Bogus URL Shorteners Go Mobile-Only in AdSense Fraud Campaign

Since September 2022, our team has been tracking a bogus URL shortener redirect campaign that started with just a single domain: ois[.]is. By the beginning of 2023, this malware campaign had expanded to over a hundred domain names that redirect traffic to low-quality Q&A sites and monetize it via Google AdSense. In fact, since the beginning of this year alone, Sucuri’s remote website scanner has detected various strains of this malware on over 24,000 websites.

Continue reading Bogus URL Shorteners Go Mobile-Only in AdSense Fraud Campaign at Sucuri Blog.

How to Quickly Find & Fix Mixed Content Issues (SSL/HTTPS)

With the web’s increased emphasis on security, all sites should operate on HTTPS. Installing an SSL certificate allows you to make that transition with your website. But it can also have an unintended consequence for sites that have previously been operating on HTTP: mixed content issues and warnings.

In this post, we’ll take a look at common reasons for mixed content errors, what causes them, and how you can fix them on your website.

Continue reading How to Quickly Find & Fix Mixed Content Issues (SSL/HTTPS) at Sucuri Blog.

WordPress Vulnerability & Patch Roundup August 2023

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected.

Continue reading WordPress Vulnerability & Patch Roundup August 2023 at Sucuri Blog.

Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023)

Last week, there were 43 vulnerabilities disclosed in 38 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 23 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 17 |
| Patched | 26 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 0 |
| Medium Severity | 35 |
| High Severity | 6 |
| Critical Severity | 2 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 16 |
| Missing Authorization | 13 |
| Cross-Site Request Forgery (CSRF) | 8 |
| Unrestricted Upload of File with Dangerous Type | 2 |
| Reliance on Untrusted Inputs in a Security Decision | 1 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Use of Less Trusted Source | 1 |
| Improper Privilege Management | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Rafshanzani Suhada | 6 |
| Abdi Pranata | 3 |
| Rio Darmawan | 3 |
| Rafie Muhammad | 3 |
| Mahesh Nagabhairava | 2 |
| Nguyen Xuan Chien | 2 |
| yuyuddn | 1 |
| Bob Matyas | 1 |
| Carlos David Garrido León | 1 |
| Skalucy | 1 |
| Nithissh S | 1 |
| Animesh Gaurav | 1 |
| Muhammad Daffa | 1 |
| konagash | 1 |
| Dipak Panchal | 1 |
| Bartłomiej Marek | 1 |
| Tomasz Swiadek | 1 |
| An Dang | 1 |
| Erwan LR | 1 |
| Mika | 1 |
| Lana Codes (Wordfence Vulnerability Researcher) | 1 |
| Dmitrii Ignatyev | 1 |
| Revan Arifio | 1 |


Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| Category Slider for WooCommerce | woo-category-slider-grid |
| Collapse-O-Matic | jquery-collapse-o-matic |
| Cookies by JM | cookies-by-jm |
| DX-auto-save-images | dx-auto-save-images |
| DoLogin Security | dologin |
| ElementsKit Elementor addons | elementskit-lite |
| FTP Access | ftp-access |
| FV Flowplayer Video Player | fv-wordpress-flowplayer |
| Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | folders |
| Herd Effects – fake notifications and social proof plugin | mwp-herd-effect |
| Hide My WP Ghost – Security Plugin | hide-my-wp |
| Jupiter X Core | jupiterx-core |
| Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages | page-builder-add |
| Leyka | leyka |
| Lock User Account | lock-user-account |
| Master Addons for Elementor | master-addons |
| MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system |
| Min Max Control – Min Max Quantity & Step Control for WooCommerce | woo-min-max-quantity-step-control-single |
| Post and Page Builder by BoldGrid – Visual Drag and Drop Editor | post-and-page-builder |
| Posts Like Dislike | posts-like-dislike |
| Premmerce User Roles | premmerce-user-roles |
| Push Notification for Post and BuddyPress | push-notification-for-post-and-buddypress |
| ReviewX – Multi-criteria Rating & Reviews for WooCommerce | reviewx |
| Royal Elementor Addons and Templates | royal-elementor-addons |
| Save as Image plugin by Pdfcrowd | save-as-image-by-pdfcrowd |
| Save as PDF plugin by Pdfcrowd | save-as-pdf-by-pdfcrowd |
| Secure Admin IP | secure-admin-ip |
| Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management | simple-urls |
| Slimstat Analytics | wp-slimstat |
| Sticky Social Media Icons | sticky-social-media-icons |
| Translate WordPress with GTranslate | gtranslate |
| URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress | url-shortify |
| Vertical marquee plugin | vertical-marquee-plugin |
| Void Elementor Post Grid Addon for Elementor Page builder | void-elementor-post-grid-addon-for-elementor-page-builder |
| WP Adminify – WordPress Dashboard Customization \| Custom Login \| Admin Columns \| Dashboard Widget \| Media Library Folders | adminify |
| WP VK-付费内容插件(付费阅读/资料/工具软件资源管理) | wp-vk |
| gAppointments – Appointment booking addon for Gravity Forms | gAppointments |
| iThemes Sync | ithemes-sync |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

JupiterX Core <= 3.3.5 – Unauthenticated Arbitrary File Upload

Affected Software: Jupiter X Core
CVE ID: CVE-2023-38388
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/980a9237-7dea-4058-a850-b849457b4fef

JupiterX Core <= 3.3.8 – Unauthenticated Privilege Escalation

Affected Software: Jupiter X Core
CVE ID: CVE-2023-38389
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b894473b-b2ed-475b-892e-603db609f88a

Folders <= 2.9.2 – Authenticated (Author+) Arbitrary File Upload

Affected Software: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35afef52-350c-4b61-b9c0-3ae2572f81fb

Premmerce User Roles <= 1.0.12 – Missing Authorization via role management functions

Affected Software: Premmerce User Roles
CVE ID: CVE-2023-41130
CVSS Score: 8.3 (High)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f53cd4a3-a6db-42c2-b4d8-218071c4bcd4

Master Addons for Elementor <= 2.0.3 – Missing Authorization

Affected Software: Master Addons for Elementor
CVE ID: CVE-2023-40679
CVSS Score: 7.3 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6150c355-1046-483e-aa8b-463c3752021d

MasterStudy LMS <= 3.0.17 – Privilege Escalation

Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education
CVE ID: CVE-2023-4278
CVSS Score: 7.3 (High)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df00c8bc-8acd-4197-86fe-b88cb47d52c3

Simple URLs <= 117 – Unauthenticated Cross-Site Scripting

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE-2023-40667
CVSS Score: 7.2 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54c38be0-ffe7-4fa4-b5c9-cb717c11aed5

URL Shortify <= 1.7.5 – Unauthenticated Stored Cross-Site Scripting via Referrer Header


Collapse-O-Matic <= 1.8.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Collapse-O-Matic
CVE ID: CVE-2023-40669
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa85abba-e13f-42cd-8f13-432ed375fb37

Simple URLs <= 117 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE-2023-40674
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8147f63-91a5-457c-8259-8e4ddf5c67e4

FTP Access <= 1.0 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: FTP Access
CVE ID: CVE-2023-3510
CVSS Score: 6.1 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a1e0d55-2894-450b-afaf-134a13512403

gAppointments – Appointment booking addon for Gravity Forms <= 1.9.7 – Reflected Cross-Site Scripting

Affected Software: gAppointments – Appointment booking addon for Gravity Forms
CVE ID: CVE-2023-2705
CVSS Score: 6.1 (Medium)
Researcher/s: Carlos David Garrido León
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19983f79-b439-4bb0-8f29-8312f1ff9791

Min Max Control <= 4.5 – Reflected Cross-Site Scripting

Affected Software: Min Max Control – Min Max Quantity & Step Control for WooCommerce
CVE ID: CVE-2023-4270
CVSS Score: 6.1 (Medium)
Researcher/s: Animesh Gaurav
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4240fcda-c61d-4888-8837-5012e5ba1f26

ElementsKit Elementor addons <= 2.9.1 – Missing Authorization

Affected Software: ElementsKit Elementor addons
CVE ID: CVE-2023-39993
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ff589ec-756d-4183-8bb8-61dae9be7c5d

FV Flowplayer Video Player <= 7.5.37.7212 – Insufficient Input Validation to Unauthenticated Stored Cross-Site Scripting and Arbitrary Usermeta Update

Affected Software: FV Flowplayer Video Player
CVE ID: CVE-2023-4520
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c55ca7d4-6bc0-49c9-8ce0-50fff8775a76

Void Elementor Post Grid Addon for Elementor Page builder <= 2.1.10 – Missing Authorization to Review Notice Dismissal

Affected Software: Void Elementor Post Grid Addon for Elementor Page builder
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b847857-5dc9-4793-b9d6-759f27377fe3

Push Notification for Post and BuddyPress <= 1.63 – Missing Authorization to Unauthenticated Admin Notice Dismissal

Affected Software: Push Notification for Post and BuddyPress
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/228a3c72-fbb0-48bc-8066-6ca954a14421

Hide My WP Ghost <= 5.0.25 – CAPTCHA Bypass in brute_math_authenticate

Affected Software: Hide My WP Ghost – Security Plugin
CVE ID: CVE-2023-34001
CVSS Score: 5.3 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5618db77-fe74-4982-92b3-cec554640bde

Posts Like Dislike <= 1.1.1 – Missing Authorization to Authenticated (Subscriber+) Plugin Setting Reset

Affected Software: Posts Like Dislike
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8babc42a-c45c-423f-bd09-da7afb947691

Secure Admin IP <= 2.0 – Missing Authorization via ‘saveSettings’

Affected Software: Secure Admin IP
CVE ID: CVE-2023-41133
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0f38af7-7753-4dbe-a4fd-e9a01785dd13

DoLogin Security <= 3.6 – IP Address Spoofing

Affected Software: DoLogin Security
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/def06edd-ea4f-4b49-9902-b179d40e4133

Vertical Marquee Plugin <= 7.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Vertical marquee plugin
CVE ID: CVE-2023-40677
CVSS Score: 4.4 (Medium)
Researcher/s: yuyuddn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06c86c87-840c-4ca6-9582-98254194eb1b

Cookies by JM <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cookies by JM
CVE ID: CVE-2023-40604
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3aa2a693-831b-44e7-b158-99fecf6506be

Slimstat Analytics <= 5.0.8 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Slimstat Analytics
CVE ID: CVE-2023-40676
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c14a863-2aed-4f65-a0e3-eb73e485ce85

Save as PDF plugin by Pdfcrowd <= 2.16.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: Save as PDF plugin by Pdfcrowd
CVE ID: CVE-2023-40668
CVSS Score: 4.4 (Medium)
Researcher/s: Mahesh Nagabhairava
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52056177-8604-48b9-ab50-d0dc1e13a3d5

GTranslate <= 3.0.3 – Authenticated (Administrator+) Cross-Site Scripting via Multiple Parameters

Affected Software: Translate WordPress with GTranslate
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e24be91-6a58-42c3-84dd-4090da55b720

WP Adminify <= 3.1.5 – Authenticated (Admin+) Stored Cross-Site Scripting


Save as Image plugin by Pdfcrowd <= 2.16.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Save as Image plugin by Pdfcrowd
CVE ID: CVE-2023-40665
CVSS Score: 4.4 (Medium)
Researcher/s: Mahesh Nagabhairava
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74b284b7-ec0a-42c1-82e5-0c8cb422c0c5

Leyka <= 3.30.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Leyka
CVE ID: CVE-2023-2995
CVSS Score: 4.4 (Medium)
Researcher/s: An Dang
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95210ed8-4606-44fa-b823-b33e1d4a4ce0

Landing Page Builder <= 1.5.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting


WP VK-付费内容插件 <= 1.3.3 – Cross-Site Request Forgery via AJions

Affected Software: WP VK-付费内容插件(付费阅读/资料/工具软件资源管理)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c6bc786-341a-4ab6-b86e-d21bb3dbf298

iThemes Sync <= 2.1.13 – Cross-Site Request Forgery and Missing Authorization via ‘hide_authenticate_notice’

Affected Software: iThemes Sync
CVE ID: CVE-2023-40001
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f9229f2-e7dd-43c9-9c15-9b76c13e895b

Simple URLs <= 117 – Missing Authorization via AJAX actions

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE-2023-40678
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/118e1a8c-a638-4571-9ce9-cf2cba4b9b06

DX-auto-save-images <= 1.4.0 – Cross-Site Request Forgery

Affected Software: DX-auto-save-images
CVE ID: CVE-2023-40671
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f2fb51b-984c-4b82-98d4-9a681a1855a7

Royal Elementor Addons <= 1.3.75 – Cross-Site Request Forgery

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2022-47175
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4809d513-69e8-4572-9549-9dba9f40cb80

Sticky Social Media Icons <= 2.0 – Missing Authorization via ajax_request_handle

Affected Software: Sticky Social Media Icons
CVE ID: CVE-2023-40672
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/58cfb328-40d0-4bea-a707-d5d6c1ce364a

ReviewX <= 1.6.17 – Missing Authorization in rx_coupon_from_submit

Affected Software: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
CVE ID: CVE-2023-40670
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a9f4fb7-92f5-4136-9ca3-cf7bf5c0b717

Herd Effects <= 5.2.3 – Cross-Site Request Forgery to Effect Deletion

Affected Software: Herd Effects – fake notifications and social proof plugin
CVE ID: CVE-2023-4318
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fd15c0b-cd3b-45e7-8379-b0e64e64d6b1

Category Slider for WooCommerce <= 1.4.15 – Missing Authorization via notice dismissal functionality

Affected Software: Category Slider for WooCommerce
CVE ID: CVE-2023-41132
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab1bd64b-8575-4ab4-bca5-8d5ce6f476d1

Simple URLs <= 117 – Cross-Site Request Forgery via AJAX actions

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf101b60-f12e-4326-8e39-96d6415a218d

Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.24.1 – Cross-Site Request Forgery via submitDefaultEditor

Affected Software: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor
CVE ID: CVE-2023-25480
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf801042-5cd5-424f-a25a-858302285170

Slimstat Analytics <= 5.0.5.1 – Missing Authorization via delete_pageview

Affected Software: Slimstat Analytics
CVE ID: CVE-2023-33994
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbb8501e-7e8b-4ed6-8792-c685a69de982

Lock User Account <= 1.0.3 – Cross-Site Request Forgery to Account Lock/Unlock

Affected Software: Lock User Account
CVE ID: CVE-2023-4307
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d06f265c-c1c1-4316-9526-3392f6ee31da

As a reminder, Wordfence has curated an industry-leading database of all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, direct submissions from vulnerability researchers via our CVE Request form, and monitoring of a wide range of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023) appeared first on Wordfence.

Introducing Free Wordfence Intelligence WordPress Vulnerability Webhook Notifications!

We’re incredibly excited to announce that we have launched a webhook integration for vulnerabilities as part of Wordfence Intelligence, which enables users to stay on top of the latest vulnerabilities being added to the Wordfence Intelligence WordPress Vulnerability database, all completely for free! This webhook feature makes it possible for users to receive real-time updates sent to a URL of their choice whenever new vulnerabilities are added to the Wordfence Intelligence WordPress Vulnerability Database, along with updates when vulnerability records are updated or deleted. In addition, our system can send new vulnerability notifications directly to a Slack or Discord channel based on pre-configured webhooks.

Wait, did you say free? Yes! This is a completely free-to-use feature. When we launched the public interface for Wordfence Intelligence and made API access to the vulnerability database free last December, our mission was to make our commercial high-quality WordPress vulnerability information easy to access for all users of the community, and that mission hasn’t changed. Whether you’re an individual site owner making sure no vulnerabilities are present on your site, a security researcher looking to stay on top of the latest vulnerabilities, or an enterprise or developer looking to integrate quality vulnerability information into their platform or software, the Wordfence Intelligence Vulnerability Database is there to serve those needs for free.

Every vulnerability record added to the database is manually curated and validated by our team of highly credentialed and industry leading vulnerability researchers. We monitor as many vulnerability sources as possible including other WordPress vulnerability databases, changeset references, plugin closures, the CVE list, and more to ensure we remain on top of all the latest vulnerabilities affecting the WordPress ecosystem, as well as conducting our own in-house research to positively contribute to the security of the WordPress ecosystem. Our free database is one of the most complete WordPress vulnerability databases on the market with CVSS scores, detailed descriptions, succinct titles, references to affected code/changesets, and more, providing our users with the most accurate and high-quality information available to secure their sites or clients.

Getting Started With Webhooks Today

In order to get started with setting up a webhook integration, you need to have an account on http://www.wordfence.com, which can be created at https://www.wordfence.com/sign-in/?action=register

Once registered and logged in, you can access http://www.wordfence.com/account/integrations where you should see the following page to manage the Webhooks Integration:

Once ready to configure a webhook, you can click the ‘Add Webhook’ button in the top right corner where you should see the following prompt:

Here you have the option to configure what notifications you’d like to receive. ‘Create’ will send the entire JSON formatted record of any new vulnerability entries in our database to the configured URL, while ‘Replace’ will send the entire JSON formatted record of any modified vulnerabilities, and ‘Delete’ will send the UUID for any vulnerability records that have been deleted.

If you opt to format the data for Discord/Slack, you may only receive ‘Create’ events, which occur when new vulnerabilities are added to the database.

You also have the ability to generate and define a secret that is used to sign every delivered payload with an HMAC signature, so your application can verify the authenticity and integrity of the data it receives.

Once a webhook has been configured, you’ll be able to view the last status code to verify things are running as expected, and have the option to edit, test, and view the logs for each configured webhook. You may also delete any webhook integration, or edit and disable any integrations. There is currently no limit to how many webhooks you can have configured.

If you are utilizing the webhook updates to maintain a local database of vulnerabilities, we recommend you do a one-time dump of vulnerabilities using the Wordfence Intelligence vulnerability API and then monitor the creations, updates, and deletions using a webhook integration.
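As an added example (not Wordfence’s code and not taken from the webhook documentation), here is what a receiving endpoint that follows the two recommendations above would do: verify the HMAC signature over the raw request body before parsing it, then apply ‘Create’, ‘Replace’ and ‘Delete’ events to a local store keyed by record UUID that was seeded from a one-time API dump. The header name `X-Signature`, the HMAC-SHA256/hex construction, the `event`/`data` envelope and the `id` field are assumptions made for this example; the actual signing scheme and field names are those in the Wordfence webhook documentation.

```python
import hashlib
import hmac
import json

# Constructed values for the example; the real secret is the one generated in the
# Wordfence webhook settings, and the real header name comes from the documentation.
SECRET = b"constructed-example-secret"
SIGNATURE_HEADER = "X-Signature"   # ASSUMPTION: placeholder header name


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 over the raw body (ASSUMPTION: algorithm/encoding)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented) -> bool:
    """Recompute the MAC over the exact bytes received and compare in constant time,
    so a forged or tampered delivery is rejected before any JSON is parsed."""
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, presented or "")


def encode_message(event: str, data) -> bytes:
    """Build a delivery body in the envelope this example assumes: {event, data}."""
    return json.dumps({"event": event, "data": data}, sort_keys=True).encode()


def apply_event(store: dict, event: str, payload) -> str:
    """Apply one event to the local store. Create/Replace carry the full record
    (keyed here by an assumed 'id' field); Delete carries only the record UUID."""
    if event in ("create", "replace"):
        store[payload["id"]] = payload
        return "stored"
    if event == "delete":
        uuid = payload if isinstance(payload, str) else payload["id"]
        return "removed" if store.pop(uuid, None) is not None else "unknown"
    raise ValueError(f"unexpected event type: {event}")


def handle_webhook(store: dict, secret: bytes, headers: dict, body: bytes):
    """What a request handler would return as (http_status, message)."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER)):
        return 401, "signature mismatch"          # reject before touching the body
    try:
        message = json.loads(body)
        result = apply_event(store, str(message["event"]).lower(), message["data"])
    except (ValueError, KeyError, TypeError) as exc:
        return 400, f"malformed payload: {exc}"
    return 200, result


def demo():
    """Walk an empty store through create, replace, delete and a tampered delivery."""
    store, outcomes = {}, []
    record_id = "11111111-2222-3333-4444-555555555555"   # constructed UUID
    deliveries = [
        ("Create", {"id": record_id, "title": "Example Plugin <= 1.0 - CSRF", "cvss": 4.3}),
        ("Replace", {"id": record_id, "title": "Example Plugin <= 1.0 - CSRF", "cvss": 5.3}),
        ("Delete", record_id),
    ]
    for event, data in deliveries:
        body = encode_message(event, data)
        headers = {SIGNATURE_HEADER: sign_payload(SECRET, body)}
        outcomes.append(handle_webhook(store, SECRET, headers, body))
    # A valid signature for one body presented with a modified body must fail.
    body = encode_message("Create", {"id": "tampered"})
    headers = {SIGNATURE_HEADER: sign_payload(SECRET, body)}
    outcomes.append(handle_webhook(store, SECRET, headers, body + b" "))
    return store, outcomes


if __name__ == "__main__":
    final_store, results = demo()
    for status, msg in results:
        print(status, msg)
    print("records left:", len(final_store))
```

The order matters: the signature is checked over the raw bytes and the body is parsed only afterwards, so a malformed or forged delivery never reaches the JSON parser or the store, and `hmac.compare_digest` avoids leaking the expected MAC through timing differences.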

If you’d simply like to stay on top of the latest vulnerabilities, we recommend using the Slack/Discord integration that pre-formats the data and sends it directly to the supplied webhook channel integration. The data will appear in your Slack/Discord channel like so:

You can find all of the technical documentation for creating webhook integrations at: https://www.wordfence.com/help/wordfence-intelligence-webhook-notifications/ 

Conclusion

We are incredibly excited about the launch of this feature as we know that it will enable more site owners, security researchers, developers, and enterprises to more effectively implement vulnerability monitoring and notifications. This in turn will have a positive impact on the WordPress ecosystem and security of the internet as a whole.

On a final note, we’d like to say a special thank you to our Premium, Care, and Response customers who make providing this vulnerability information to the community for free possible. Without your support and trust, we wouldn’t be able to provide completely free access to some of the best vulnerability information available on the market with the Wordfence Intelligence Vulnerability Database, all while continuing to create and provide integrations that make access to WordPress vulnerability information as seamless as possible for everyone.

The post Introducing Free Wordfence Intelligence WordPress Vulnerability Webhook Notifications! appeared first on Wordfence.

Compromised OpenCart Payment Module Steals Credit Card Information

Today’s story starts much the same as many others on this blog: A new client came to us reporting that credit card details were being compromised from their checkout page. The website owner had even been contacted by a major credit card company who had identified their domain as a “common point of purchase” of reportedly compromised cards. Thus begins our investigation into tracking down the culprit.

Magecart infections in OpenCart

Magecart is the nickname given to web-based malware that harvests credit card data from compromised ecommerce websites.

Continue reading Compromised OpenCart Payment Module Steals Credit Card Information at Sucuri Blog.
