WordPress Vulnerability Report – July 5, 2023

This week, 70 total vulnerabilities emerged in public disclosure. They may affect over one million WordPress sites. There are 36 plugin vulnerabilities that have security patches available, so run those updates!

Additionally, there are 33 plugin vulnerabilities and one theme vulnerability with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress and repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

CVE
2023-1844
The vulnerability has been patched, so you should update to version 10.41.
Vulnerability
Cross Site Request Forgery (CSRF)
CVE
2023-3407
The vulnerability has been patched, so you should update to version 10.41.

WPGraphQL

Product image for WPGraphQL.

Plugin
WPGraphQL
Vulnerability
Server Side Request Forgery (SSRF)
The vulnerability has been patched, so you should update to version 1.14.6.

MStore API

Product image for MStore API.

Plugin
MStore API
CVE
2023-3197
The vulnerability has been patched, so you should update to version 4.0.2.

Short URL

Product image for Short URL.

Plugin
Short URL
Vulnerability
Authenticated Stored Cross Site Scripting (XSS)
CVE
2023-1602
The vulnerability has been patched, so you should update to version 1.6.5.

Short URL

Product image for Short URL.

Plugin
Short URL
The vulnerability has been patched, so you should update to version 1.6.5.

WP Inventory Manager

Product image for WP Inventory Manager.

Vulnerability
Inventory Items Deletion via Cross Site Request Forgery (CSRF)
CVE
2023-2842
The vulnerability has been patched, so you should update to version 2.1.0.14.

Kanban Boards for WordPress

Product image for Kanban Boards for WordPress.

Vulnerability
Auth. Stored Cross Site Scripting (XSS)
CVE
2023-0873
The vulnerability has been patched, so you should update to version 2.5.21.

Request a Quote

Product image for Request a Quote.

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 2.3.11.

ARMember

Vulnerability
Stored Cross Site Scripting (XSS) on Common Messages Settings
The vulnerability has been patched, so you should update to version 4.0.5.

AutomateWoo

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 5.7.6.

AutomateWoo

The vulnerability has been patched, so you should update to version 5.7.6.

Houzez CRM

The vulnerability has been patched, so you should update to version 1.3.5.

Salon Booking System

Vulnerability
Cross Site Request Forgery (CSRF)
CVE
2023-3427
The vulnerability has been patched, so you should update to version 8.4.8.

LearnDash LMS

Vulnerability
Authenticated IDOR to Account Takeover
CVE
2023-3105
The vulnerability has been patched, so you should update to version 4.6.0.1.

WooCommerce Order Barcodes

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 1.6.5.

WooCommerce Ship to Multiple Addresses

Plugin
WooCommerce Ship to Multiple Addresses
Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 3.8.6.

WP Post Author

The vulnerability has been patched, so you should update to version 3.3.0.

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Side Cart Woocommerce

Product image for Side Cart Woocommerce (Ajax).

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Enhanced Text Widget

Product image for Enhanced Text Widget.

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Zippy

Product image for Zippy.

Plugin
Zippy
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Enable SVG, WebP & ICO Upload

Product image for Enable SVG, WebP & ICO Upload  .

Vulnerability
Auth. Stored Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-2143
The vulnerability has not been patched. You should deactivate the plugin.

SW Product Bundles

Product image for SW Product Bundles.

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Email download link

Product image for Email download link.

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Post Hit Counter

Product image for Post Hit Counter.

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Layer Slider

Product image for Layer Slider.

Plugin
Layer Slider
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Google Sheet Connector

Product image for WooCommerce Google Sheet Connector.

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
CVE
2023-2329
The vulnerability has not been patched. You should deactivate the plugin.

WCP OpenWeather

Product image for WCP OpenWeather.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP Abstracts

Product image for WP Abstracts.

Plugin
WP Abstracts
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP Abstracts

Product image for WP Abstracts.

Plugin
WP Abstracts
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Caldera Forms Google Sheets Connector

Product image for Caldera Forms Google Sheets Connector.

Vulnerability
Access Code Update via Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
CVE
2023-2330
The vulnerability has not been patched. You should deactivate the plugin.

Autochat

Product image for Autochat Automatic Conversation.

Vulnerability
Unauth. Stored Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-3041
The vulnerability has not been patched. You should deactivate the plugin.

AN_GradeBook

Patched in Version
No Fix
CVE
2023-2636
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Booked

Vulnerability
Unauth. Appointment Data Exposure
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Editorial Calendar

Vulnerability
Auth. Stored Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2022-4115
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Editorial Calendar

Vulnerability
Insecure Direct Object References (IDOR)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

File Manager Advanced Shortcode

Plugin
File Manager Advanced Shortcode
Vulnerability
Unauth. Remote Code Execution (RCE)
Patched in Version
No Fix
CVE
2023-2068
The vulnerability has not been patched. You should deactivate the plugin.

Image Map Pro Lite

Vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched in Version
No Fix
CVE
2023-3411
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Image Map Pro

Vulnerability
Missing Authorization to Stored Cross-Site Scripting
Patched in Version
No Fix
CVE
2023-3412
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Noo Timetable

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Noo Timetable

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

SP Project & Document Manager

Plugin
SP Project & Document Manager
Vulnerability
Auth. Insecure Direct Object References (IDOR)
Patched in Version
No Fix
CVE
2023-3063
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

SP Project & Document Manager

Plugin
SP Project & Document Manager
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

SP Project & Document Manager

Plugin
SP Project & Document Manager
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Web3

Plugin
Web3 – Crypto wallet Login & NFT token gating
Patched in Version
No Fix
CVE
2023-3249
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WPJobBoard

Vulnerability
Unauth. Blind SQL Injection
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

The7 — Website and eCommerce Builder for WordPress

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should switch themes.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

The post WordPress Vulnerability Report – July 5, 2023 appeared first on iThemes.

This content was originally published here.