Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023)

Last week, there were 64 vulnerabilities disclosed in 61 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 37
Patched 27

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 2
Medium Severity 53
High Severity 6
Critical Severity 3

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 29
Missing Authorization 12
Cross-Site Request Forgery (CSRF) 11
Unrestricted Upload of File with Dangerous Type 5
Server-Side Request Forgery (SSRF) 1
URL Redirection to Untrusted Site (‘Open Redirect’) 1
Improper Input Validation 1
Authorization Bypass Through User-Controlled Key 1
Improper Control of Generation of Code (‘Code Injection’) 1
Use of Less Trusted Source 1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Rio Darmawan 11
Rafie Muhammad 5
Lana Codes (Wordfence Vulnerability Researcher) 4
thiennv 3
LEE SE HYOUNG 3
Mika 2
Zlrqh 2
Dmitrii 2
László Radnai 2
Elliot 2
Marco Wotschka (Wordfence Vulnerability Researcher) 2
Bartłomiej Marek 2
Tomasz Swiadek 2
Abdi Pranata 2
Phd 1
Emili Castells 1
Pavitra Tiwari 1
Ramuel Gall (Wordfence Vulnerability Researcher) 1
FearZzZz 1
emad 1
Prasanna V Balaji 1
deokhunKim 1
yuyudhn 1
Le Ngoc Anh 1
Dipak Panchal 1
mehmet 1
Lokesh Dachepalli 1
Jonas Höbenreich 1
Enrico Marcolini 1
Animesh Gaurav 1
Jonatas Souza Villa Flor 1
Ravi Dharmawan 1


Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
Activity Log aryo-activity-log
AffiliateWP AffiliateWP
All-in-One WP Migration Box Extension all-in-one-wp-migration-box-extension
All-in-One WP Migration Dropbox Extension all-in-one-wp-migration-dropbox-extension
All-in-One WP Migration Google Drive Extension all-in-one-wp-migration-gdrive-extension
All-in-One WP Migration OneDrive Extension all-in-one-wp-migration-onedrive-extension
Better Elementor Addons better-elementor-addons
Bridge Core bridge-core
Ditty – Responsive News Tickers, Sliders, and Lists ditty-news-ticker
DoLogin Security dologin
Easy Coming Soon easy-coming-soon
Easy Newsletter Signups easy-newsletter-signups
Email Encoder – Protect Email Addresses and Phone Numbers email-encoder-bundle
Fast & Effective Popups & Lead-Generation for WordPress – HollerBox holler-box
FileOrganizer – Manage WordPress and Website Files fileorganizer
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager folders
Font Awesome 4 Menus font-awesome-4-menus
Forminator – Contact Form, Payment Form & Custom Form Builder forminator
GiveWP – Donation Plugin and Fundraising Platform give
GuruWalk Affiliates guruwalk-affiliates
Happy Addons for Elementor Pro happy-elementor-addons-pro
Import XML and RSS Feeds import-xml-feed
Localize Remote Images localize-remote-images
Login and Logout Redirect login-and-logout-redirect
LuckyWP Scripts Control luckywp-scripts-control
Maintenance Switch maintenance-switch
MakeStories (for Google Web Stories) makestories-helper
Metform Elementor Contact Form Builder metform
Multi-column Tag Map multi-column-tag-map
Olive One Click Demo Import olive-one-click-demo-import
Order Tracking – WordPress Status Tracking Plugin order-tracking
Ovic Product Bundle ovic-product-bundle
Popup Builder – Create highly converting, mobile friendly marketing popups. popup-builder
Popup box ays-popup-box
PowerPress Podcasting plugin by Blubrry powerpress
Prevent files / folders access prevent-file-access
Pricing Deals for WooCommerce pricing-deals-for-woocommerce
RSVPMaker rsvpmaker
Remove/hide Author, Date, Category Like Entry-Meta removehide-author-date-category-like-entry-meta
Responsive Gallery Grid responsive-gallery-grid
Sermon’e – Sermons Online sermone-online-sermons-management
Simple 301 Redirects by BetterLinks simple-301-redirects
Site Reviews site-reviews
Sitekit sitekit
Slimstat Analytics wp-slimstat
Smarty for WordPress smarty-for-wordpress
Snap Pixel snap-pixel
Social Media Share Buttons & Social Sharing Icons ultimate-social-media-icons
Social Share Boost social-share-boost
Surfer – WordPress Plugin surferseo
URL Shortener by MyThemeShop mts-url-shortener
Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7
WP Bannerize Pro wp-bannerize-pro
WP GoToWebinar wp-gotowebinar
WP Search Analytics search-analytics
WP Super Minify wp-super-minify
WP Synchro – WordPress Migration Plugin for Database & Files wpsynchro
WP Users Media wp-users-media
WP-dTree wp-dtree-30
WordPress Ecommerce For Creating Fast Online Stores – By SureCart surecart
authLdap authldap

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Arya Multipurpose Pro arya-multipurpose-pro
Everest News Pro everest-news-pro

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Forminator <= 1.24.6 – Unauthenticated Arbitrary File Upload

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE-2023-4596
CVSS Score: 9.8 (Critical)
Researcher/s: mehmet
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513

Import XML and RSS Feeds <= 2.1.4 – Unauthenticated Remote Code Execution

Affected Software: Import XML and RSS Feeds
CVE ID: CVE-2023-4521
CVSS Score: 9.8 (Critical)
Researcher/s: Enrico Marcolini
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c0856920-5463-4dd3-a4fd-e56901a89b83

RSVPMaker <= 10.6.6 – Unauthenticated SQL Injection

Affected Software: RSVPMaker
CVE ID: CVE-2023-41652
CVSS Score: 9.8 (Critical)
Researcher/s: Ravi Dharmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f655704d-70a1-40d8-ae36-39029185d262

Folders <= 2.9.2 – Authenticated (Author+) Arbitrary File Upload in handle_folders_file_upload


Give – Donation Plugin <= 2.33.0 – Authenticated (Give Manager+) Privilege Escalation

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE-2023-41665
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22ff4b09-063b-425e-9d59-be2e5d283186

Olive One Click Demo Import <= 1.0.9 – Authenticated (Administrator+) Arbitrary File Upload in olive_one_click_demo_import_save_file

Affected Software: Olive One Click Demo Import
CVE ID: CVE-2023-29102
CVSS Score: 7.2 (High)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f3e3311-11d8-4e4f-9d99-36533fe44d56

DoLogin Security <= 3.6 – Unauthenticated Stored Cross-Site Scripting

Affected Software: DoLogin Security
CVE ID: CVE-2023-4549
CVSS Score: 7.2 (High)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad34d657-da59-46ff-a54a-64e6c8974b69

Prevent files / folders access <= 2.5.1 – Authenticated (Administrator+) Arbitrary File Upload in mo_media_restrict_page

Affected Software: Prevent files / folders access
CVE ID: CVE-2023-4238
CVSS Score: 7.2 (High)
Researcher/s: Dmitrii
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b266bd10-dbc6-4058-a5b2-1578c0814cb4

Import XML and RSS Feeds <= 2.1.3 – Authenticated (Admin+) Arbitrary File Upload

Affected Software: Import XML and RSS Feeds
CVE ID: CVE-2023-4300
CVSS Score: 7.2 (High)
Researcher/s: Jonatas Souza Villa Flor
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f45b4c43-c6c4-41da-bd59-9a355800815a

Easy Newsletter Signups <= 1.0.4 – Missing Authorization

Affected Software: Easy Newsletter Signups
CVE ID: CVE-2023-41664
CVSS Score: 6.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/288946ae-6e58-42e6-89d1-8951539728d3

Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Slimstat Analytics
CVE ID: CVE-2023-4597
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52aee4b8-f494-4eeb-8357-71ce8d5bc656

Sitekit <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sitekit_iframe’ shortcode

Affected Software: Sitekit
CVE ID: CVE-2023-27628
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f0be29a-7896-4166-a2a6-64f99d845236

Font Awesome 4 Menus <= 4.7.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Font Awesome 4 Menus
CVE ID: CVE-2023-4718
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc59510c-6eaf-4526-8acb-c07e39923ad9

Email Encoder <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Email Encoder – Protect Email Addresses and Phone Numbers
CVE ID: CVE-2023-4599
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e90f04e4-eb4c-4822-89c6-79f553987c37

Login and Logout Redirect <= 2.0.2 – Open Redirect

Affected Software: Login and Logout Redirect
CVE ID: CVE-2023-41648
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09a0639e-4b14-4dc9-a50c-d18234faa7b1

Arya Multipurpose Pro <= 1.0.8 – Reflected Cross-Site Scripting

Affected Software: Arya Multipurpose Pro
CVE ID: CVE-2023-41237
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22cfbaa1-5412-4944-899c-7ae41d017384

Social Media & Share Icons <= 2.8.3 – Reflected Cross-Site Scripting

Affected Software: Social Media Share Buttons & Social Sharing Icons
CVE ID: CVE-2023-41238
CVSS Score: 6.1 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a8998db-ffc2-40b2-a191-09380984adac

URL Shortener by MyThemeShop <= 1.0.17 – Reflected Cross-Site Scripting via ‘page’

Affected Software: URL Shortener by MyThemeShop
CVE ID: CVE-2023-30472
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52c2837e-8947-4ce9-bda5-e0c2f831fb36

Sermon’e – Sermons Online <= 1.0.0 – Reflected Cross-Site Scripting

Affected Software: Sermon’e – Sermons Online
CVE ID: CVE-2023-41653
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c17678e-6598-4e80-b121-beae822b9f81

WP-dTree <= 4.4.5 – Reflected Cross-Site Scripting

Affected Software: WP-dTree
CVE ID: CVE-2023-41662
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c01da54-fbbe-42f9-a76e-8e823027d62a

Everest News Pro <= 1.1.7 – Reflected Cross-Site Scripting

Affected Software: Everest News Pro
CVE ID: CVE-2023-41235
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb967453-59d6-4b03-8c75-1906b99bff80

Bridge Core <= 3.0.9 – Reflected Cross-Site Scripting

Affected Software: Bridge Core
CVE ID: CVE-2023-40333
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc698c40-4a2b-4dab-93f0-647e4db79d2c

Ditty <= 3.1.24 – Reflected Cross-Site Scripting

Affected Software: Ditty – Responsive News Tickers, Sliders, and Lists
CVE ID: CVE-2023-4148
CVSS Score: 6.1 (Medium)
Researcher/s: Animesh Gaurav
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cabf7aae-0673-4358-a2df-0ca22c8432b5

Happy Elementor Addons Pro <= 2.8.0 – Reflected Cross-Site Scripting

Affected Software: Happy Addons for Elementor Pro
CVE ID: CVE-2023-41236
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d536d3a8-9ac5-4ea9-8c65-16ad8b3a7106

Ultimate Addons for Contact Form 7 <= 3.1.32 – Reflected Cross-Site Scripting via ‘page’

Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2023-30493
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d857324c-94c9-471a-9da8-0b8c9bb50262

Order Tracking Pro <= 3.3.6 – Reflected Cross-Site Scripting

Affected Software: Order Tracking – WordPress Status Tracking Plugin
CVE ID: CVE-2023-4471
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed64d0ff-4f49-4c18-86ec-2c6fbd559d2e

WP Bannerize Pro <= 1.6.9 – Reflected Cross-Site Scripting

Affected Software: WP Bannerize Pro
CVE ID: CVE-2023-41663
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/edc35f8c-f916-433e-9d3f-4992e8c9d7cd

WP Search Analytics <= 1.4.7 – Reflected Cross-Site Scripting via ‘render_stats_page’

Affected Software: WP Search Analytics
CVE ID: CVE-2023-30471
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6433a17-0017-46a9-a8e6-4d4a4a55f2db

PowerPress <= 11.0.6 – Authenticated (Contributor+) Server-Side Request Forgery via wp_ajax_powerpress_media_info

Affected Software: PowerPress Podcasting plugin by Blubrry
CVE ID: CVE-2023-41239
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/031c31b2-6e27-47bb-9f63-2bbaa1edbbb2

Site Reviews <= 6.10.2 – Missing Authorization

Affected Software: Site Reviews
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1accc41e-41d2-49e3-a80a-6b95b02cb42e

Responsive Gallery Grid <= 2.3.10 – Cross-Site Request Forgery

Affected Software: Responsive Gallery Grid
CVE ID: CVE-2023-41659
CVSS Score: 5.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3abe2de8-9127-4ef0-9194-cf331b20868a

LuckyWP Scripts Control <= 1.2.1 – Missing Authorization via multiple AJAX actions

Affected Software: LuckyWP Scripts Control
CVE ID: CVE-2023-29239
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ed93c5c-38bb-4e84-8fe8-03dd75b4d9f3

Maintenance Switch <= 1.5.2 – Cross-Site Request Forgery via ‘admin_action_request’

Affected Software: Maintenance Switch
CVE ID: CVE-2023-29235
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f14f19d-95b3-474b-a2ea-d846c85644cd

Simple 301 Redirects <= 2.0.7 – Cross-Site Request Forgery via ‘clicked’

Affected Software: Simple 301 Redirects by BetterLinks
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9945c85b-a97a-4ad0-9d0a-69faf157563a

Surfer <= 1.1.2.298 – Missing Authorization

Affected Software: Surfer – WordPress Plugin
CVE ID: CVE-2023-35037
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c06f9f6d-3cd0-4700-834b-435a99983453

Pricing Deals for WooCommerce <= 2.0.3.2 – Missing Authorization via vtprd_ajax_clone_rule

Affected Software: Pricing Deals for WooCommerce
CVE ID: CVE-2023-41240
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1101bfe6-2075-4f44-933b-6d9f372100a2

Ovic Product Bundle <= 1.1.2 – Missing Authorization

Affected Software: Ovic Product Bundle
CVE ID: CVE-2023-41649
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5657ffe2-7d04-4834-bcec-ab6afaeda7df

Multiple ServMask Plugins <= (Various Versions) – Missing Authorization to Access Token Update


Localize Remote Images <= 1.0.9 – Cross-Site Request Forgery via admin menu

Affected Software: Localize Remote Images
CVE ID: CVE-2023-41244
CVSS Score: 5.3 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab96123e-17aa-461f-b460-e8eba82c78e1

Multi-column Tag Map <= 17.0.26 – Missing Authorization

Affected Software: Multi-column Tag Map
CVE ID: CVE-2023-41651
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2a60cb2-fe7d-4c51-9995-5cb4682d9d26

Activity Log <= 2.8.7 – IP Address Spoofing

Affected Software: Activity Log
CVE ID: CVE-2023-4281
CVSS Score: 5.3 (Medium)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de821236-f878-46a4-9265-bcf6e8661910

Order Tracking Pro <= 3.3.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Order Tracking – WordPress Status Tracking Plugin
CVE ID: CVE-2023-4500
CVSS Score: 4.7 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/81f9a4c6-971f-4f6d-8bb1-e97bf75cf8d3

GuruWalk Affiliates <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: GuruWalk Affiliates
CVE ID: CVE-2023-27622
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b2714f7-9877-4d3d-a692-70fbf8584728

SureCart <= 2.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: WordPress Ecommerce For Creating Fast Online Stores – By SureCart
CVE ID: CVE-2023-41241
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/416c13ff-15ae-4ba4-8a95-7c07bec75c22

Smarty for WordPress <= 3.1.35 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Smarty for WordPress
CVE ID: CVE-2023-41661
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/498a10a1-8da6-4309-833f-950f6442d5ae

WP GoToWebinar <= 14.45 – Authenticated (Administrator+) Cross-Site Scripting

Affected Software: WP GoToWebinar
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a7b32f5-5d27-4f5a-89f3-abf4f8da79e4

HollerBox <= 2.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
CVE ID: CVE-2023-41657
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c76871e-b774-4284-ad00-f8ef7f6df389

Popup Builder <= 4.1.15 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Popup Builder – Create highly converting, mobile friendly marketing popups.
CVE ID: CVE-2023-3226
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f97af51-1532-4034-8b2a-8356b65cb617

Snap Pixel <= 1.5.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Snap Pixel
CVE ID: CVE-2023-41242
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c37686f8-6bd7-4c06-b80a-7d6849bbc7b0

Easy Coming Soon <= 2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Easy Coming Soon
CVE ID: CVE-2023-25483
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46139c8-dd7e-4904-81b2-283952cea9b5

Popup Box <= 3.7.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Popup box
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6dbbb52-4202-4d69-837f-c7d5ca06fab5

WP Users Media <= 4.2.3 – Cross-Site Request Forgery in wpusme_save_settings

Affected Software: WP Users Media
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Zlrqh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07a82335-d738-4c14-b385-04843f12e4ef

Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via ‘mf_first_name’ shortcode

Affected Software: Metform Elementor Contact Form Builder
CVE ID: CVE-2023-0689
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/356cf06e-16e7-438b-83b5-c8a52a21f903

Social Share Boost <= 4.5 – Cross-Site Request Forgery via ‘syntatical_settings_content’

Affected Software: Social Share Boost
CVE ID: CVE-2023-25033
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53a265b8-e34c-4683-a653-4b4b2410e9de

Better Elementor Addons <= 1.3.5 – Missing Authorization

Affected Software: Better Elementor Addons
CVE ID: CVE-2023-41656
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a628eef-937c-4391-afac-22128ec5b51c

WP Users Media <= 4.2.3 – Missing Authorization via wpusme_save_settings

Affected Software: WP Users Media
CVE ID: CVE-2023-27428
CVSS Score: 4.3 (Medium)
Researcher/s: Zlrqh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e125188-4aff-4c64-b4ec-a363db2431b7

WP Super Minify <= 1.5.1 – Cross-Site Request Forgery via ‘wpsmy_admin_options’

Affected Software: WP Super Minify
CVE ID: CVE-2023-27615
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af59fcf6-4435-45f0-8904-ff520ea86157

Remove/hide Author, Date, Category Like Entry-Meta <= 2.1 – Cross-Site Request Forgery

Affected Software: Remove/hide Author, Date, Category Like Entry-Meta
CVE ID: CVE-2023-41650
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd0abdf2-24da-4e87-825b-0796af6c3ccd

MakeStories (for Google Web Stories) <= 2.8.0 – Cross-Site Request Forgery via ‘ms_set_options’

Affected Software: MakeStories (for Google Web Stories)
CVE ID: CVE-2023-27448
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9f7130d-883a-4db4-9edf-f5526724de11

AffiliateWP <= 2.14.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation

Affected Software: AffiliateWP
CVE ID: CVE-2023-4600
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eab422b8-8cf5-441e-a21f-6a0e1b7642b2

authLdap <= 2.5.8 – Cross-Site Request Forgery

Affected Software: authLdap
CVE ID: CVE-2023-41654
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eddce6e0-2ea7-4980-97a7-857b2e1e3b69

WP Migration Plugin DB & Files – WP Synchro <= 1.9.1 – Cross-Site Request Forgery

Affected Software: WP Synchro – WordPress Migration Plugin for Database & Files
CVE ID: CVE-2023-41660
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1b6f041-5ea6-48ca-9ca7-4ce96cbfa275

authLdap <= 2.5.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: authLdap
CVE ID: CVE-2023-41655
CVSS Score: 3.3 (Low)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b91ad8b-79ec-4ef7-bb39-edb06309da5e

FileOrganizer <= 1.0.2 – Authenticated (Admin+) Arbitrary File Access

Affected Software: FileOrganizer – Manage WordPress and Website Files
CVE ID: CVE-2023-3664
CVSS Score: 2.7 (Low)
Researcher/s: Dmitrii
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11c9124d-80e0-435d-9eb4-901c4f481a6f

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023) appeared first on Wordfence.

Stored Cross-Site Scripting Vulnerability Patched in Newsletter WordPress Plugin

On August 16, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin, which is actively installed on more than 300,000 WordPress websites. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

We contacted The Newsletter Team on August 16, 2023, and received a response the next day. After we provided full disclosure details, the developer released a patch on August 17, 2023. We would like to commend The Newsletter Team for their prompt response and timely patch, which was released on the same day.

We urge users to update their sites with the latest patched version of Newsletter, version 7.9.0 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Newsletter <= 7.8.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Plugin: Newsletter – Send awesome emails from WordPress
Plugin Slug: newsletter
Affected Versions: <= 7.8.9
CVE ID: CVE-2023-4772
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Lana Codes
Fully Patched Version: 7.9.0

The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘newsletter_form’ shortcode in versions up to, and including, 7.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Technical Analysis

The Newsletter plugin is a newsletter and email marketing system, with a drag and drop newsletter builder and many other features. It provides a shortcode ([newsletter_form]) that displays the newsletter subscription form when added to a WordPress page.

Unfortunately, an insecure implementation of the plugin’s shortcode functionality allows arbitrary web scripts to be injected into these pages. Examining the code reveals that the shortcode supports two form types; the minimal type is handled by the get_subscription_form_minimal method in the NewsletterSubscription class. In vulnerable versions, this method does not adequately sanitize the user-supplied ‘class’ attribute, and also does not escape the ‘class’ value when it outputs the form. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘class’ attribute.

function shortcode_newsletter_form($attrs, $content) {

        if (isset($attrs['type']) && $attrs['type'] === 'minimal') {
            return $this->get_subscription_form_minimal($attrs);
        }

The shortcode_newsletter_form method snippet in the NewsletterSubscription class

function get_subscription_form_minimal($attrs) {
        if (!is_array($attrs)) {
            $attrs = [];
        }

        // Defaults are merged beneath the shortcode attributes, so a contributor
        // who places the shortcode fully controls the value of 'class'
        $attrs = array_merge(array('class' => '', 'referrer' => 'minimal',
            'button' => $this->get_text('subscribe', 'form'), 'button_color' => '',
            'button_radius' => '', 'placeholder' => $this->get_text('email', 'form')), $attrs);

        $form = '';

        // The vulnerable sink: 'class' is concatenated into the attribute with neither
        // sanitization nor esc_attr(), unlike the other attributes escaped below
        $form .= '<div class="tnp tnp-subscription-minimal ' . $attrs['class'] . '">';
        $form .= '<form action="' . esc_attr($this->build_action_url('s')) . '" method="post"';
        if (!empty($attrs['id'])) {
            $form .= ' id="' . esc_attr($attrs['id']) . '"';
        }
        $form .= '>';

        $form .= $this->get_form_hidden_fields($attrs);

        $form .= '<input class="tnp-email" type="email" required name="ne" value="" placeholder="' . esc_attr($attrs['placeholder']) . '">';

        if (isset($attrs['button_label'])) {
            $label = $attrs['button_label'];
        } else if (isset($attrs['button'])) { // Backward compatibility
            $label = $attrs['button'];
        } else {
            $label = $this->get_text('subscribe', 'form');
        }

        // Note: $label is computed above, but the code as shipped still emits $attrs['button'] here
        $form .= '<input class="tnp-submit" type="submit" value="' . esc_attr($attrs['button']) . '"'
                . ' style="background-color:' . esc_attr($attrs['button_color']) . '">';

        $form .= $this->get_privacy_field('<div class="tnp-field tnp-privacy-field">', '</div>');

        $form .= "</form></div>\n";

        return $form;
    }

The get_subscription_form_minimal method in the NewsletterSubscription class

This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or that a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.

Shortcode Exploit Possibilities

Some previous versions of WordPress contained a vulnerability that allowed shortcodes supplied by unauthenticated commenters to be rendered in certain rare configurations, though the vast majority of sites have been automatically upgraded to a patched release of WordPress as of this writing.

Disclosure Timeline

August 16, 2023 – Wordfence Threat Intelligence team discovers the stored XSS vulnerability in Newsletter.
August 16, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
August 17, 2023 – The vendor confirms the inbox for handling the discussion.
August 17, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
August 17, 2023 – The fully patched version, 7.9.0, is released.

Conclusion

In this blog post, we have detailed a stored XSS vulnerability within the Newsletter plugin affecting versions 7.8.9 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. The vulnerability has been fully addressed in version 7.9.0 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Newsletter.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

The post Stored Cross-Site Scripting Vulnerability Patched in Newsletter WordPress Plugin appeared first on Wordfence.

Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023)

Last week, there were 43 vulnerabilities disclosed in 38 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 23 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 17
Patched 26

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 0
Medium Severity 35
High Severity 6
Critical Severity 2

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 16
Missing Authorization 13
Cross-Site Request Forgery (CSRF) 8
Unrestricted Upload of File with Dangerous Type 2
Reliance on Untrusted Inputs in a Security Decision 1
Authentication Bypass Using an Alternate Path or Channel 1
Use of Less Trusted Source 1
Improper Privilege Management 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Rafshanzani Suhada 6
Abdi Pranata 3
Rio Darmawan 3
Rafie Muhammad 3
Mahesh Nagabhairava 2
Nguyen Xuan Chien 2
yuyuddn 1
Bob Matyas 1
Carlos David Garrido León 1
Skalucy 1
Nithissh S 1
Animesh Gaurav 1
Muhammad Daffa 1
konagash 1
Dipak Panchal 1
Bartłomiej Marek 1
Tomasz Swiadek 1
An Dang 1
Erwan LR 1
Mika 1
Lana Codes (Wordfence Vulnerability Researcher) 1
Dmitrii Ignatyev 1
Revan Arifio 1


Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
Category Slider for WooCommerce woo-category-slider-grid
Collapse-O-Matic jquery-collapse-o-matic
Cookies by JM cookies-by-jm
DX-auto-save-images dx-auto-save-images
DoLogin Security dologin
ElementsKit Elementor addons elementskit-lite
FTP Access ftp-access
FV Flowplayer Video Player fv-wordpress-flowplayer
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager folders
Herd Effects – fake notifications and social proof plugin mwp-herd-effect
Hide My WP Ghost – Security Plugin hide-my-wp
Jupiter X Core jupiterx-core
Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages page-builder-add
Leyka leyka
Lock User Account lock-user-account
Master Addons for Elementor master-addons
MasterStudy LMS WordPress Plugin – for Online Courses and Education masterstudy-lms-learning-management-system
Min Max Control – Min Max Quantity & Step Control for WooCommerce woo-min-max-quantity-step-control-single
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor post-and-page-builder
Posts Like Dislike posts-like-dislike
Premmerce User Roles premmerce-user-roles
Push Notification for Post and BuddyPress push-notification-for-post-and-buddypress
ReviewX – Multi-criteria Rating & Reviews for WooCommerce reviewx
Royal Elementor Addons and Templates royal-elementor-addons
Save as Image plugin by Pdfcrowd save-as-image-by-pdfcrowd
Save as PDF plugin by Pdfcrowd save-as-pdf-by-pdfcrowd
Secure Admin IP secure-admin-ip
Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management simple-urls
Slimstat Analytics wp-slimstat
Sticky Social Media Icons sticky-social-media-icons
Translate WordPress with GTranslate gtranslate
URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress url-shortify
Vertical marquee plugin vertical-marquee-plugin
Void Elementor Post Grid Addon for Elementor Page builder void-elementor-post-grid-addon-for-elementor-page-builder
WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders adminify
WP VK-付费内容插件(付费阅读/资料/工具软件资源管理) wp-vk
gAppointments – Appointment booking addon for Gravity Forms gAppointments
iThemes Sync ithemes-sync

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

JupiterX Core <= 3.3.5 – Unauthenticated Arbitrary File Upload

Affected Software: Jupiter X Core
CVE ID: CVE-2023-38388
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/980a9237-7dea-4058-a850-b849457b4fef

JupiterX Core <= 3.3.8 – Unauthenticated Privilege Escalation

Affected Software: Jupiter X Core
CVE ID: CVE-2023-38389
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b894473b-b2ed-475b-892e-603db609f88a

Folders <= 2.9.2 – Authenticated (Author+) Arbitrary File Upload

Affected Software: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35afef52-350c-4b61-b9c0-3ae2572f81fb

Premmerce User Roles <= 1.0.12 – Missing Authorization via role management functions

Affected Software: Premmerce User Roles
CVE ID: CVE-2023-41130
CVSS Score: 8.3 (High)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f53cd4a3-a6db-42c2-b4d8-218071c4bcd4

Master Addons for Elementor <= 2.0.3 – Missing Authorization

Affected Software: Master Addons for Elementor
CVE ID: CVE-2023-40679
CVSS Score: 7.3 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6150c355-1046-483e-aa8b-463c3752021d

MasterStudy LMS <= 3.0.17 – Privilege Escalation

Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education
CVE ID: CVE-2023-4278
CVSS Score: 7.3 (High)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df00c8bc-8acd-4197-86fe-b88cb47d52c3

Simple URLs <= 117 – Unauthenticated Cross-Site Scripting

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE-2023-40667
CVSS Score: 7.2 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54c38be0-ffe7-4fa4-b5c9-cb717c11aed5

URL Shortify <= 1.7.5 – Unauthenticated Stored Cross-Site Scripting via Referrer Header


Collapse-O-Matic <= 1.8.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Collapse-O-Matic
CVE ID: CVE-2023-40669
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa85abba-e13f-42cd-8f13-432ed375fb37

Simple URLs <= 117 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE-2023-40674
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8147f63-91a5-457c-8259-8e4ddf5c67e4

FTP Access <= 1.0 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: FTP Access
CVE ID: CVE-2023-3510
CVSS Score: 6.1 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a1e0d55-2894-450b-afaf-134a13512403

gAppointments – Appointment booking addon for Gravity Forms <= 1.9.7 – Reflected Cross-Site Scripting

Affected Software: gAppointments – Appointment booking addon for Gravity Forms
CVE ID: CVE-2023-2705
CVSS Score: 6.1 (Medium)
Researcher/s: Carlos David Garrido León
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19983f79-b439-4bb0-8f29-8312f1ff9791

Min Max Control <= 4.5 – Reflected Cross-Site Scripting

Affected Software: Min Max Control – Min Max Quantity & Step Control for WooCommerce
CVE ID: CVE-2023-4270
CVSS Score: 6.1 (Medium)
Researcher/s: Animesh Gaurav
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4240fcda-c61d-4888-8837-5012e5ba1f26

Elements kit Elementor addons <= 2.9.1 – Missing Authorization

Affected Software: ElementsKit Elementor addons
CVE ID: CVE-2023-39993
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ff589ec-756d-4183-8bb8-61dae9be7c5d

FV Flowplayer Video Player <= 7.5.37.7212 – Insufficient Input Validation to Unauthenticated Stored Cross-Site Scripting and Arbitrary Usermeta Update

Affected Software: FV Flowplayer Video Player
CVE ID: CVE-2023-4520
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c55ca7d4-6bc0-49c9-8ce0-50fff8775a76

Void Elementor Post Grid Addon for Elementor Page builder <= 2.1.10 – Missing Authorization to Review Notice Dismissal

Affected Software: Void Elementor Post Grid Addon for Elementor Page builder
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b847857-5dc9-4793-b9d6-759f27377fe3

Push Notification for Post and BuddyPress <= 1.63 – Missing Authorization to Unauthenticated Admin Notice Dismissal

Affected Software: Push Notification for Post and BuddyPress
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/228a3c72-fbb0-48bc-8066-6ca954a14421

Hide My WP Ghost <= 5.0.25 – CAPTCHA Bypass in brute_math_authenticate

Affected Software: Hide My WP Ghost – Security Plugin
CVE ID: CVE-2023-34001
CVSS Score: 5.3 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5618db77-fe74-4982-92b3-cec554640bde

Posts Like Dislike <= 1.1.1 – Missing Authorization to Authenticated (Subscriber+) Plugin Setting Reset

Affected Software: Posts Like Dislike
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8babc42a-c45c-423f-bd09-da7afb947691

Secure Admin IP <= 2.0 – Missing Authorization via ‘saveSettings’

Affected Software: Secure Admin IP
CVE ID: CVE-2023-41133
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0f38af7-7753-4dbe-a4fd-e9a01785dd13

DoLogin Security <= 3.6 – IP Address Spoofing

Affected Software: DoLogin Security
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/def06edd-ea4f-4b49-9902-b179d40e4133

Vertical Marquee Plugin <= 7.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Vertical marquee plugin
CVE ID: CVE-2023-40677
CVSS Score: 4.4 (Medium)
Researcher/s: yuyuddn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06c86c87-840c-4ca6-9582-98254194eb1b

Cookies by JM <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cookies by JM
CVE ID: CVE-2023-40604
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3aa2a693-831b-44e7-b158-99fecf6506be

Slimstat Analytics <= 5.0.8 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Slimstat Analytics
CVE ID: CVE-2023-40676
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c14a863-2aed-4f65-a0e3-eb73e485ce85

Save as PDF plugin by Pdfcrowd <= 2.16.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: Save as PDF plugin by Pdfcrowd
CVE ID: CVE-2023-40668
CVSS Score: 4.4 (Medium)
Researcher/s: Mahesh Nagabhairava
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52056177-8604-48b9-ab50-d0dc1e13a3d5

GTranslate <= 3.0.3 – Authenticated (Administrator+) Cross-Site Scripting via Multiple Parameters

Affected Software: Translate WordPress with GTranslate
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e24be91-6a58-42c3-84dd-4090da55b720

WP Adminify <= 3.1.5 – Authenticated (Admin+) Stored Cross-Site Scripting


Save as Image plugin by Pdfcrowd <= 2.16.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Save as Image plugin by Pdfcrowd
CVE ID: CVE-2023-40665
CVSS Score: 4.4 (Medium)
Researcher/s: Mahesh Nagabhairava
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74b284b7-ec0a-42c1-82e5-0c8cb422c0c5

Leyka <= 3.30.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Leyka
CVE ID: CVE-2023-2995
CVSS Score: 4.4 (Medium)
Researcher/s: An Dang
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95210ed8-4606-44fa-b823-b33e1d4a4ce0

Landing Page Builder <= 1.5.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting


WP VK-付费内容插件 <= 1.3.3 – Cross-Site Request Forgery via AJions

Affected Software: WP VK-付费内容插件(付费阅读/资料/工具软件资源管理)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c6bc786-341a-4ab6-b86e-d21bb3dbf298

iThemes Sync <= 2.1.13 – Cross-Site Request Forgery and Missing Authorization via ‘hide_authenticate_notice’

Affected Software: iThemes Sync
CVE ID: CVE-2023-40001
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f9229f2-e7dd-43c9-9c15-9b76c13e895b

Simple URLs <= 117 – Missing Authorization via AJAX actions

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE-2023-40678
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/118e1a8c-a638-4571-9ce9-cf2cba4b9b06

DX-auto-save-images <= 1.4.0 – Cross-Site Request Forgery

Affected Software: DX-auto-save-images
CVE ID: CVE-2023-40671
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f2fb51b-984c-4b82-98d4-9a681a1855a7

Royal Elementor Addons <= 1.3.75 – Cross-Site Request Forgery

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2022-47175
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4809d513-69e8-4572-9549-9dba9f40cb80

Sticky Social Media Icons <= 2.0 – Missing Authorization via ajax_request_handle

Affected Software: Sticky Social Media Icons
CVE ID: CVE-2023-40672
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/58cfb328-40d0-4bea-a707-d5d6c1ce364a

ReviewX <= 1.6.17 – Missing Authorization in rx_coupon_from_submit

Affected Software: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
CVE ID: CVE-2023-40670
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a9f4fb7-92f5-4136-9ca3-cf7bf5c0b717

Herd Effects <= 5.2.3 – Cross-Site Request Forgery to Effect Deletion

Affected Software: Herd Effects – fake notifications and social proof plugin
CVE ID: CVE-2023-4318
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fd15c0b-cd3b-45e7-8379-b0e64e64d6b1

Category Slider for WooCommerce <= 1.4.15 – Missing Authorization via notice dismissal functionality

Affected Software: Category Slider for WooCommerce
CVE ID: CVE-2023-41132
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab1bd64b-8575-4ab4-bca5-8d5ce6f476d1

Simple URLs <= 117 – Cross-Site Request Forgery via AJAX actions

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf101b60-f12e-4326-8e39-96d6415a218d

Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.24.1 – Cross-Site Request Forgery via submitDefaultEditor

Affected Software: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor
CVE ID: CVE-2023-25480
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf801042-5cd5-424f-a25a-858302285170

Slimstat Analytics <= 5.0.5.1 – Missing Authorization via delete_pageview

Affected Software: Slimstat Analytics
CVE ID: CVE-2023-33994
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbb8501e-7e8b-4ed6-8792-c685a69de982

Lock User Account <= 1.0.3 – Cross-Site Request Forgery to Account Lock/Unlock

Affected Software: Lock User Account
CVE ID: CVE-2023-4307
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d06f265c-c1c1-4316-9526-3392f6ee31da

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023) appeared first on Wordfence.

Introducing Free Wordfence Intelligence WordPress Vulnerability Webhook Notifications!

We’re incredibly excited to announce that we have launched a webhook integration for vulnerabilities as part of Wordfence Intelligence, which enables users to stay on top of the latest vulnerabilities being added to the Wordfence Intelligence WordPress Vulnerability database, all completely for free! This webhook feature makes it possible for users to receive real-time updates sent to a URL of their choice whenever new vulnerabilities are added to the Wordfence Intelligence WordPress Vulnerability Database, along with updates when vulnerability records are updated or deleted. In addition, our system can send new vulnerability notifications directly to a Slack or Discord channel based on pre-configured webhooks.

Wait, did you say free? Yes! This is a completely free to use feature. When we launched the public interface for Wordfence Intelligence and made API access to the vulnerability database free last December, our mission was to make our commercial high-quality WordPress vulnerability information easy to access for all users of the community and that mission hasn’t changed. Whether you’re an individual site owner making sure no vulnerabilities are present on your site, a security researcher looking to stay on top of the latest vulnerabilities, or an enterprise or developer looking to integrate quality vulnerability information into their platform or software, the Wordfence Intelligence Vulnerability Database is there to serve those needs for free.

Every vulnerability record added to the database is manually curated and validated by our team of highly credentialed and industry leading vulnerability researchers. We monitor as many vulnerability sources as possible including other WordPress vulnerability databases, changeset references, plugin closures, the CVE list, and more to ensure we remain on top of all the latest vulnerabilities affecting the WordPress ecosystem, as well as conducting our own in-house research to positively contribute to the security of the WordPress ecosystem. Our free database is one of the most complete WordPress vulnerability databases on the market with CVSS scores, detailed descriptions, succinct titles, references to affected code/changesets, and more, providing our users with the most accurate and high-quality information available to secure their sites or clients.

Getting Started With Webhooks Today

In order to get started with setting up a webhook integration, you need to have an account on http://www.wordfence.com which can be created at https://www.wordfence.com/sign-in/?action=register

Once registered and logged in, you can access http://www.wordfence.com/account/integrations where you should see the following page to manage the Webhooks Integration:

Once ready to configure a webhook, you can click the ‘Add Webhook’ button in the top right corner where you should see the following prompt:

Here you have the option to configure what notifications you’d like to receive. ‘Create’ will send the entire JSON formatted record of any new vulnerability entries in our database to the configured URL, while ‘Replace’ will send the entire JSON formatted record of any modified vulnerabilities, and ‘Delete’ will send the UUID for any vulnerability records that have been deleted.

If you opt to format the data for Discord/Slack, you may only receive ‘Create’ events, which occur when new vulnerabilities are added to the database.

You also have the ability to generate and define a secret that can be used to sign any sent payloads with an HMAC signature, which can be used to verify the authenticity and integrity of the data being sent to your application.

Once a webhook has been configured, you’ll be able to view the last status code to verify things are running as expected, and have the option to edit, test, and view the logs for each configured webhook. You may also delete any webhook integration, or edit and disable any integrations. There is currently no limit to how many webhooks you can have configured.

If you are utilizing the webhook updates to maintain a local database of vulnerabilities, we recommend you do a one-time dump of vulnerabilities using the Wordfence Intelligence vulnerability API and then monitor the creations, updates, and deletions using a webhook integration.
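The two points above, verifying the HMAC signature on each delivery and keeping a local copy of the database in step with create, replace and delete events, as one added receiver sketch. This is illustration code, not Wordfence's own code and not its documented schema: the signature algorithm (HMAC-SHA256 over the raw body, hex-encoded), the header name (X-Signature) and the payload layout ({"event": ..., "data": ...}) are assumptions made so the example runs stand-alone; the real values come from the Wordfence webhook documentation. The one design point worth carrying over regardless of schema is that the signature is checked over the exact bytes received, before the JSON is parsed, with a constant-time comparison.

```python
"""Webhook receiver sketch: HMAC verification plus a local mirror of the
vulnerability database driven by create / replace / delete events.

Added illustration, not Wordfence's code. ASSUMED (the page does not state
them): HMAC-SHA256 over the raw body, hex-encoded, in an X-Signature header,
and a body of the form {"event": "create|replace|delete", "data": ...}.
"""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-signature"   # assumed header name, matched case-insensitively


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes on the wire (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented: str) -> bool:
    """Constant-time check over the raw body, never over a re-serialised copy."""
    if not presented:
        return False
    return hmac.compare_digest(sign_payload(secret, body), presented.strip().lower())


def make_delivery(secret: bytes, event: str, data):
    """Build (headers, body) the way a sender using the assumed scheme would."""
    body = json.dumps({"event": event, "data": data}).encode("utf-8")
    return {"X-Signature": sign_payload(secret, body)}, body


class LocalVulnStore:
    """In-memory mirror keyed by vulnerability UUID; seed it from a one-time API dump."""

    def __init__(self, seed_records=()):
        self.records = {r["id"]: r for r in seed_records}

    def apply(self, event: str, data):
        if event in ("create", "replace"):
            # both carry the full record; treating replace as an upsert also copes
            # with records that were added before the initial dump was taken
            if not isinstance(data, dict) or "id" not in data:
                raise ValueError("record without id")
            self.records[data["id"]] = data
        elif event == "delete":
            if not isinstance(data, str):     # delete carries only the UUID
                raise ValueError("delete without uuid")
            self.records.pop(data, None)
        else:
            raise ValueError("unknown event %r" % event)


def handle_delivery(store: LocalVulnStore, secret: bytes, headers: dict, body: bytes):
    """Return (http_status, message): 401 bad signature, 400 bad payload, 200 applied."""
    presented = next((v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER), "")
    if not verify_signature(secret, body, presented):
        return 401, "signature mismatch"
    try:
        msg = json.loads(body.decode("utf-8"))
        store.apply(msg["event"], msg["data"])
    except (ValueError, KeyError, TypeError, UnicodeDecodeError) as exc:
        return 400, "rejected: %s" % exc
    return 200, "applied %s" % msg["event"]


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    store = LocalVulnStore()
    rec = {"id": "00000000-0000-4000-8000-000000000001",   # constructed UUID
           "title": "Example Plugin <= 1.0 - Stored Cross-Site Scripting"}
    for event, data in (("create", rec), ("delete", rec["id"])):
        hdrs, body = make_delivery(secret, event, data)
        print(handle_delivery(store, secret, hdrs, body))
```

A real deployment would wrap handle_delivery in whatever HTTP framework serves the endpoint and persist LocalVulnStore to disk; the status codes are what the sender's "last status code" view would show, so a run of 401s points at a secret mismatch rather than a parsing problem.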

If you’d simply like to stay on top of the latest vulnerabilities, we recommend using the Slack/Discord integration that pre-formats the data and sends it directly to the supplied webhook channel integration. The data will appear in your Slack/Discord channel like so:

You can find all of the technical documentation for creating webhook integrations at: https://www.wordfence.com/help/wordfence-intelligence-webhook-notifications/ 

Conclusion

We are incredibly excited about the launch of this feature as we know that it will enable more site owners, security researchers, developers, and enterprises to more effectively implement vulnerability monitoring and notifications. This in turn will have a positive impact on the WordPress ecosystem and security of the internet as a whole.

On a final note, we’d like to say a special thank you to our Premium, Care, and Response customers that make providing this vulnerability information to the community for free possible. Without your support and trust, we wouldn’t be able to provide completely free access to some of the best vulnerability information available on the market with the Wordfence Intelligence Vulnerability Database. All while continuing to create and provide integrations that make access to WordPress vulnerability information as seamless as possible for everyone.

The post Introducing Free Wordfence Intelligence WordPress Vulnerability Webhook Notifications! appeared first on Wordfence.

Introducing Wordfence CLI: A High Performance Malware Scanner Built for the Command Line

Today, we are incredibly excited to announce the launch of Wordfence CLI: an open source, high performance malware scanner built for the command-line. With Wordfence CLI you can detect malware and other indicators of compromise on a host system by running an extremely fast scanner that is at home in the Linux command line environment. This provides site owners, security administrators, operations teams, and security focused organizations more performance and flexibility in malware detection.

While the Wordfence plugin continues to provide industry leading security with its Web Application Firewall, 2-Factor Authentication, IP Blocklist, Malware Scanner, and other security features, Wordfence CLI can be used to provide a second layer of detection for malware or provide an option for those who choose not to utilize a security plugin.

Wordfence CLI does not provide the firewall, two-factor authentication, brute force protection and other security features that the Wordfence Free and Paid plugin provides. Wordfence CLI is purely focused on high performance, scalable and scriptable malware detection.

Wordfence CLI is for the following customers:

  • Individual site owners comfortable on the Linux command line, who choose to run (or schedule) high performance malware scans on the command line instead of using the malware scanning built into the Wordfence plugin.
  • Site cleaners who need a high performance malware scanner to scan a large number of files as part of remediation.
  • Developers providing hosting to several customers and who want to configure high performance scans in the Linux environment.
  • Hosting companies small and large that want to parallelize scanning across thousands or millions of hosts, fully utilizing all available CPU cores and IO throughput.
  • Operations teams in any organization who are looking for a highly configurable command line scanner that can slot right in to a comprehensive, scheduled and scripted security policy.

Wordfence CLI aims to provide the fastest PHP malware scanner in the world with the highest detection rate, in a scriptable tool that can work in concert with other tools and utilities in the Linux command line environment.

What is Wordfence CLI?

Malware Detection Designed with Performance in Mind

Under the hood, Wordfence CLI is a multi-process malware scanner written in Python. It’s designed to have low memory overhead while being able to utilize multiple cores for scanning large filesystems for malware. We’ve opted to use libpcre over Python’s existing regex libraries for speed and compatibility with our signature set.

From some of our own benchmarks, we’ve seen ~324 files per second and approximately 13 Megabytes scanned per second using 16 workers on an AMD Ryzen 7 1700 with 8 Cores utilizing our full commercial signature set of over 5,000 malware signatures. That is approximately 46 Gigabytes per hour on modest hardware.

Here are some examples of Wordfence CLI in action.

Performing a basic scan of a single directory in a file system:

wordfence scan --output-path /home/wordfence/wordfence-cli.csv /var/www

This will recursively scan files in the /var/www directory and write the results of the scan in CSV format to /home/wordfence/wordfence-cli.csv. A scan like this could be scheduled using a cron job to be performed daily, which would be similar to how the Wordfence plugin performs scans. Additionally, we can use other utilities like find to select which files we want to scan using Wordfence CLI:

find /var/www/ -cmin -60 -type f -print0 | wordfence scan --output-path /home/wordfence/wordfence-cli.csv

In this example, we can find which files have been changed within the last hour and pipe those from the find command to Wordfence CLI for scanning. It is recommended that you use ctime over mtime and atime as changing the ctime of a file requires root access to the file system. mtime and atime can be arbitrarily set by the file owner using the touch command.

We don’t recommend solely scanning recently changed files on your file system. We frequently add new malware signatures to Wordfence CLI, and we therefore recommend periodically performing a full scan of your filesystem.
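The find-then-scan workflow above, as an added shell example that is not part of the original post or the Wordfence CLI project. It shows why the ctime-based selection is the safer choice: a file whose mtime has been backdated with touch drops out of an mtime-based selection but still appears in a ctime-based one. It assumes the wordfence binary is on PATH and reuses the post's output path as a placeholder.

```shell
#!/bin/sh
# Added example, not Wordfence's own code. Demonstrates selecting recently
# changed files by ctime (as the post recommends) versus mtime before piping
# them to "wordfence scan".

# Regular files under $1 whose ctime changed within the last $2 minutes,
# one per line (scan_recent below uses -print0 for the real pipeline).
recent_by_ctime() {
    find "$1" -type f -cmin "-$2" | sort
}

# The same selection keyed on mtime, for comparison.
recent_by_mtime() {
    find "$1" -type f -mmin "-$2" | sort
}

# Constructed scenario: a small web root where one freshly written file has
# had its mtime backdated to 2022, the way a tampered file might. Returns
# "<files found by mtime> <files found by ctime>".
demo_counts() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads"
    printf '<?php echo "legit"; ?>\n' > "$tmp/index.php"
    printf '<?php echo "new"; ?>\n' > "$tmp/wp-content/uploads/recent.php"
    # Backdate only the modification time; the kernel still bumps ctime.
    touch -m -t 202201010000 "$tmp/wp-content/uploads/recent.php"
    by_mtime=$(recent_by_mtime "$tmp" 60 | wc -l | tr -d ' ')
    by_ctime=$(recent_by_ctime "$tmp" 60 | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$by_mtime $by_ctime"
}

# Real pipeline from the post: files changed (by ctime) in the last hour
# under $1, scanned by Wordfence CLI with results written to $2.
# Assumes "wordfence" is installed and on PATH.
scan_recent() {
    find "$1" -type f -cmin -60 -print0 \
        | wordfence scan --output-path "$2"
}

# Example usage (uncomment on a host with Wordfence CLI installed):
# scan_recent /var/www /home/wordfence/wordfence-cli.csv
```

Running demo_counts prints "1 2": the backdated file is invisible to the mtime selection but still caught by the ctime selection.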

Flexibility at Your Fingertips

One key benefit of Wordfence CLI is flexibility. The tool comes with many options that enable users to utilize the output of the scan in various ways.

Some of these options include the ability to:

  • Format output in various ways like CSV, TSV, human readable, and more
  • Choose the number of workers based on available CPUs, which can increase the speed and performance of a scan.
  • Include or skip certain files and directories from a scan.
  • Look for all malware signature matches in each file, or immediately stop scanning a file if we find malware (the default).
  • Include or exclude specific signatures from a scan.
  • And much more.

For more information on all of the options available, we recommend reviewing our help documentation at https://www.wordfence.com/help/wordfence-cli/, or downloading Wordfence CLI and running wordfence scan --help.

How Wordfence CLI Licensing Works

Wordfence CLI comes in two primary license types, Wordfence CLI Free and Wordfence CLI Commercial.

Wordfence CLI Free is free for individual use and cannot be used in a commercial setting. The free version uses our Free Signature Set, which is a smaller set of signatures appropriate for entry-level malware detection. Wordfence CLI Free is a great way to get familiar with the tool and to conduct quick scans.

Wordfence CLI Commercial includes our Commercial Signature Set of over 5,000 malware signatures, and can be used in any commercial setting. We release new malware signatures in real-time to our commercial customers. For a sense of scale, our team has released over 100 new malware signatures in the past four months.

Wordfence CLI Commercial includes product support from our world-class Customer Support Engineers.

Wordfence CLI Commercial is available in four pricing tiers:

  • CLI-100 can be used to scan up to 100 unique sites, at just $299 per year.
  • CLI-1,000 can be used to scan up to 1,000 different sites, at just $950 per year.
  • CLI-10,000 can be used to scan up to 10,000 different sites, at just $2,950 per year.
  • CLI-Enterprise which is tailored to any organization or enterprise use case, where the number of sites to be scanned exceeds 10,000. Please contact us at presales@wordfence.com if you are interested in this option.

We trust that users will self-select into the appropriate CLI tier based on the number of sites they need to scan within the license year. You can sign up for a Wordfence CLI free license, or purchase a Wordfence CLI Commercial license at: https://www.wordfence.com/products/wordfence-cli

Contributing to Open Source

Wordfence was founded on a commitment to building and maintaining open source software, and Wordfence CLI is no different. This is why we’ve decided to release the Wordfence CLI application under the GPLv3 license. You can clone the repository here:

https://github.com/wordfence/wordfence-cli/

We’ve also included documentation about how to install, configure, and run Wordfence CLI here:

https://www.wordfence.com/help/wordfence-cli/

Come see us at WordCamp US!

Wordfence is a proud Admin level sponsor at WordCamp US in Maryland this year. Join us in celebrating our launch of Wordfence CLI by stopping by our booth and saying hi! We’ll be there 8AM – 5PM tomorrow (Friday) and 8AM – 3:30PM on Saturday. We’ll have team members from Engineering, Threat Intelligence, Customer Service, Operations, and Security who will be happy to answer any questions you have about the launch of Wordfence CLI. We can also help with any questions about our current product lineup which includes Wordfence Premium, Wordfence Care, and Wordfence Response along with Wordfence Intelligence. If the rumors are true, we might even be teaching the public how to pick locks, and you might have the opportunity to win your own lock picking set if you can crack it.

The post Introducing Wordfence CLI: A High Performance Malware Scanner Built for the Command Line appeared first on Wordfence.
