Last week, there were 116 vulnerabilities disclosed in 88 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 35 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• Jetpack <= 12.1 – Authenticated (Author+) Arbitrary File Manipulation
• Formidable Forms <= 6.3 – Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
• Wordapp <= 1.5.0 – Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
• WAF-RULE-603 – data redacted while we work with the developer to ensure the vulnerability this rule protects against gets patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	68
Patched	48

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	3
Medium Severity	93
High Severity	16
Critical Severity	4

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	36
Cross-Site Request Forgery (CSRF)	35
Missing Authorization	22
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	6
Improper Input Validation	2
Improper Authorization	2
Authorization Bypass Through User-Controlled Key	2
Authentication Bypass Using an Alternate Path or Channel	2
URL Redirection to Untrusted Site (‘Open Redirect’)	1
Improper Privilege Management	1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	1
Insufficient Verification of Data Authenticity	1
Server-Side Request Forgery (SSRF)	1
Use of Less Trusted Source	1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	1
Deserialization of Untrusted Data	1
Improper Control of Generation of Code (‘Code Injection’)	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Lana Codes (Wordfence Vulnerability Researcher)	22
Jonas Höbenreich	13
Mika	7
Rafie Muhammad	7
yuyudhn	6
LEE SE HYOUNG	6
thiennv	6
Alex Thomas (Wordfence Vulnerability Researcher)	4
Yuki Haruma	3
Ramuel Gall (Wordfence Vulnerability Researcher)	2
Dave Jong	2
Rafshanzani Suhada	2
Nguyen Xuan Chien	2
Rio Darmawan	2
Dongzhu Li	2
Emili Castells	2
Jerome Bruandet	2
Juampa Rodríguez	1
Le Hong Minh	1
Justiice	1
Skalucy	1
Elliot	1
40826d	1
Francesco Carlucci	1
konagash	1
TomS	1
Hamed	1
Le Ngoc Anh	1
Miguel Neto	1
TaeEun Lee	1
Vinay Kumar	1
Marco Wotschka (Wordfence Vulnerability Researcher)	1
Taihei Shimamine	1
minhtuanact	1
Mateus Machado Tesser	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Ajax Pagination and Infinite Scroll	malinky-ajax-pagination
B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More	b2bking-wholesale-for-woocommerce
BBS e-Popup	bbs-e-popup
Blog-in-Blog	blog-in-blog
Brizy – Page Builder	brizy
CRM Perks Forms – WordPress Form Builder	crm-perks-forms
CRM and Lead Management by vcita	crm-customer-relationship-management-by-vcita
Call Now Accessibility Button	accessibility-help-button
Call Now Icon Animate	call-now-icon-animate
Cart2Cart: Magento to WooCommerce Migration	cart2cart-magento-to-woocommerce-migration
Change WooCommerce Add To Cart Button Text	change-woocommerce-add-to-cart-button-text
Chilexpress woo oficial	chilexpress-oficial
Complianz – GDPR/CCPA Cookie Consent	complianz-gdpr
Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping	advanced-free-flat-shipping-woocommerce
Constant Contact Forms	constant-contact-forms
Contact Form Builder by vcita	contact-form-with-a-meeting-scheduler-by-vcita
Contact Form and Calls To Action by vcita	lead-capturing-call-to-actions-by-vcita
Custom Login Page | Temporary Users | Rebrand Login | Login Captcha	feather-login-page
Directorist – WordPress Business Directory Plugin with Classified Ads Listings	directorist
Disable WordPress Update Notifications and auto-update Email Notifications	disable-update-notifications
Display post meta, term meta, comment meta, and user meta	display-metadata
Donation Platform for WooCommerce: Fundraising & Donation Management	wc-donation-platform
Download Monitor	download-monitor
Dynamic QR Code Generator	dynamic-qr-code-generator
Dynamic Visibility for Elementor	dynamic-visibility-for-elementor
Event Registration Calendar By vcita	event-registration-calendar-by-vcita
Extended Post Status	extended-post-status
Favorites	favorites
File Manager Advanced Shortcode WordPress	file-manager-advanced-shortcode
Floating Action Button	floating-action-button
Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder	formidable
GDPR Cookie Consent Notice Box	cookie-consent-box
Google Fonts For WordPress	free-google-fonts
Gravityforms	gravityforms
Headless CMS	headless-cms
Interactive Image Map Plugin – Draw Attention	draw-attention
JS Job Manager	js-jobs
Jetpack – WP Security, Backup, Speed, & Growth	jetpack
Kanban Boards for WordPress	kanban
Kebo Twitter Feed	kebo-twitter-feed
LH Password Changer	lh-password-changer
LWS Hide Login	lws-hide-login
Login Configurator	login-configurator
Nested Pages	wp-nested-pages
Online Booking & Scheduling Calendar for WordPress by vcita	meeting-scheduler-by-vcita
Online Payments – Get Paid with PayPal, Square & Stripe	paypal-payment-button-by-vcita
Page Builder with Image Map by AZEXO	page-builder-by-azexo
Photo Gallery by 10Web – Mobile-Friendly Image Gallery	photo-gallery
Quick/Bulk Order Form for WooCommerce	woocommerce-bulk-order-form
ReviewX – Multi-criteria Rating & Reviews for WooCommerce	reviewx
Social Media Share Buttons & Social Sharing Icons	ultimate-social-media-icons
Social Share, Social Login and Social Comments Plugin – Super Socializer	super-socializer
SpamReferrerBlock	spamreferrerblock
TPG Redirect	tpg-redirect
TS Webfonts for さくらのレンタルサーバ	ts-webfonts-for-sakura
Telegram Bot & Channel	telegram-bot
Tutor LMS – eLearning and online course solution	tutor
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin	ultimate-member
Uncanny Toolkit for LearnDash	uncanny-learndash-toolkit
Unite Gallery Lite	unite-gallery-lite
User Email Verification for WooCommerce	woo-confirmation-email
VK Blocks	vk-blocks
WOLF – WordPress Posts Bulk Editor and Manager Professional	bulk-editor
WP Directory Kit	wpdirectorykit
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting	erp
WP Full Auto Tags Manager	wp-full-auto-tags-manager
WP Hide Post	wp-hide-post
WP Inventory Manager	wp-inventory-manager
WP Report Post	wp-report-post
WP User Switch	wp-user-switch
WP-Cache.com	wp-cachecom
WP-Cirrus	wp-cirrus
WPC Smart Wishlist for WooCommerce	woo-smart-wishlist
Web Directory Free	web-directory-free
WooCommerce Box Office	woocommerce-box-office
WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce	cartflows
Woocommerce Order address Print	woocommerce-order-address-print
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg	groundhogg
WordPress NextGen GalleryView	wordpress-nextgen-galleryview
WordPress Online Booking and Scheduling Plugin – Bookly	bookly-responsive-appointment-booking-tool
WordPress Social Login	wordpress-social-login
Wordapp	wordapp
Worthy – VG WORT Integration für WordPress	wp-worthy
Yandex Metrica Counter	counter-yandex-metrica
bbPress Toolkit	bbp-toolkit
bbp style pack	bbp-style-pack
premium-addons-pro	premium-addons-pro
wpForo Forum	wpforo

---

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
HashOne	hashone
Viral	viral
Viral News	viral-news

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Wordapp <= 1.5.0 – Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature

---

Tutor LMS <= 2.1.10 – Unauthenticated SQL Injection

---

Gravity Forms <= 2.7.3 – Unauthenticated PHP Object Injection

---

File Manager Advanced Shortcode WordPress <= 2.3.2 – Unauthenticated Arbitrary File Upload to Remote Code Execution via Shortcode

---

Directorist <= 7.5.4 – Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation

---

Feather Login Page 1.0.7 – 1.1.1 – Cross-Site Request Forgery to Privilege Escalation

---

Tutor LMS <= 2.2.0 – Authenticated (Student+) SQL Injection

---

ReviewX <= 1.6.13 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation

---

Tutor LMS <= 2.1.10 – Authenticated (Tutor Instructor+) SQL Injection

---

wpForo Forum <= 2.1.7 – Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents

---

Web Directory Free <= 1.6.7 – Authenticated (Contributor+) SQL Injection via post_id

---

WP User Switch <= 1.0.2 – Authenticated (Subscriber+) Authentication Bypass via Cookie

---

Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Authentication Bypass and Privilege Escalation

---

User Email Verification for WooCommerce <= 3.5.0 – Authentication Bypass

---

bbPress Toolkit <= 1.0.12 – Cross-Site Scripting

---

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Unauthenticated Stored Cross-Site Scripting

---

WP Report Post <= 2.1.2 – Authenticated (Editor+) SQL Injection

---

Groundhogg <= 2.7.10.3 – Authenticated (Administrator+) SQL Injection

---

Blog-in-Blog <= 1.1.1 – Authenticated (Editor+) Local File Inclusion via Shortcode

---

Cart2Cart: Magento to WooCommerce Migration <= 2.0.0 – Missing Authorization via setToken

---

Headless CMS <= 2.0.3 – Missing Authorization

---

Jetpack <= 12.1 – Authenticated (Author+) Arbitrary File Manipulation

---

B2BKing <= 4.6.00 – Missing Authorization to Authenticated(Subscriber+) Price Modification

---

Directorist <= 7.5.4 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task

---

Uncanny Toolkit for LearnDash <= 3.6.4.3 – Missing Authorization via review-banner-visibility REST route

---

Formidable Forms <= 6.3 – Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation

---

Contact Form Builder by vcita <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Page Builder by AZEXO <= 1.27.133 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

WooCommerce Box Office <= 1.1.50 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Contact Form and Calls To Action by vcita <= 2.6.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Favorites <= 2.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Display post meta, term meta, comment meta, and user meta <= 0.4.1 – Authenticated(Contributor+) Stored Cross-Site Scripting

---

CRM and Lead Management by vcita <= 2.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Page Builder by AZEXO <= 1.27.133 – Cross-Site Request Forgery to Post Creation/Modification/Deletion

---

Chilexpress woo oficial <= 1.2.9 – Reflected Cross-Site Scripting

---

CRM and Lead Management by vcita <= 2.6.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

---

Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

---

Contact Form and Calls To Action by vcita <= 2.6.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

---

Woocommerce Order address Print <= 3.2 – Reflected Cross-Site Scripting

---

Page Builder by AZEXO <= 1.27.133 – Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save

---

bbp style pack <= 5.5.5 – Reflected Cross-Site Scripting

---

Contact Form Builder by vcita <= 4.9.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

---

Social Share, Social Login and Social Comments <= 7.13.51 – Reflected Cross-Site Scripting

---

Dynamic QR Code Generator <= 0.0.5 – Reflected Cross-Site Scripting

---

WP Directory Kit <= 1.2.3 – Reflected Cross-Site Scripting via ‘search’

---

BBS e-Popup <= 2.4.5 – Reflected Cross-Site Scripting

---

Premium Addons PRO <= 2.8.24 – Reflected Cross-Site Scripting

---

Google Fonts For WordPress <= 3.0.0 – Reflected Cross-Site Scripting

---

Login Configurator <= 2.1 – Reflected Cross-Site Scripting

---

WP ERP <= 1.12.3 – Reflected Cross-Site Scripting

---

Blog-in-Blog <= 1.1.1 – Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode

---

Quick/Bulk Order Form for WooCommerce <= 3.5.7 – Authenticated (Shop manager+) Stored Cross-Site Scripting

---

Download Monitor <= 4.8.1 – Authenticated (Admin+) Server-Side Request Forgery

---

JS Job Manager <= 2.0.0 – Cross-Site Request Forgery via multiple functions

---

Groundhogg <= 2.7.10.3 – Cross-Site Request Forgery

---

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization to Settings Update and Media Upload

---

Dynamic Visibility for Elementor <= 5.0.5 – Missing Authorization to Authenticated(Subscriber+) Post Visibility Modification

---

Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Non-Arbitrary User Deletion

---

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization to Account Logout

---

Worthy – VG WORT Integration für WordPress <= 1.6.5-6497609 – Cross-Site Request Forgery

---

Extended Post Status <= 1.0.19 – Missing Authorization via wp_insert_post_data

---

Change WooCommerce Add To Cart Button Text <= 1.3 – Missing Authorization via rexvs_settings_submit

---

Page Builder by AZEXO <= 1.27.133 – Missing Authorization to Post Creation

---

WordPress Social Login <= 3.0.4 – Reflected Cross-Site Scripting

---

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Cross-Site Request Forgery to Account Logout

---

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization on REST-API

---

WooCommerce Box Office <= 1.1.51 – Missing Authorization

---

Call Now Accessibility Button <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Yandex Metrica Counter <= 1.4.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Unite Gallery Lite <= 1.7.60 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Download SpamReferrerBlock <= 2.22 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Telegram Bot & Channel <= 3.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Kanban Boards for WordPress <= 2.5.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Call Now Icon Animate <= 0.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

WordPress Social Login <= 3.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Bulk Order Form for WooCommerce <= 3.5.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

CRM Perks Forms <= 1.1.1 – Authenticated (Admin+) Stored Cross-Site Scripting

---

GDPR Cookie Consent Notice Box <= 1.1.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

TS Webfonts for さくらのレンタルサーバ <= 3.1.0 – Cross-Site Request Forgery

---

NextGen GalleryView <= 0.5.5 – Cross-Site Request Forgery

---

WP Report Post <= 2.1.2 – Cross-Site Request Forgery

---

Ajax Pagination and Infinite Scroll <= 2.0.1 – Cross-Site Request Forgery

---

VK Blocks <= 1.57.0.5 – Authenticated(Contributor+) Settings Update

---

Floating Action Button <= <=1.2.1 – Cross-Site Request Forgery

---

Photo Gallery <= 1.8.15 – Missing Authorization

---

Multiple Themes (Various Versions) – Missing Authorization to Arbitrary Plugin Activation

---

Draw Attention <= 2.0.11 – Missing Authorization to Arbitrary Post Featured Image Modification

---

LH Password Changer <= 1.55 – Cross-Site Request Forgery

---

Social Media & Share Icons <= 2.8.1 – Missing Authorization via handle_installation

---

Advanced Flat rate shipping Woocommerce <= 1.6.4.4 – Cross-Site Request Forgery via enableDisable and deletePost

---

Donation Platform for WooCommerce: Fundraising & Donation Management <= 1.2.9 – Cross-Site Request Forgery to Survey Submission

---

WP Hide Post <= 2.0.10 – Cross-Site Request Forgery via save_bulk_edit_data

---

WP Full Auto Tags Manager <= 2.2 – Cross-Site Request Forgery

---

WPC Smart Wishlist for WooCommerce <= 4.6.7 – Cross-Site Request Forgery via wishlist_add and wishlist_remove

---

Disable WordPress Update Notifications <= 2.3.3 – Cross-Site Request Forgery

---

Uncanny Toolkit for LearnDash <= 3.6.4.3 – Open Redirect

---

WP-Cirrus <= 0.6.11 – Cross-Site Request Forgery

---

LWS Hide Login <= 2.1.5 – Cross-Site Request Forgery

---

Constant Contact Forms <= 1.14.0 – Missing Authorization via constant_contact_optin_ajax_handler

---

bbPress Toolkit <= 1.0.12 – Cross-Site Request Forgery

---

WP Inventory Manager <= 2.1.0.13 – Cross-Site Request Forgery via delete_item

---

Ultimate Member <= 2.6.0 – Cross-Site Request Forgery to Form Duplication

---

WOLF <= 1.0.7 – Cross-Site Request Forgery via create_profile

---

Complianz | GDPR/CCPA Cookie Consent <= 6.4.5 – Cross-Site Request Forgery

---

VK Blocks <= 1.57.0.5 – Authenticated(Contributor+) Settings Update

---

B2BKing <= 4.6.00 – Missing Authorization to Authenticated(Subscriber+) Information Disclosure

---

Multiple Themes (Various Versions) – Cross-Site Request Forgery to Arbitrary Plugin Activation

---

Kebo Twitter Feed <= 1.5.12 – Cross-Site Request Forgery via kebo_twitter_menu_render

---

SpamReferrerBlock <= 2.22 – Cross-Site Request Forgery

---

TPG Redirect <= 1.0.6 – Cross-Site Request Forgery

---

WP-Cache.com <= 1.1.1 – Cross-Site Request Forgery

---

Bookly <= 21.7 – Authenticated (Admin+) Stored Cross-Site Scripting

---

Nested Pages <= 3.2.3 – Missing Authorization to Authenticated (Editor+) Plugin Settings Reset

---

Brizy Page Builder <= 2.4.18 – IP Address Spoofing to Protection Mechanism Bypass

---

CartFlows <= 1.11.11 – Insecure Direct Object Reference to Arbitrary Post Deletion

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 29, 2023 to June 4, 2023) appeared first on Wordfence.

Alongside our usual work to discover, report, and remediate vulnerabilities in the WordPress ecosystem, the WordPress Threat Intelligence team has been conducting a deep-dive into WordPress plugin code with the objective of finding methods to bypass authentication and gain elevated privileges in WordPress plugins so we can help developers patch these vulnerabilities before threat actors can exploit them.

One such plugin we examined recently is Directorist, a popular tool used by over 10,000 WordPress sites to manage directory listings and classified ads.

On April 3, 2023, our team uncovered two significant vulnerabilities – an Arbitrary User Password Reset to Privilege Escalation, and an Insecure Direct Object Reference leading to Arbitrary Post Deletion. Both vulnerabilities were found to affect Directorist versions 7.5.4 and earlier.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting these vulnerabilities on April 4, 2023. Sites still using the free version of Wordfence received the same protection on May 4, 2023.

Unfortunately, on June 1, 2023, the plugin was closed due to developer unresponsiveness, and it currently remains unavailable for download from the repository. This presents an issue as site owners are unable to request an update directly via their WordPress dashboard. Given this situation, we advise site owners to either temporarily uninstall the plugin, or manually download the patched version, 7.5.5, and upload it to their sites for optimal protection. For this reason, we have intentionally kept specific vulnerability details to a minimum in this post.

Vulnerability Summaries from Wordfence Intelligence

Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation

The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. This is due to a lack of validation checks within login.php. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset the password of an arbitrary user and gain elevated (e.g., administrator) privileges.

Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task

The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. This is due to improper validation and authorization checks within the listing_task function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.

Technical Analysis

Password Reset Vulnerability

Directorist, created by wpWax, is designed to help businesses establish directory listings and classified ads on their WordPress sites. It includes a Login and Registration form that can be enabled using the [directorist_user_login] shortcode.

The Directorist Login and Registration form

This form features a “Recover Password” function, akin to the default WordPress “lost your password?” feature. In vulnerable versions, the underlying code lacks essential validation checks to ensure that the user attempting to reset a password is indeed the account owner. This could allow attackers with subscriber-level permissions or higher to reset the passwords of other users, including administrators, thereby gaining unauthorized elevated privileges and taking over the site.

Directorist “Recover Password” logic

Arbitrary Post Deletion Vulnerability

In addition, we found an arbitrary post deletion vulnerability in the plugin. Directorist listings are essentially custom WordPress posts. In vulnerable versions, the code designed to manage listing deletions lacks the necessary authorization checks to confirm the user is permitted to delete the listing and does not verify that the post being deleted is a Directorist listing. Consequently, this could enable threat actors with subscriber-level and above permissions to delete any post on a WordPress instance, including posts by administrators.

Directorist directory listing deletion logic

Disclosure Timeline

April 3, 2023 – The Wordfence Threat Intelligence team discovers and documents two vulnerabilities in Directorist.
April 4, 2023 – The Wordfence Threat Intelligence team releases firewall rules to Wordfence Premium, Wordfence Care, and Wordfence Response users and begins the responsible disclosure process.
May 4, 2023 – Wordfence Free users receive the firewall rules.
June 1, 2023 – The plugin developers release a patch in version 7.5.5 of Directorist.

Conclusion

In this blog post, we reviewed two vulnerabilities in our ongoing vulnerability research focused on bypassing authentication and gaining elevated privileges – an Arbitrary User Password Reset to Privilege Escalation that allows threat actors to gain full control of a WordPress instance, and a less-severe Insecure Direct Object Reference to Arbitrary Post Deletion, both in Directorist versions 7.5.4 and prior.

The Wordfence Threat Intelligence team reported these vulnerabilities to the Directorist team on April 4, 2023, following responsible disclosure protocols. The Directorist team addressed these vulnerabilities and released the patch in Directorist version 7.5.5 on June 1, 2023.

We recommend all users update their Directorist plugin to the newest version available, which is 7.5.5 at the time of this writing, immediately to secure their websites.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting these vulnerabilities on April 4, 2023. Sites still using the free version of Wordfence received the same protection on May 4, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

The post Critical Security Update: Directorist WordPress Plugin Patches Two High-risk Vulnerabilities appeared first on Wordfence.

On April 6, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities in Getwid – Gutenberg Blocks, a plugin installed on over 50,000 WordPress sites. The plugin’s developers responded immediately, and we sent over the full disclosure the same day. A patched version of the plugin, 1.8.4, was released on April 13, 2023.

The most serious vulnerability had a high severity because it allows authenticated users to perform Server Side Request Forgery (SSRF), which can result in full access to the hosted instance on some cloud configurations. Additionally, it may allow further penetration into internal networks in some enterprise configurations. The other vulnerability is much lower in severity and allows authenticated users to clear and update the site’s template cache.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule protecting against the Server Side Request Forgery (SSRF) on April 6, 2023. Wordfence Free users received the same protection on May 6, 2023.

Vulnerability Summary from Wordfence Intelligence

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Server Side Request Forgery via the get_remote_content REST API endpoint in versions up to, and including, 1.8.3. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the get_remote_templates function in versions up to, and including, 1.8.3. This makes it possible for authenticated attackers with subscriber-level permissions or above to flush the remote template cache. Cached template information can also be accessed via this endpoint but these are not considered sensitive as they are publicly accessible from the developer’s site.

Technical Analysis

Getwid – Gutenberg Blocks is a plugin offering a library of pre-generated blocks which it makes available to plugin users and retrieves remotely from the developer’s server. Unfortunately, this remote retrieval functionality, which utilized the REST API, only required an authenticated user in vulnerable versions, meaning that even subscriber-level users could make use of it.

While the rest routes for both vulnerabilities used a capability check in the permissions_check function, the capability checked was read, which all users, even subscribers, are assigned.

Pictured: The REST API Endpoints and the permissions_check function

On its own this was not a significant issue, but the get_remote_content function also failed to validate the URL passed in, meaning it could be used to retrieve information from any location via the server.

Pictured: The get_remote_content function

Only GET requests can be performed and the response data will only be rendered if it is JSON-formatted. However, sites hosted on Amazon AWS EC2 instances all have an endpoint which can be accessed internally and returns JSON-formatted credentials that can be used to access the instance.

Pictured: EC2 Credentials on a test box retrieved using this exploit. Click on the image to see it at full size

Sites running on AWS EC2 instances using IMDS (Instance Metadata Service) version 1 are vulnerable to this attack, while IMDSv2 offers preventative measures that prevent successful exploitation.

The second issue was significantly less severe and made use of the minimal capability check on the ‘get_remote_templates’ function. While this would likely have minimal impact on a site, it still compromises the site’s integrity to some extent.

Disclosure Timeline

April 6, 2023 – The Wordfence Threat Intelligence team releases a firewall rule to Wordfence Premium, Wordfence Care, and Wordfence Response users and begins the responsible disclosure process. We send over the full disclosure to the developers.
April 13, 2023 – The plugin developers release a patch in version 1.8.4 of Getwid.
May 6, 2023 – Wordfence Free users receive the firewall rule.

Conclusion

In this blog post, we detailed a Server Side Request Forgery (SSRF) vulnerability in Getwid version 1.8.3 and earlier. This vulnerability allows authenticated attackers with subscriber-level permissions or higher to send arbitrary GET requests from the website, which can be used to obtain critically sensitive information in some configurations. We also described a lower-severity vulnerability allowing subscribers to clear the local template cache.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting the SSRF vulnerability on April 6, 2023. Sites still using the free version of Wordfence received the same protection on May 6, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as the SSRF vulnerability poses a significant risk. If you or someone you know is hosted on AWS we also highly recommend migrating to IMDSv2 if you have not already, as it offers protection from not only this but the vast majority of SSRF vulnerabilities.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

The post Credential-Stealing Server Side Request Forgery Patched in Getwid appeared first on Wordfence.

Last week, there were 90 vulnerabilities disclosed in 77 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 – Arbitrary File Upload in File Manager
• ReviewX <= 1.6.13 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
• WAF-RULE-600 – Data redacted while we work with the developer to ensure the vulnerability gets patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	26
Patched	64

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	1
Medium Severity	67
High Severity	16
Critical Severity	6

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	35
Cross-Site Request Forgery (CSRF)	23
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	11
Missing Authorization	6
Unrestricted Upload of File with Dangerous Type	3
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	2
Deserialization of Untrusted Data	2
Authentication Bypass Using an Alternate Path or Channel	2
Authorization Bypass Through User-Controlled Key	1
Information Exposure	1
Improper Authorization	1
Creation of Emergent Resource	1
Client-Side Enforcement of Server-Side Security	1
Guessable CAPTCHA	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Rafie Muhammad	16
Lana Codes (Wordfence Vulnerability Researcher)	11
Alex Thomas (Wordfence Vulnerability Researcher)	6
Rio Darmawan	4
Mika	4
yuyudhn	3
LEE SE HYOUNG	3
Marco Wotschka (Wordfence Vulnerability Researcher)	3
thiennv	3
Nguyen Xuan Chien	3
Chien Vuong	2
Hao Huynh	2
Skalucy	2
Erwan LR	2
Cat	2
Le Ngoc Anh	2
dc11	2
WON JOON HWANG	2
Muhammad Daffa	2
Nguyen Anh Tien	1
Bob Matyas	1
Marco Frison	1
My Le	1
Nithissh S	1
Emili Castells	1
Yuki Haruma	1
NGO VAN TU	1
Abdi Pranata	1
MyungJu Kim	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
AI ChatBot	chatbot
Abandoned Cart Lite for WooCommerce	woocommerce-abandoned-cart
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net	woo-bulk-editor
Bubble Menu – circle floating menu	bubble-menu
Button Generator – easily Button Builder	button-generation
Calculator Builder	calculator-builder
Conditional Menus	conditional-menus
Contact Form Entries – Contact Form 7, WPforms and more	contact-form-entries
Counter Box – WordPress plugin for countdown, timer, counter	counter-box
Custom Post Type Generator	custom-post-type-generator
Custom Twitter Feeds (Tweets Widget)	custom-twitter-feeds
Download Theme	download-theme
Duplicator Pro	duplicator-pro
Easy Admin Menu	easy-admin-menu
Easy Captcha	easy-captcha
Easy Google Maps	google-maps-easy
Elementor Website Builder – More than Just a Page Builder	elementor
EventPrime – Modern Events Calendar, Bookings and Tickets	eventprime-event-calendar-management
File Renaming on Upload	file-renaming-on-upload
Flickr Justified Gallery	flickr-justified-gallery
Float menu – awesome floating side menu	float-menu
Floating button	profit-button
Front End Users	front-end-only-users
Go Pricing – WordPress Responsive Pricing Tables	go_pricing
Google Map Shortcode	google-map-shortcode
Herd Effects – fake notifications and social proof plugin	mwp-herd-effect
IP Metaboxes	ip-metaboxes
Integration for Contact Form 7 and Zoho CRM, Bigin	cf7-zoho
JetFormBuilder — Dynamic Blocks Form Builder	jetformbuilder
LearnDash WordPress Plugin	sfwd-lms
Leyka	leyka
MStore API	mstore-api
MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder	mailchimp-subscribe-sm
Multiple Page Generator Plugin – MPG	multiple-pages-generator-by-porthas
Novelist	novelist
OAuth Single Sign On – SSO (OAuth Client)	miniorange-login-with-eve-online-google-facebook
Popup Box – new WordPress popup plugin	popup-box
Product Gallery Slider for WooCommerce	woo-product-gallery-slider
Product Vendors	woocommerce-product-vendors
QuBot – Chatbot Builder with Templates	qubotchat
QueryWall: Plug’n Play Firewall	querywall
Recently Viewed Products	recently-viewed-products
Responsive Tabs For WPBakery Page Builder (formerly Visual Composer)	responsive-tabs-for-wpbakery
SIS Handball	sis-handball
SKU Label Changer For WooCommerce	woo-sku-label-changer
Shopping Cart & eCommerce Store	wp-easycart
Side Menu Lite – add sticky fixed buttons	side-menu-lite
SlideOnline	slideonline
Slider Revolution	revslider
Sticky Buttons – floating buttons builder	sticky-buttons
SupportCandy – Helpdesk & Support Ticket System	supportcandy
This Day In History	this-day-in-history
Tutor LMS – eLearning and online course solution	tutor
UTM Tracker	utm-tracker
Uncanny Automator – Automate everything with the #1 no-code Automation tool for WordPress	uncanny-automator
Unite Gallery Lite	unite-gallery-lite
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)	unlimited-elements-for-elementor
Upload Resume	resume-upload-form
User Activity Log	user-activity-log
Video Contest WordPress Plugin	video-contest
WIP Custom Login	wip-custom-login
WP Coder – add custom html, css and js code	wp-coder
WP Tiles	wp-tiles
WP-Hijri	wp-hijri
WP-Matomo Integration (WP-Piwik)	wp-piwik
WS Form LITE – Drag & Drop Contact Form Builder for WordPress	ws-form
WooCommerce Product Categories Selection Widget	woocommerce-product-category-selection-widget
WooCommerce Shipping & Tax	woocommerce-services
WordPress Backup & Migration	wp-migration-duplicator
WordPress File Upload	wp-file-upload
WordPress File Upload Pro	wordpress-file-upload-pro
Wow Skype Buttons	mwp-skype
Yoast SEO: Local	wpseo-local
YouTube Playlist Player	youtube-playlist-player
seo-by-rank-math-pro	seo-by-rank-math-pro
woocommerce-follow-up-emails	woocommerce-follow-up-emails
woocommerce-warranty	woocommerce-warranty

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 – Arbitrary File Upload in File Manager

---

WooCommerce Follow-Up Emails <= 4.9.40 – Authenticated Arbitrary File Upload in Template Editing

---

Leyka <= 3.30 – Privilege Escalation via Admin Password Reset

---

Recently Viewed Products <= 1.0.0 – Unauthenticated PHP Object Injection

---

MStore API <= 3.9.1 – Authentication Bypass

---

MStore API <= 3.9.2 – Authentication Bypass

---

LearnDash LMS <= 4.5.3 – Authenticated (Contributor+) SQL Injection

---

Contact Form Entries <= 1.3.0 – Authenticated (Contributor+) SQL Injection via shortcode

---

OAuth Single Sign On – SSO (OAuth Client) <= 6.23.3 – Missing Authorization

---

SupportCandy <= 3.1.6 – Authenticated (Subscriber+) SQL Injection

---

Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Authenticated (Subscriber+) PHP Object Injection

---

Easy Captcha <= 1.0 – Missing Authorization via easy_captcha_update_settings

---

Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.2.3 – Authenticated (Admin+) SQL Injection

---

QueryWall <= 1.1.1 – Authenticated (Administrator+) SQL Injection

---

Slider Revolution <= 6.6.12 – Authenticated (Administrator+) Arbitrary File Upload

---

SupportCandy <= 3.1.6 – Authenticated (Admin+) SQL Injection

---

SIS Handball <= 1.0.45 – Authenticated (Administrator+) SQL Injection via ‘orderby’

---

Multiple Page Generator Plugin – MPG <= 3.3.19 – Authenticated (Administrator+) SQL Injection in projects_list and total_projects

---

WooCommerce Follow-Up Emails <= 4.9.50 – Authenticated (Follow-up emails manager+) SQL Injection

---

WooCommerce Product Vendors <= 2.1.76 – Authenticated (Vendor admin+) SQL Injection

---

WooCommerce Warranty Requests <= 2.1.6 – Reflected Cross-Site Scripting

---

Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Improper Authorization to Arbitrary File Upload

---

User Activity Log <= 1.6.1 – Authenticated(Administrator+) SQL Injection via txtsearch

---

WIP Custom Login <= 1.2.9 – Cross-Site Request Forgery via save_option

---

BEAR <= 1.1.3.1 – Cross-Site Request Forgery via Multiple Functions

---

WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_bulk_delete_product

---

WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_delete_product

---

Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Google Map Shortcode <= 3.1.2 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

---

Contact Form Entries <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via vx-entries shortcode

---

SlideOnline <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Yoast SEO: Local <= 14.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Responsive Tabs For WPBakery Page Builder <= 1.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

---

Duplicator Pro <= 4.5.11 – Reflected Cross-Site Scripting

---

EventPrime <= 2.8.6 – Reflected Cross-Site Scripting

---

WooCommerce Follow-Up Emails <= 4.9.40 – Reflected Cross-Site Scripting

---

This Day In History <= 3.10.1 – Reflected Cross-Site Scripting

---

Conditional Menus <= 1.2.0 – Reflected Cross-Site Scripting

---

WP-Hijri <= 1.5.1 – Reflected Cross-Site Scripting

---

Multiple Wow-Company Plugins (Various Versions) — Reflected Cross-Site Scripting via ‘page’ parameter

---

WooCommerce Product Categories Selection Widget <= 2.0 – Reflected Cross-Site Scripting

---

WooCommerce Product Vendors <= 2.1.76 – Reflected Cross-Site Scripting

---

Rank Math SEO PRO <= 3.0.35 – Reflected Cross-Site Scripting

---

Leyka <= 3.30 – Reflected Cross-Site Scripting

---

Easy Captcha <= 1.0 – Reflected Cross-Site Scripting

---

Front End Users <= 3.2.25 – Unauthenticated Cross-Site Scripting

---

IP Metaboxes <= 2.1.1 – Reflected Cross-Site Scripting

---

WooCommerce Shipping & Tax <= 2.2.4 – Stored Cross-Site Scripting

---

Easy Google Maps <= 1.11.7 – Cross-Site Request Forgery via AJAX action

---

Elementor <= 3.13.2 Authenticated(Contributor+) Arbitrary Post Type Creation via save_item

---

IP Metaboxes <= 2.1.1 – Unauthenticated Stored Cross-Site Scripting

---

Uncanny Automator <= 4.14 – Cross-Site Request Forgery via update_automator_connect

---

Tutor LMS <= 2.1.10 – Missing Authorization via multiple AJAX actions

---

Easy Google Maps <= 1.11.7 – Cross-Site Request Forgery

---

EventPrime <= 2.8.6 – Sensitive Information Exposure

---

Download Theme <= 1.0.9 – Cross-Site Request Forgery via dtwap_download()

---

SKU Label Changer For WooCommerce <= 3.0 – Missing Authorization

---

Button Generator – easily Button Builder <= 2.3.5 – Cross-Site Request Forgery

---

WS Form LITE <= 1.9.117 – CAPTCHA Bypass

---

Upload Resume <= 1.2.0 – Captcha Bypass via resume_upload_form

---

Unite Gallery Lite <= 1.7.59 – Authenticated(Administrator+) Local File Inclusion via ‘view’ parameter

---

WordPress File Upload / WordPress File Upload Pro <= 4.19.1 – Authenticated (Administrator+) Path Traversal

---

Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Missing Authorization to Limited Privilege Granting

---

AI ChatBot <= 4.5.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

WordPress File Upload / WordPress File Upload Pro <= 4.19.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Custom Post Type Generator <= 2.4.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

---

QuBotChat <= 1.1.5 – Authenticated(Administrator+) Stored Cross-Site Scripting

---

File Renaming on Upload <= 2.5.1 – Authenticated (Admin+) Stored Cross-Site Scripting

---

WP-Piwik <= 1.0.27 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Display Name

---

Novelist <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via Book Information Fields

---

Video Contest WordPress Plugin <= 3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

MailChimp Subscribe Forms <= 4.0.9.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

AI ChatBot <= 4.5.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Easy Admin Menu <= 1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_bulk_activate_product

---

WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_duplicate_product

---

WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_deactivate_product

---

YouTube Playlist Player <= 4.6.4 – Cross-Site Request Forgery in ytpp_settings

---

WooCommerce Follow-Up Emails <= 4.9.40 – Cross-Site Request Forgery

---

WP Tiles <= 1.1.2 – Cross-Site Request Forgery

---

Video Contest WordPress Plugin <= 3.2 – Cross-Site Request Forgery

---

Flickr Justified Gallery <= 3.5 – Cross-Site Request Forgery via fjgwpp_settings()

---

Abandoned Cart Lite for WooCommerce <= 5.14.1 – Cross-Site Request Forgery via delete_expired_used_coupon_code

---

Custom Twitter Feeds (Tweets Widget) <= 1.8.4 – Cross-Site Request Forgery

---

WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_bulk_deactivate_product

---

WordPress Backup & Migration <= 1.4.0 – Missing Authorization via wt_delete_schedule

---

Product Gallery Slider for WooCommerce <= 2.2.8 – Cross-Site Request Forgery

---

Abandoned Cart Lite for WooCommerce <= 5.14.1 – Cross-Site Request Forgery via ts_reset_tracking_setting

---

JetFormBuilder <= 3.0.6 – Cross-Site Request Fogery via ‘do_admin_action’

---

UTM Tracker <= 1.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023) appeared first on Wordfence.

On May 20, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a Privilege Escalation vulnerability in WPDeveloper’s ReviewX plugin, which is actively installed on more than 10,000 WordPress websites. This vulnerability makes it possible for an authenticated attacker to grant themselves administrative privileges via a user meta update.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023.

We contacted WPDeveloper on May 20, 2023, and received a response the next day. After providing full disclosure details, the developer released a patch on May 22, 2023. We would like to commend the WPDeveloper development team for their prompt response and timely patch, which was released in just one day.

We urge users to update their sites with the latest patched version of ReviewX, which is version 1.6.14 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the ‘rx_set_screen_options’ function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role via the ‘wp_screen_options[option]’ and ‘wp_screen_options[value]’ parameters during a screen option update.

Technical Analysis

ReviewX is a plugin that primarily enables customers to add ratings and reviews to WooCommerce stores, but it is also possible to use it with custom post types.

The reviews are listed on the WordPress admin page, which includes a screen option for how many reviews should be displayed per page for the admin user. Unfortunately, this feature was implemented insecurely, allowing all authenticated users to modify their capabilities, including granting themselves administrator capabilities.

Upon closer examination of the code, we see that the ‘rx_set_screen_options’ function, which updates a user’s per-page screen option, is hooked to the ‘admin_init’ action.

add_filter( 'admin_init', 'rx_set_screen_options' );

This hook is triggered on every admin page without any post type or page restrictions. This means that the ‘rx_set_screen_options’ hooked function is invoked on all admin pages, allowing users who otherwise do not have access to the plugin to also access the function, as the function itself does not contain any restrictions.

This makes it possible for any authenticated user with an account, such as a subscriber, to invoke the ‘rx_set_screen_options’ function.

function rx_set_screen_options() {
    if ( isset( $_POST['wp_screen_options'] ) && is_array( $_POST['wp_screen_options'] ) ) {
        check_admin_referer( 'screen-options-nonce', 'screenoptionnonce' );

        $user = wp_get_current_user();
		if ( ! $user ) {
			return;
        }
        
        $option = $_POST['wp_screen_options']['option'];
        $value  = $_POST['wp_screen_options']['value'];
        
        if ( sanitize_key( $option ) != $option ) {
			return;
        }

        update_user_meta( $user->ID, $option, $value );
    }
}

The function includes a nonce check, but it uses a general nonce that is available on every admin page where there is a screen option.

The most significant problem and vulnerability is caused by the fact that there are no restrictions on the option, so the user’s metadata can be updated arbitrarily, and there is no sanitization on the option value, so any value can be set, including an array value, which is necessary for the capability meta option.

This made it possible for authenticated users, such as subscribers, to supply the ‘wp_capabilities’ array parameter with any desired capabilities, such as administrator, during a screen option update.

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.

Disclosure Timeline

May 20, 2023 – Discovery of the Privilege Escalation vulnerability in ReviewX.
May 20, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
May 21, 2023 – The vendor confirms the inbox for handling the discussion.
May 21, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
May 22, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
May 23, 2023 – A fully patched version of the plugin, 1.6.14, is released.
June 21, 2023 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed a Privilege Escalation vulnerability within the ReviewX plugin affecting versions 1.6.13 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 1.6.14 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of ReviewX.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

The post WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin appeared first on Wordfence.