Wordfence Intelligence Weekly WordPress Vulnerability Report (June 12, 2023 to June 18, 2023)

Last week, there were 60 vulnerabilities disclosed in 52 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 25 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 20
Patched 40

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 53
High Severity 6
Critical Severity 0

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 26
Cross-Site Request Forgery (CSRF) 21
Missing Authorization 8
Information Exposure 1
Authorization Bypass Through User-Controlled Key 1
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) 1
Unrestricted Upload of File with Dangerous Type 1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Truoc Phan 6
LEE SE HYOUNG 5
Erwan LR 5
Marco Wotschka
(Wordfence Vulnerability Reasearcher)
4
Abdi Pranata 3
Mika 3
Lana Codes
(Wordfence Vulnerability Reasearcher)
3
yuyudhn 3
Nguyen Xuan Chien 3
Rafshanzani Suhada 2
konagash 2
NeginNrb 2
Rafie Muhammad 2
A. S. M. Muhiminul Hasan 1
Theodoros Malachias 1
Rio Darmawan 1
Le Ngoc Anh 1
emad 1
Alex Thomas
(Wordfence Vulnerability Reasearcher)
1
Daniel Ruf 1
Amirmohammad vakili 1
thiennv 1
Chloe Chamberland
(Wordfence Vulnerability Reasearcher)
1
Phd 1
killr00t 1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup armember-membership
All Bootstrap Blocks all-bootstrap-blocks
Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress and all Kinds of Equipment booking-and-rental-manager-for-woocommerce
CF7 Google Sheets Connector cf7-google-sheets-connector
CF7 Google Sheets Connector Pro cf7-google-sheets-connector-pro
CHP Ads Block Detector chp-ads-block-detector
Church Admin church-admin
Constant Contact Forms constant-contact-forms
Contact Form by WD – responsive drag & drop contact form builder tool contact-form-maker
Elementor Forms Google Sheet Connector gsheetconnector-for-elementor-forms
Elementor Forms Google Sheet Connector Pro gsheetconnector-for-elementor-forms-pro
Flo Forms – Easy Drag & Drop Form Builder flo-forms
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder form-maker
Forminator – Contact Form, Payment Form & Custom Form Builder forminator
Galleria galleria
Google Map Shortcode google-map-shortcode
Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor front-editor
LWS Cleaner lws-cleaner
LWS Tools lws-tools
Login Configurator login-configurator
MStore API mstore-api
MasterStudy LMS WordPress Plugin – for Online Courses and Education masterstudy-lms-learning-management-system
ND Shortcodes nd-shortcodes
Ninja Forms Google Sheet Connector gsheetconnector-ninja-forms
Ninja Forms Google Sheet Connector Pro gsheetconnector-ninja-forms-pro
Password Protected password-protected
Protect WP Admin protect-wp-admin
Recent Posts Slider recent-posts-slider
Recipe Maker For Your Food Blog from Zip Recipes zip-recipes
Securimage-WP securimage-wp
Seed Fonts seed-fonts
Sermon’e – Sermons Online UNKNOWN-CVE-2023-35776-1
Stock Manager for WooCommerce woocommerce-stock-manager
Template Debugger quick-edit-template-link
Tutor LMS – eLearning and online course solution tutor
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor
WP Affiliate Links wp-affiliate-links
WP Backup Manager wp-backup-manager
WP Directory Kit wpdirectorykit
WP Matterport Shortcode shortcode-gallery-for-matterport-showcase
WP PDF Generator wp-pdf-generator
WPForms Google Sheet Connector gsheetconnector-wpforms
WPForms Google Sheet Connector Pro gsheetconnector-wpforms-pro
Who Hit The Page – Hit Counter who-hit-the-page-hit-counter
WooCommerce Stripe Payment Gateway woocommerce-gateway-stripe
WordPress Contact Forms by Cimatti contact-forms
WordPress NextGen GalleryView wordpress-nextgen-galleryview
YaySMTP – Simple WP SMTP Mail yaysmtp
Zephyr Project Manager zephyr-project-manager
breadcrumb simple breadcrumb-simple
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin mycred
胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件 fat-rat-collect

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.66 – Authenticated (Contributor+) Arbitrary File Upload

Affected Software: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
CVE ID: CVE-2023-3295
CVSS Score: 8.8 (High)
Researcher/s: Chloe Chamberland, Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce1ac711-6026-49ef-b66b-2cc199697942

Tutor LMS <= 2.2.0 – Missing Authorization via REST API

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-3133
CVSS Score: 7.5 (High)
Researcher/s: A. S. M. Muhiminul Hasan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d6c9765-6936-4b22-835e-e899f62c14c9

WooCommerce Stripe Payment Gateway <= 7.4.0 – Unauthenticated Insecure Direct Object Reference to Sensitive Information Disclosure

Affected Software: WooCommerce Stripe Payment Gateway
CVE ID: CVE-2023-34000
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70971072-d743-466b-affe-d7f79d5712aa

Ninja Forms Google Sheet Connector <= 1.2.6 – Reflected Cross-Site Scripting

Affected Software/s: Ninja Forms Google Sheet Connector, Ninja Forms Google Sheet Connector Pro
CVE ID: CVE-2023-2333
CVSS Score: 7.2 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/559a92e0-609e-415f-aab3-649a185eb431

YaySMTP <= 2.4.5 – Unauthenticated Stored Cross-Site Scripting via Email

Affected Software: YaySMTP – Simple WP SMTP Mail
CVE ID: CVE-2023-3093
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68e6ec3a-c5fd-4f63-a9a0-2c9ddfb96e2e

Who Hit The Page – Hit Counter <= 1.4.14.3 – Unauthenticated Cross-Site Scripting

Affected Software: Who Hit The Page – Hit Counter
CVE ID: CVE-2023-25466
CVSS Score: 7.2 (High)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/714d7811-0425-4833-a7b2-a408799181e4

Contact Form Maker <= 1.13.23 – Authenticated (Administrator+) SQL Injection

Affected Software: Contact Form by WD – responsive drag & drop contact form builder tool
CVE ID: CVE-2023-2655
CVSS Score: 6.6 (Medium)
Researcher/s: killr00t
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb56c071-d7b9-40e0-8cc5-2dd48c93b8cf

All Bootstrap Blocks <= 1.3.6 – Cross-Site Request Forgery to Plugin Settings Reset

Affected Software: All Bootstrap Blocks
CVE ID: CVE-2023-35047
CVSS Score: 6.5 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a7a15ab-4f13-4eb1-aeb5-143230308871

WP Directory Kit <= 1.2.3 – Missing Authorization to Plugin Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_admin_action

Affected Software: WP Directory Kit
CVE ID: CVE-2023-2351
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50c5154c-1573-4c2b-85a1-a89bdb22dc7d

MStore API <= 3.9.5 – Missing Authorization

Affected Software: MStore API
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a747542-0601-4fa5-a97c-c72d1347013b

Sermon’e <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Sermon’e – Sermons Online
CVE ID: CVE-2023-35776
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08b5f399-018c-4e0b-aefc-55463d4ac48d

MasterStudy LMS <= 3.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education
CVE ID: CVE-2023-35090
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/174e2bf3-2531-4a53-ade6-3df7e976ed29

ND Shortcodes <= 6.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: ND Shortcodes
CVE ID: CVE-2022-4623
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d92687e-cdf2-4dd2-b984-eaf9f0a56625

WP Matterport Shortcode <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP Matterport Shortcode
CVE ID: CVE-2023-35094
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b76ce38-d9ee-4998-ba3b-9f21158ce18a

ND Shortcodes <= 6.9 – Authenticated (Subscriber+) Local File Inclusion

Affected Software: ND Shortcodes
CVE ID: CVE-2023-1273
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9b9bd42f-cb24-483a-ae91-add4378067d9

Front User Submit | Front Editor <= 3.7.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f34722fb-e852-4194-b839-7d885d212fc9

NextGen GalleryView <= 0.5.5 – Reflected Cross-Site Scripting

Affected Software: WordPress NextGen GalleryView
CVE ID: CVE-2023-35098
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/043ed446-3af3-4d90-8da7-b1fe73e06bba

CF7 Google Sheets Connector <= 5.0.1 – Reflected Cross-Site Scripting via ‘code’

Affected Software/s: CF7 Google Sheets Connector Pro, CF7 Google Sheets Connector
CVE ID: CVE-2023-2320
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c6b2c4b-5ea5-471d-9114-d2b469b6c59b

Elementor Forms Google Sheet Connector <= 1.0.6 – Reflected Cross-Site Scripting via ‘code’

Affected Software/s: Elementor Forms Google Sheet Connector Pro, Elementor Forms Google Sheet Connector
CVE ID: CVE-2023-2324
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ac577f4-2e61-4b72-881e-6fbbfd268f7b

WP Backup Manager <= 1.13.1 – Reflected Cross-Site Scripting

Affected Software: WP Backup Manager
CVE ID: CVE-2023-35775
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ee3416b-d6df-4f8b-834b-4e78516c00ba

WPForms Google Sheet Connector <= 3.4.5 – Reflected Cross-Site Scripting

Affected Software/s: WPForms Google Sheet Connector Pro, WPForms Google Sheet Connector
CVE ID: CVE-2023-2321
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75067f95-48b6-4c1d-8d8b-2601185b1f81

Recent Posts Slider <= 1.1 – Reflected Cross-Site Scripting

Affected Software: Recent Posts Slider
CVE ID: CVE-2023-35043
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bbc6aa7-0625-4689-8afe-d7399009ee53

WP Affiliate Links <= 0.1.1 – Reflected Cross-Site Scripting

Affected Software: WP Affiliate Links
CVE ID: CVE-2023-35097
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba4638be-29d3-4638-84d3-6a9d540bfa33

Google Map Shortcode <= 3.1.2 – Reflected Cross-Site Scripting

Affected Software: Google Map Shortcode
CVE ID: CVE-2023-35772
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbd4983f-bf92-45c3-95a6-6f5e39bca228

Church Admin <= 3.7.29 – Reflected Cross-Site Scripting

Affected Software: Church Admin
CVE ID: CVE-2023-34021
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e85efdc1-cffc-411a-a2f7-6fa1132e2910

LWS Tools <= 2.4.1 – Cross-Site Request Forgery

Affected Software: LWS Tools
CVE ID: CVE-2023-35774
CVSS Score: 5.4 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/315dbb77-d872-4cc4-bb4c-9d4763a6ff8f

LWS Cleaner <= 2.3.0 – Cross-Site Request Forgery

Affected Software: LWS Cleaner
CVE ID: CVE-2023-35781
CVSS Score: 5.4 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b89c51fe-c056-4d85-a6e3-6678ed93b9d8

Fat Rat Collect <= 2.6.1 – Missing Authorization


Protect WP Admin <= 3.8 – Unauthenticated Information Disclosure to Protection Bypass

Affected Software: Protect WP Admin
CVE ID: CVE-2023-3139
CVSS Score: 5.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7012b34d-8d65-4575-9965-417739206b5f

Forminator <= 1.23.3 – Race Condition to Multiple Poll Voting

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE-2023-2010
CVSS Score: 5.3 (Medium)
Researcher/s: Amirmohammad vakili
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a40cb2da-dc13-4e20-9602-a4e6c2eade43

CHP Ads Block Detector <= 3.9.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: CHP Ads Block Detector
CVE ID: CVE-2023-2354
CVSS Score: 4.9 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f8514c9-0e11-4e26-ba0b-1d08a990b56c

Seed Fonts 2.3.1 – Authenticated(Administrator+) Stored Cross-Site Scripting

Affected Software: Seed Fonts
CVE ID: CVE-2023-35779
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57953bab-7430-4841-b073-7db7964e6a65

ARMember <= 4.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2023-33323
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/668d4bd3-adde-4347-9169-67c3c96e1743

Booking and Rental Manager <= 1.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting


Login Configurator <= 2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Login Configurator
CVE ID: CVE-2023-34369
CVSS Score: 4.4 (Medium)
Researcher/s: NeginNrb
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74d3606f-bd62-4844-ac17-8e47feddab92

Password Protected <= 2.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Password Protected
CVE ID: CVE-2023-32580
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79c296b1-e385-404d-96c0-a98f10b89f08

Flo Forms <= 1.0.40 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Flo Forms – Easy Drag & Drop Form Builder
CVE ID: CVE-2023-35095
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bdd35d61-0777-4e64-8a51-55fe928e75ba

Recent Posts Slider <= 1.1 – Cross-Site Request Forgery

Affected Software: Recent Posts Slider
CVE ID: CVE-2023-35778
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cf9c390-81d7-45d4-a6df-22b16235d11b

MStore API <= 3.9.6 – Cross-Site Request Forgery to Product Limit Update

Affected Software: MStore API
CVE ID: CVE-2023-3203
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1aed51a2-9fd4-43bb-b72d-ae8e51ee6e87

Zephyr Project Manager <= 3.3.93 – Cross-Site Request Forgery

Affected Software: Zephyr Project Manager
CVE ID: CVE-2023-34373
CVSS Score: 4.3 (Medium)
Researcher/s: Theodoros Malachias
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/236387f0-b58e-4ef1-b370-a0703a7902eb

WP PDF Generator <= 1.2.2 – Cross-Site Request Forgery to PDF Settings Update

Affected Software: WP PDF Generator
CVE ID: CVE-2023-35038
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28a4c868-a24d-4fd8-ae0e-d5c0bf3a7436

Securimage-WP <= 3.6.16 – Cross-Site Request Forgery

Affected Software: Securimage-WP
CVE ID: CVE-2023-35044
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36f41de5-50d5-47ca-bbd0-eca3b756a0cd

MasterStudy LMS <= 3.0.7 – Missing Authorization to Course Category Creation

Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education
CVE ID: CVE-2023-35093
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/417ae2f2-e245-49bb-8b77-0eabf6095459

CHP Ads Block Detector <= 3.9.4 – Missing Authorization to Plugin Settings Update

Affected Software: CHP Ads Block Detector
CVE ID: CVE-2023-2353
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4eca64d7-6e33-4b8e-af37-a3e8bbf2b76f

Zip Recipes <= 8.0.7 – Cross-Site Request Forgery

Affected Software: Recipe Maker For Your Food Blog from Zip Recipes
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/727a0649-082f-46d0-8d6f-de53ee7fb18e

MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Message Update

Affected Software: MStore API
CVE ID: CVE-2023-3200
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78f3c503-e255-44d2-8432-48dc2c5f553d

Form Maker <= 1.15.16 – Missing Authorization in check_score

Affected Software: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f0eac1e-4988-4b73-bf13-c959b0dc11e2

Template Debugger <= 3.1.2 – Cross-Site Request Forgery

Affected Software: Template Debugger
CVE ID: CVE-2023-35773
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8da0fed9-4b88-4b68-b317-124fe678cfa4

Stock Manager for WooCommerce <= 2.10.0 – Cross-Site Request Forgery

Affected Software: Stock Manager for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99984fff-94e3-46fb-8241-88fcda556054

myCred <= 2.5 – Cross-Site Request Forgery

Affected Software: myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin
CVE ID: CVE-2023-35096
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3936c4b-2326-41dc-b7d6-a8cf43752ddb

MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Title Update

Affected Software: MStore API
CVE ID: CVE-2023-3199
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a604df5d-92b3-4df8-a7ef-00f0ee95cf0f

Constant Contact Forms <= 2.0.2 – Missing Authorization via constant_contact_privacy_ajax_handler

Affected Software: Constant Contact Forms
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8a26695-4793-418b-9a23-6709fe79ea4f

MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Status Update

Affected Software: MStore API
CVE ID: CVE-2023-3198
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5f30190-4576-4c2b-b069-72501538733b

MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Title Update

Affected Software: MStore API
CVE ID: CVE-2023-3201
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb5cb1a5-30d2-434f-90f9-d37aecfbe158

MStore API <= 3.9.6 – Cross-Site Request Forgery to Firebase Server Key Update

Affected Software: MStore API
CVE ID: CVE-2023-3202
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2b3612e-3c91-469b-98ef-fdb03b0ee9d9

CHP Ads Block Detector <= 3.9.4 – Cross-Site Request Forgery via chp_abd_action

Affected Software: CHP Ads Block Detector
CVE ID: CVE-2023-2352
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5a9cced-0e5e-4b6e-8291-0a862c9f9523

Galleria <= 1.0.3 – Cross-Site Request Forgery via showOptionsPage

Affected Software: Galleria
CVE ID: CVE-2023-35780
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea85fa9a-78ea-4017-b72e-49db7eafa11e

Recipe Maker For Your Food Blog from Zip Recipes <= 8.0.7 – Cross-Site Request Forgery

Affected Software: Recipe Maker For Your Food Blog from Zip Recipes
CVE ID: CVE-2023-35089
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ebd1483a-949d-4edb-9b86-007879d2d207

WordPress Contact Forms by Cimatti <= 1.5.7 – Cross-Site Request Forgery via _accua_forms_form_edit_action

Affected Software: WordPress Contact Forms by Cimatti
CVE ID: CVE-2023-2563
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f80a1f13-c1b9-4259-8d96-71a3cbcaf4ca

breadcrumb simple <= 1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: breadcrumb simple
CVE ID: CVE-2023-35092
CVSS Score: 3.3 (Low)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/598e38d7-b5a9-43c1-b908-dab8bbe24115

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Did you enjoy this post? Share it!

Comments

No Comments