin <= 2.0.3 – Authenticated (Admin+) Stored Cross-Site Scripting

---

Insert Estimated Reading Time <= 1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Cookie Notice & Consent 1.6.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

SendPress Newsletters <= 1.22.3.31 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Swifty Bar, sticky bar by WPGens <= 1.2.10 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

wordpress publish post email notification <= 1.0.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

iFolders <= 1.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Order Delivery Date for WP e-Commerce <= 1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Email posts to subscribers <= 6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Back To The Top Button <= 2.1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Regpack <= 0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Backup Migration <= 1.2.9 – Cross-Site Request Forgery

---

Automatic YouTube Gallery <= 2.3.3 – Missing Authorization via AJAX actions

---

rtMedia for WordPress, BuddyPress and bbPress <= 4.6.14 – Missing Authorization via export_settings

---

Super Socializer <= 7.13.54 – Missing Authorization

---

Laposta Signup Embed <= 1.1.0 – Missing Authorization

---

CP Blocks <= 1.0.20 – Cross-Site Request Forgery to Settings Update

---

Leadster <= 1.1.2 – Cross-Site Request Forgery

---

EmbedPress <= 3.8.3 – Cross-Site Request Forgery

---

Live News <= 1.06 – Cross-Site Request Forgery

---

WP Gallery Metabox <= 1.0.0 – Cross-Site Request Forgery

---

wpCentral <= 1.5.7 – Cross-Site Request Forgery

---

Laposta Signup Embed <= 1.1.0 – Cross-Site Request Forgery

---

POEditor <= 0.9.4 – Cross-Site Request Forgery

---

Carousel Slider <= 2.2.2 – Missing Authorization

---

SIS Handball <= 1.0.45 – Cross-Site Request Forgery

---

Bulk NoIndex & NoFollow Toolkit <= 1.5 – Missing Authorization

---

rtMedia for WordPress, BuddyPress and bbPress <= 4.6.14 – Missing Authorization to Settings Update

---

WP-dTree <= 4.4.5 – Cross-Site Request Forgery

---

Realbig <= 1.0.2 – Cross-Site Request Forgery

---

Order Delivery Date for WP e-Commerce <= 1.2 – Cross-Site Request Forgery

---

Click To Tweet <= 2.0.14 – Missing Authorization

---

Outbound Link Manager <= 1.2 – Cross-Site Request Forgery

---

Analytify Dashboard <= 5.1.0 – Missing Authorization to Opt-In

---

AWP Classifieds <= 4.3 – Cross-Site Request Forgery

---

Use Memcached <= 1.0.5 – Cross-Site Request Forgery

---

WP Custom Post Template <= 1.0 – Cross-Site Request Forgery

---

Laposta Signup Basic <= 1.4.1 – Missing Authorization

---

WP Accessibility Helper (WAH) <= 0.6.2.4 – Missing Authorization via AJAX action

---

Hide admin notices – Admin Notification Center <= 2.3.2 – Cross-Site Request Forgery

---

WP iCal Availability <= 1.0.3 – Cross-Site Request Forgery

---

Super Socializer <= 7.13.54 – Cross-Site Request Forgery

---

rtMedia for WordPress, BuddyPress and bbPress <= 4.6.14 – Missing Authorization to Sensitive Information Exposure

---

SAML SP Single Sign On <= 5.0.4 – Missing Authorization to notice dismissal

---

WP Crowdfunding <= 2.1.4 – Missing Authorization via settings_reset

---

Laposta Signup Basic <= 1.4.1 – Cross-Site Request Forgery

---

Duplicate Post Page Menu & Custom Post Type <= 2.3.1 – Missing Authorization to Post Duplication

---

ProfilePress <= 4.13.1 Cross-Site Request Forgery via ‘admin_notice’

---

WP Crowdfunding <= 2.1.5 – Cross-Site Request Forgery

---

MyCryptoCheckout <= 2.125 – Cross-Site Request Forgery

---

Starter Templates <= 3.2.5 – Incorrect Authorization

---

Easy Form by AYS <= 1.3.8 – Cross-Site Request Forgery

---

MailMunch – Grow your Email List <= 3.1.2 – Cross-Site Request Forgery

---

Slider Pro <= 4.8.6 – Missing Authorization via AJAX actions

---

SendPress Newsletters <= 1.22.3.31 – Cross-Site Request Forgery

---

Directorist <= 7.7.1 – CSV Injection

---

Modula <= 2.7.4 – Incomplete Authorization via ‘save_image’ and ‘save_images’

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 4, 2023 to September 10, 2023) appeared first on Wordfence.

Wordfence recently launched Wordfence CLI, a high performance command line malware scanner, which makes use of our extensive set of malware detection signatures to rapidly scan file systems for infections.

In recent years, the WordPress community has seen a shift in emphasis towards prevention, rather than detection, of security incidents. This reflects the increased adoption of best practices such as Multi-Factor authentication, vulnerability management, and configuration hardening.

While we agree that prevention is always better than detection or remediation, one important concept in Cybersecurity is defense-in-depth, so it’s important to have a well thought-out incident response plan and adequate security monitoring in place. No security solution provides perfect protection against zero-day vulnerabilities, and even a fully locked-down site can be compromised if it shares resources with other sites that remain vulnerable. In today’s article, we’ll discuss our philosophy for securing websites, including several key cybersecurity challenges and concepts and how they relate to the case for malware scanners.

---

Security Should Serve Users, Not the Other Way Around

There’s an old saying that the best camera is the one you have on you, and likewise, the best security solution is the solution you’ll actually use. Users add to the complexity of securing systems, and it is easy to secure a system that nobody wants to use because it’s locked down. Security that’s easy to use and difficult to bypass is far better than security that’s difficult to use and impossible to bypass, and one guiding philosophy to cybersecurity is that nothing is truly impossible to bypass.

That’s why Wordfence prioritizes the user experience and strives to incorporate as many layers of security as possible into a package that’s easy to use for the vast majority of WordPress site owners. Traditionally this has meant plugin-based offerings. Despite the limitations of running security as a plugin, our many features, including our Web Application Firewall, Two Factor Authentication, Real-Time IP Blocklist, and Malware and Vulnerability scanner help secure over 4 million sites, detect millions of malicious files, and block billions of attacks each year.

In our 2022 Wordfence State of WordPress Security Report, we reported that our firewall blocked more than 159 Billion credential stuffing attacks, 23 Billion configuration scans, and about 12 billion attacks against vulnerabilities. You can also get a real-time view of the volume of attacks we are blocking on the Wordfence Intelligence Dashboard.

---

Assume Breach Mindset

While it might seem pessimistic, “assume breach” is a critical mindset in cybersecurity that involves planning mitigations in case a site is compromised. For many sites, even the most locked down ones, compromise is a matter of when, not if, and rapid detection is key to minimizing the damage. If your site has been compromised, it is important to find out as soon as possible to prevent the attacker from gaining ground and elevating privileges throughout the system. A well thought-out incident response plan is useless if you’re unaware that an incident is occurring.

The Solarwinds breach, for instance, remained undetected for more than a year, allowing threat actors to infect thousands of critical systems via a supply-chain attack. With adequate security monitoring and detection in place, this year-long infection could have been detected much sooner and impacted far fewer systems if detected earlier. This also highlights how even those striving to put forth the best security may still have gaps in coverage where an attacker can breach defenses.

---

Layered Security

No single solution will ever be perfect, and it is not possible to completely eliminate risk, only manage it. One of the most effective ways to manage risk is to layer defenses so that bypassing any one layer does not allow an attacker to take complete control. This is why, for instance, it is important to use both strong passwords and multifactor authentication, and why backups are important but not a replacement for intrusion detection.

Another example of this is the contrast between Cloud-based solutions versus our Web Application Firewall – a Cloud solution would be well-suited to providing DDOS protection and blocking some generic attacks, while our WAF benefits from running with the plugin because it can block attacks specifically targeted against WordPress vulnerabilities without unnecessarily blocking legitimate administrative traffic.

Our team has deployed hundreds of firewall rules that take advantage of our Web Application Firewall’s unique capabilities. Many of the privilege escalation and authentication bypass vulnerabilities we see have parameters and values that require specialized experience and techniques to adequately block. For instance, many privilege escalation vulnerabilities, such as the one we found in the JupiterX Theme, make use of administrative functionality that has been accidentally exposed to low-level users, often via an AJAX action.

With a generic ruleset from ModSecurity, attacks of this type couldn’t be blocked without entirely breaking most site functionality. Even the most advanced cloud firewalls able to scan POST parameters by terminating TLS at the edge would still prevent administrative users from performing necessary tasks. Thanks to our custom firewall rules, the Wordfence firewall is able to easily block malicious traffic without impacting site functionality, and thanks to our in-house vulnerability research we’re often the first to release firewall rules for new critical vulnerabilities.

---

Trusting Trust

An often overlooked concept in cybersecurity is the problem of “trusting trust.” On any given system, an attacker that can run code can tamper with any other code running at the same privilege level. This is often used as an argument against plugin-based malware scanners and admittedly does present a challenge since any attacker able to compromise a site to the point where they can execute code can run that code at the same level as a plugin.

Many of our users install Wordfence after they have become aware of a breach and successfully use our scanner for remediation. Most malware is still not sophisticated enough to evade detection in this way, and even malware that is designed to do so often fails to fully hide its tracks from detection. Additionally, based on research our team has done on WordPress threat actors, many are unwilling or unable to develop their own evasion payloads or pay the premium for off-the-shelf solutions.

Nonetheless, such tampering is becoming more common, and no plugin-based scanner is immune to it, but our plugin-based scanner still reliably detects an enormous amount of malware and we have the telemetry to prove it – roughly 1 million sites successfully used Wordfence to clean malware in 2022, based on the total number of sites we saw infections on compared the number of sites that remained infected at the end of the year.

Fortunately, even the most cleverly designed file-based malware can’t successfully hide from a scanner it can’t tamper with, and Wordfence CLI is an effective solution for sites that need this extra layer of detection.

---

Responsible Remediation

When it comes to remediation, a one-size-fits-all approach simply doesn’t work. Many sites have unique needs, custom code, or technical debt. Replacing core WordPress files and plugins with known clean versions can fix many issues, and our scanner offers the option to do this, but many infections will simply reoccur if the root cause is not addressed. Tools to automate remediation can be incredibly useful, but fully automated remediation can cause more problems than it solves while providing a false sense of security – there should always be a human making final remediation decisions. This is why our Wordfence Care and Wordfence Response offerings use skilled analysts to clean your website and get it back into working order, and we highly recommend these services to less experienced site owners, or site owners who simply want to trust the experts to handle remediation.

---

Continuous Improvement

Our malware signatures are designed to detect not only active infections but also artifacts generated by malware and other indicators of compromise. Our team of specialists constantly monitors new malware variants and we release dozens of new signatures every month to keep up with attackers. Since our signatures use carefully crafted regular expressions, each signature can detect thousands and oftentimes even millions of unique malicious files.

In the spirit of continuous improvement, we’ve launched an additional, user-friendly layer of security with our Wordfence CLI scanner. While it is designed for power users and administrators, it unlocks new possibilities for detection that were not available with our plugin scanner.

---

More Flexibility with Wordfence CLI

One of the most frequent requests we’ve received over the years was the ability to run scans programmatically via the command line rather than via the plugin. Not only does this mitigate tampering concerns and result in a massive performance boost, but it also allows for extended use cases – you can use it to scan backups outside of the webroot to ensure their integrity before restoring them, or to more thoroughly scan for database infections by running it against database exports, since scanning live databases tends to be extremely resource-intensive. You can use it to quickly scan just files that were recently modified by piping the results from the Linux find command to the Wordfence cli scanner, or exclude signatures from the scan in the rare cases where your custom code is detected by one of our signatures.

Wordfence CLI is open-source and can be fully customized or forked, and while our basic Free signature set may not be used for commercial purposes, it is designed to detect the most widespread indicators of compromise found on more than 90% of all infected sites. Bear in mind that most infections involve multiple malicious components, so for more comprehensive scanning and remediation, we recommend our Commercial signature set which detects more than 18 million unique malware variants in the wild.

Conclusion

In today’s article, we discussed some key components of our strategy for securing websites, including user experience, layered security, the assumption of breach, the problem of trusting trust, responsible remediation, and our drive for continuous improvement. Our goal is to provide the best security possible for your website, and that means providing security you’ll actually use.

While no single solution offers perfect protection, Wordfence offers prevention, detection, and remediation packages that will significantly improve your security posture while remaining compatible with other solutions. With the launch of Wordfence CLI, it is now possible to scan hundreds or even thousands of sites with a single, competitively priced license, all while conserving server resources.

The post Malware Scanning: An Essential Layer of Website Security appeared first on Wordfence.

On August 24, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) and a Blind SQL Injection vulnerability in the Slimstat Analytics plugin, which is actively installed on more than 100,000 WordPress websites. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages or execute SQL queries by appending them to an existing SQL query using the plugin’s shortcode.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting and SQL Injection protection.

We contacted VeronaLabs on August 24, 2023, and we received a response on the same day. After providing full disclosure details, the developer released a patch on August 28, 2023. We would like to commend VeronaLabs for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Slimstat Analytics, version 5.0.10 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slimstat’ shortcode in versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin’s shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Technical Analysis

Slimstat Analytics is a WordPress website traffic analytics plugin that offers several features for analyzing and monitoring traffic. It provides a shortcode ([slimstat]) that displays various types of statistics when added to a WordPress page or post.

Unfortunately, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the code reveals that the shortcode has several types based on the ‘f’ parameter. In vulnerable versions, the ‘top-all’ type does not adequately sanitize the user-supplied ‘w’ attribute, and then fails to escape the ‘class’ output derived from the ‘w’ parameter when it displays the statistics. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘w’ attribute.

public static function slimstat_shortcode($_attributes = '', $_content = '')
{
	shortcode_atts(array(
		'f' => '',    // recent, popular, count, widget
		'w' => '',    // column to use (for recent, popular and count) or widget to use
		's' => ' ',    // separator
		'o' => 0    // offset for counters
	), $_attributes);
line 724

$output = '<ul class="slimstat-shortcode ' . $f . implode('-', $w) . '">' . implode('', $output) . '</ul>';

The slimstat_shortcode method snippet in the wp_slimstat class

This makes it possible for threat actors with contributor-level access to a site to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or that a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.

Further examining the code, we also found a SQL Injection vulnerability within the same shortcode. Although the ‘w’ parameter will be converted into an array, it is not properly sanitized. This parameter is used for the column in the database query, and although the prepare function is used, the column is not specified as a placeholder, which makes it possible for an attacker to perform SQL injection attacks.

$w = self::string_to_array($w);

The slimstat_shortcode method snippet in the wp_slimstat class

public static function get_top($_column = 'id', $_where = '', $_having = '', $_use_date_filters = true, $_as_column = '')
{
	// This function can be passed individual arguments, or an array of arguments
	if (is_array($_column)) {
		$_where            = !empty($_column['where']) ? $_column['where'] : '';
		$_having           = !empty($_column['having']) ? $_column['having'] : '';
		$_use_date_filters = !empty($_column['use_date_filters']) ? $_column['use_date_filters'] : true;
		$_as_column        = !empty($_column['as_column']) ? $_column['as_column'] : '';
		$_column           = $_column['columns'];
	}

	$group_by_column = $_column;

	if (!empty($_as_column)) {
		$_column = "$_column AS $_as_column";
	} else {
		$_as_column = $_column;
	}

	$_where = self::get_combined_where($_where, $_as_column, $_use_date_filters);

	// prepare the query
	$sql = $GLOBALS['wpdb']->prepare("
		SELECT $_column, COUNT(*) counthits
		FROM {$GLOBALS['wpdb']->prefix}slim_stats
		WHERE $_where
		GROUP BY $group_by_column $_having
		ORDER BY counthits DESC
		LIMIT 0, %d", self::$filters_normalized['misc']['limit_results']);
	return self::get_results($sql, ((!empty($_as_column) && $_as_column != $_column) ? $_as_column : $_column),
		'counthits DESC', ((!empty($_as_column) && $_as_column != $_column) ? $_as_column : $_column),
		'SUM(counthits) AS counthits');
}

The get_top method in the wp_slimstat_db class

Since no data from the SQL query was returned in the response, an attacker would need to use a Time-Based blind approach to extract information from the database. This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database. This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities.

Disclosure Timeline

August 24, 2023 – Wordfence Threat Intelligence team discovers the stored XSS and SQL Injection vulnerabilities in Slimstat Analytics.
August 24, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
August 26, 2023 – The vendor confirms the inbox for handling the discussion.
August 26, 2023 – We send over the full disclosure details for the XSS vulnerability.
August 27, 2023 – We send over the full disclosure details for the SQL injection vulnerability.
August 27, 2023 – The vendor acknowledges the report and begins working on a fix.
August 28, 2023 – The fully patched version, 5.0.10, is released.

Conclusion

In this blog post, we have detailed stored XSS and SQL Injection vulnerabilities within the Slimstat Analytics plugin affecting versions 5.0.9 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page, and extract sensitive information from a database. These vulnerabilities have been fully addressed in version 5.0.10 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Slimstat Analytics.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

The post Over 100,000 WordPress Websites Affected by XSS and SQLi Vulnerabilities in Slimstat Analytics Plugin appeared first on Wordfence.

Last week, there were 64 vulnerabilities disclosed in 61 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

 

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	37
Patched	27

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	2
Medium Severity	53
High Severity	6
Critical Severity	3

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	29
Missing Authorization	12
Cross-Site Request Forgery (CSRF)	11
Unrestricted Upload of File with Dangerous Type	5
Server-Side Request Forgery (SSRF)	1
URL Redirection to Untrusted Site (‘Open Redirect’)	1
Improper Input Validation	1
Authorization Bypass Through User-Controlled Key	1
Improper Control of Generation of Code (‘Code Injection’)	1
Use of Less Trusted Source	1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Rio Darmawan	11
Rafie Muhammad	5
Lana Codes (Wordfence Vulnerability Researcher)	4
thiennv	3
LEE SE HYOUNG	3
Mika	2
Zlrqh	2
Dmitrii	2
László Radnai	2
Elliot	2
Marco Wotschka (Wordfence Vulnerability Researcher)	2
Bartłomiej Marek	2
Tomasz Swiadek	2
Abdi Pranata	2
Phd	1
Emili Castells	1
Pavitra Tiwari	1
Ramuel Gall (Wordfence Vulnerability Researcher)	1
FearZzZz	1
emad	1
Prasanna V Balaji	1
deokhunKim	1
yuyudhn	1
Le Ngoc Anh	1
Dipak Panchal	1
mehmet	1
Lokesh Dachepalli	1
Jonas Höbenreich	1
Enrico Marcolini	1
Animesh Gaurav	1
Jonatas Souza Villa Flor	1
Ravi Dharmawan	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Activity Log	aryo-activity-log
AffiliateWP	AffiliateWP
All-in-One WP Migration Box Extension	all-in-one-wp-migration-box-extension
All-in-One WP Migration Dropbox Extension	all-in-one-wp-migration-dropbox-extension
All-in-One WP Migration Google Drive Extension	all-in-one-wp-migration-gdrive-extension
All-in-One WP Migration OneDrive Extension	all-in-one-wp-migration-onedrive-extension
Better Elementor Addons	better-elementor-addons
Bridge Core	bridge-core
Ditty – Responsive News Tickers, Sliders, and Lists	ditty-news-ticker
DoLogin Security	dologin
Easy Coming Soon	easy-coming-soon
Easy Newsletter Signups	easy-newsletter-signups
Email Encoder – Protect Email Addresses and Phone Numbers	email-encoder-bundle
Fast & Effective Popups & Lead-Generation for WordPress – HollerBox	holler-box
FileOrganizer – Manage WordPress and Website Files	fileorganizer
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager	folders
Font Awesome 4 Menus	font-awesome-4-menus
Forminator – Contact Form, Payment Form & Custom Form Builder	forminator
GiveWP – Donation Plugin and Fundraising Platform	give
GuruWalk Affiliates	guruwalk-affiliates
Happy Addons for Elementor Pro	happy-elementor-addons-pro
Import XML and RSS Feeds	import-xml-feed
Localize Remote Images	localize-remote-images
Login and Logout Redirect	login-and-logout-redirect
LuckyWP Scripts Control	luckywp-scripts-control
Maintenance Switch	maintenance-switch
MakeStories (for Google Web Stories)	makestories-helper
Metform Elementor Contact Form Builder	metform
Multi-column Tag Map	multi-column-tag-map
Olive One Click Demo Import	olive-one-click-demo-import
Order Tracking – WordPress Status Tracking Plugin	order-tracking
Ovic Product Bundle	ovic-product-bundle
Popup Builder – Create highly converting, mobile friendly marketing popups.	popup-builder
Popup box	ays-popup-box
PowerPress Podcasting plugin by Blubrry	powerpress
Prevent files / folders access	prevent-file-access
Pricing Deals for WooCommerce	pricing-deals-for-woocommerce
RSVPMaker	rsvpmaker
Remove/hide Author, Date, Category Like Entry-Meta	removehide-author-date-category-like-entry-meta
Responsive Gallery Grid	responsive-gallery-grid
Sermon’e – Sermons Online	sermone-online-sermons-management
Simple 301 Redirects by BetterLinks	simple-301-redirects
Site Reviews	site-reviews
Sitekit	sitekit
Slimstat Analytics	wp-slimstat
Smarty for WordPress	smarty-for-wordpress
Snap Pixel	snap-pixel
Social Media Share Buttons & Social Sharing Icons	ultimate-social-media-icons
Social Share Boost	social-share-boost
Surfer – WordPress Plugin	surferseo
URL Shortener by MyThemeShop	mts-url-shortener
Ultimate Addons for Contact Form 7	ultimate-addons-for-contact-form-7
WP Bannerize Pro	wp-bannerize-pro
WP GoToWebinar	wp-gotowebinar
WP Search Analytics	search-analytics
WP Super Minify	wp-super-minify
WP Synchro – WordPress Migration Plugin for Database & Files	wpsynchro
WP Users Media	wp-users-media
WP-dTree	wp-dtree-30
WordPress Ecommerce For Creating Fast Online Stores – By SureCart	surecart
authLdap	authldap

---

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Arya Multipurpose Pro	arya-multipurpose-pro
Everest News Pro	everest-news-pro

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Forminator <= 1.24.6 – Unauthenticated Arbitrary File Upload

---

Import XML and RSS Feeds <= 2.1.4 – Unauthenticated Remote Code Execution

---

RSVPMarker <= 10.6.6 – Unauthenticated SQL Injection

---

Folders <= 2.9.2 – Authenticated (Author+) Arbitrary File Upload in handle_folders_file_upload

---

Give – Donation Plugin <= 2.33.0 – Authenticated(Give Manager+) Privilege Escalation

---

Olive One Click Demo Import <= 1.0.9 – Authenticated (Administrator+) Arbitrary File Upload in olive_one_click_demo_import_save_file

---

DoLogin Security <= 3.6 – Unauthenticated Stored Cross-Site Scripting

---

Prevent files / folders access <= 2.5.1 – Authenticated (Administrator+) Arbitrary File Upload in mo_media_restrict_page

---

Import XML and RSS Feeds <= 2.1.3 – Authenticated (Admin+) Arbitrary File Upload

---

Easy Newsletter Signups <= 1.0.4 – Missing Authorization

---

Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Sitekit <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sitekit_iframe ‘ shortcode

---

Font Awesome 4 Menus <= 4.7.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Email Encoder <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Login and Logout Redirect <= 2.0.2 – Open Redirect

---

Arya Multipurpose Pro <= 1.0.8 – Reflected Cross-Site Scripting

---

Social Media & Share Icons <= 2.8.3 – Reflected Cross-Site Scripting

---

URL Shortener by MyThemeShop <= 1.0.17 – Reflected Cross-Site Scripting via ‘page’

---

Sermon’e – Sermons Online <= 1.0.0 – Reflected Cross-Site Scripting

---

WP-dTree <= 4.4.5 – Reflected Cross-Site Scripting

---

Everest News Pro <= 1.1.7 – Reflected Cross-Site Scripting

---

Bridge Core <= 3.0.9 – Reflected Cross-Site Scripting

---

Ditty <= 3.1.24 – Reflected Cross-Site Scripting

---

Happy Elementor Addons Pro <= 2.8.0 – Reflected Cross-Site Scripting

---

Ultimate Addons for Contact Form 7 <= 3.1.32 – Reflected Cross-Site Scripting via ‘page’

---

Order Tracking Pro <= 3.3.6 – Reflected Cross-Site Scripting

---

WP Bannerize Pro <= 1.6.9 – Reflected Cross-Site Scripting

---

WP Search Analytics <= 1.4.7 – Reflected Cross-Site Scripting via ‘render_stats_page’

---

PowerPress <= 11.0.6 – Authenticated (Contributor+) Server-Side Request Forgery via wp_ajax_powerpress_media_info

---

Site Reviews <= 6.10.2 – Missing Authorization

---

Responsive Gallery Grid <= 2.3.10 – Cross-Site Request Forgery

---

LuckyWP Scripts Control <= 1.2.1 – Missing Authorization via multiple AJAX actions

---

Maintenance Switch <= 1.5.2 – Cross-Site Request Forgery via ‘admin_action_request’

---

Simple 301 Redirects <= 2.0.7 – Cross-Site Request Forgery via ‘clicked’

---

Surfer <= 1.1.2.298 – Missing Authorization

---

Pricing Deals for WooCommerce <= 2.0.3.2 – Missing Authorization via vtprd_ajax_clone_rule

---

Ovic Product Bundle <= 1.1.2 – Missing Authorization

---

Multiple ServMask Plugins <= (Various Versions) – Missing Authorization to Access Token Update

---

Localize Remote Images <= 1.0.9 – Cross-Site Request Forgery via admin menu

---

Multi-column Tag Map <= 17.0.26 – Missing Authorization

---

Activity Log <= 2.8.7 – IP Address Spoofing

---

Order Tracking Pro <= 3.3.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

GuruWalk Affiliates <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

---

SureCart <= 2.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

---

Smarty for WordPress <= 3.1.35 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

WP GoToWebinar <= 14.45 – Authenticated (Administrator+) Cross-Site Scripting

---

HollerBox <= 2.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Popup Builder <= 4.1.15 – Authenticated (Admin+) Stored Cross-Site Scripting

---

Snap Pixel <= 1.5.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Easy Coming Soon <= 2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

---

Popup Box <= 3.7.1 – Authenticated(Administrator+) Stored Cross-Site Scripting

---

WP Users Media <= 4.2.3 – Cross-Site Request Forgery in wpusme_save_settings

---

Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via ‘mf_first_name’ shortcode

---

Social Share Boost <= 4.5 – Cross-Site Request Forgery via ‘syntatical_settings_content’

---

Better Elementor Addons <= 1.3.5 – Missing Authorization

---

WP Users Media <= 4.2.3 – Missing Authorization via wpusme_save_settings

---

WP Super Minify <= 1.5.1 – Cross-Site Request Forgery via ‘wpsmy_admin_options’

---

Remove/hide Author, Date, Category Like Entry-Meta <= 2.1 – Cross-Site Request Forgery

---

MakeStories (for Google Web Stories) <= 2.8.0 – Cross-Site Request Forgery via ‘ms_set_options’

---

AffiliateWP <= 2.14.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation

---

authLdap <= 2.5.8 – Cross-Site Request Forgery

---

WP Migration Plugin DB & Files – WP Synchro <= 1.9.1 – Cross-Site Request Forgery

---

authLdap <= 2.5.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

FileOrganizer <= 1.0.2 – Authenticated (Admin+) Arbitrary File Access

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023) appeared first on Wordfence.