Two PHP Object Injection Vulnerabilities Fixed in Essential Blocks

On August 18, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two PHP Object Injection vulnerabilities in the Essential Blocks plugin for WordPress, a plugin with over 100,000 installations.

The developers responded three days later, and we sent them full disclosure details on August 23, 2023. A patched version of the free plugin, 4.2.1, was released on August 29, 2023, with version 1.1.1 of the Pro version released the same day.

We issued a firewall rule to protect all Wordfence users by September 17, 2023. We recommend that all Wordfence users update to the patched version, 4.2.1 (1.1.1 for Pro), as soon as possible, as this will entirely eliminate the vulnerabilities.

Source and more info:

Over 100,000 WordPress Websites Affected by XSS and SQLi Vulnerabilities in Slimstat Analytics Plugin

On August 24, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability and a Blind SQL Injection vulnerability in the Slimstat Analytics plugin, which is actively installed on more than 100,000 WordPress websites. These vulnerabilities enable threat actors with contributor-level permissions or higher to inject malicious web scripts into pages, or to execute SQL queries by appending them to an existing SQL query, using the plugin’s shortcode.

All Wordfence users are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s built-in Cross-Site Scripting and SQL Injection protection.

Wordfence contacted VeronaLabs on August 24, 2023, and received a response the same day. After we provided full disclosure details, the developer released a patch on August 28, 2023. We would like to commend VeronaLabs for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Slimstat Analytics, version 5.0.10 at the time of this writing, as soon as possible.