Wordfence Intelligence Weekly WordPress Vulnerability Report (June 12, 2023 to June 18, 2023)
Last week, there were 60 vulnerabilities disclosed in 52 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 25 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 20 |
Patched | 40 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 1 |
Medium Severity | 53 |
High Severity | 6 |
Critical Severity | 0 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 26 |
Cross-Site Request Forgery (CSRF) | 21 |
Missing Authorization | 8 |
Information Exposure | 1 |
Authorization Bypass Through User-Controlled Key | 1 |
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 1 |
Unrestricted Upload of File with Dangerous Type | 1 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Truoc Phan | 6 |
LEE SE HYOUNG | 5 |
Erwan LR | 5 |
Marco Wotschka (Wordfence Vulnerability Reasearcher) |
4 |
Abdi Pranata | 3 |
Mika | 3 |
Lana Codes (Wordfence Vulnerability Reasearcher) |
3 |
yuyudhn | 3 |
Nguyen Xuan Chien | 3 |
Rafshanzani Suhada | 2 |
konagash | 2 |
NeginNrb | 2 |
Rafie Muhammad | 2 |
A. S. M. Muhiminul Hasan | 1 |
Theodoros Malachias | 1 |
Rio Darmawan | 1 |
Le Ngoc Anh | 1 |
emad | 1 |
Alex Thomas (Wordfence Vulnerability Reasearcher) |
1 |
Daniel Ruf | 1 |
Amirmohammad vakili | 1 |
thiennv | 1 |
Chloe Chamberland (Wordfence Vulnerability Reasearcher) |
1 |
Phd | 1 |
killr00t | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
All Bootstrap Blocks | all-bootstrap-blocks |
Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress and all Kinds of Equipment | booking-and-rental-manager-for-woocommerce |
CF7 Google Sheets Connector | cf7-google-sheets-connector |
CF7 Google Sheets Connector Pro | cf7-google-sheets-connector-pro |
CHP Ads Block Detector | chp-ads-block-detector |
Church Admin | church-admin |
Constant Contact Forms | constant-contact-forms |
Contact Form by WD – responsive drag & drop contact form builder tool | contact-form-maker |
Elementor Forms Google Sheet Connector | gsheetconnector-for-elementor-forms |
Elementor Forms Google Sheet Connector Pro | gsheetconnector-for-elementor-forms-pro |
Flo Forms – Easy Drag & Drop Form Builder | flo-forms |
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker |
Forminator – Contact Form, Payment Form & Custom Form Builder | forminator |
Galleria | galleria |
Google Map Shortcode | google-map-shortcode |
Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor | front-editor |
LWS Cleaner | lws-cleaner |
LWS Tools | lws-tools |
Login Configurator | login-configurator |
MStore API | mstore-api |
MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system |
ND Shortcodes | nd-shortcodes |
Ninja Forms Google Sheet Connector | gsheetconnector-ninja-forms |
Ninja Forms Google Sheet Connector Pro | gsheetconnector-ninja-forms-pro |
Password Protected | password-protected |
Protect WP Admin | protect-wp-admin |
Recent Posts Slider | recent-posts-slider |
Recipe Maker For Your Food Blog from Zip Recipes | zip-recipes |
Securimage-WP | securimage-wp |
Seed Fonts | seed-fonts |
Sermon’e – Sermons Online | UNKNOWN-CVE-2023-35776-1 |
Stock Manager for WooCommerce | woocommerce-stock-manager |
Template Debugger | quick-edit-template-link |
Tutor LMS – eLearning and online course solution | tutor |
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | unlimited-elements-for-elementor |
WP Affiliate Links | wp-affiliate-links |
WP Backup Manager | wp-backup-manager |
WP Directory Kit | wpdirectorykit |
WP Matterport Shortcode | shortcode-gallery-for-matterport-showcase |
WP PDF Generator | wp-pdf-generator |
WPForms Google Sheet Connector | gsheetconnector-wpforms |
WPForms Google Sheet Connector Pro | gsheetconnector-wpforms-pro |
Who Hit The Page – Hit Counter | who-hit-the-page-hit-counter |
WooCommerce Stripe Payment Gateway | woocommerce-gateway-stripe |
WordPress Contact Forms by Cimatti | contact-forms |
WordPress NextGen GalleryView | wordpress-nextgen-galleryview |
YaySMTP – Simple WP SMTP Mail | yaysmtp |
Zephyr Project Manager | zephyr-project-manager |
breadcrumb simple | breadcrumb-simple |
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin | mycred |
胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件 | fat-rat-collect |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.66 – Authenticated (Contributor+) Arbitrary File Upload
CVE ID: CVE-2023-3295
CVSS Score: 8.8 (High)
Researcher/s: Chloe Chamberland, Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce1ac711-6026-49ef-b66b-2cc199697942
Tutor LMS <= 2.2.0 – Missing Authorization via REST API
CVE ID: CVE-2023-3133
CVSS Score: 7.5 (High)
Researcher/s: A. S. M. Muhiminul Hasan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d6c9765-6936-4b22-835e-e899f62c14c9
WooCommerce Stripe Payment Gateway <= 7.4.0 – Unauthenticated Insecure Direct Object Reference to Sensitive Information Disclosure
CVE ID: CVE-2023-34000
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70971072-d743-466b-affe-d7f79d5712aa
Ninja Forms Google Sheet Connector <= 1.2.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2333
CVSS Score: 7.2 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/559a92e0-609e-415f-aab3-649a185eb431
YaySMTP <= 2.4.5 – Unauthenticated Stored Cross-Site Scripting via Email
CVE ID: CVE-2023-3093
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68e6ec3a-c5fd-4f63-a9a0-2c9ddfb96e2e
Who Hit The Page – Hit Counter <= 1.4.14.3 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-25466
CVSS Score: 7.2 (High)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/714d7811-0425-4833-a7b2-a408799181e4
Contact Form Maker <= 1.13.23 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-2655
CVSS Score: 6.6 (Medium)
Researcher/s: killr00t
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb56c071-d7b9-40e0-8cc5-2dd48c93b8cf
All Bootstrap Blocks <= 1.3.6 – Cross-Site Request Forgery to Plugin Settings Reset
CVE ID: CVE-2023-35047
CVSS Score: 6.5 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a7a15ab-4f13-4eb1-aeb5-143230308871
WP Directory Kit <= 1.2.3 – Missing Authorization to Plugin Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_admin_action
CVE ID: CVE-2023-2351
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50c5154c-1573-4c2b-85a1-a89bdb22dc7d
MStore API <= 3.9.5 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a747542-0601-4fa5-a97c-c72d1347013b
Sermon’e <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-35776
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08b5f399-018c-4e0b-aefc-55463d4ac48d
MasterStudy LMS <= 3.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-35090
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/174e2bf3-2531-4a53-ade6-3df7e976ed29
ND Shortcodes <= 6.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2022-4623
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d92687e-cdf2-4dd2-b984-eaf9f0a56625
WP Matterport Shortcode <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-35094
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b76ce38-d9ee-4998-ba3b-9f21158ce18a
ND Shortcodes <= 6.9 – Authenticated (Subscriber+) Local File Inclusion
CVE ID: CVE-2023-1273
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9b9bd42f-cb24-483a-ae91-add4378067d9
Front User Submit | Front Editor <= 3.7.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f34722fb-e852-4194-b839-7d885d212fc9
NextGen GalleryView <= 0.5.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-35098
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/043ed446-3af3-4d90-8da7-b1fe73e06bba
CF7 Google Sheets Connector <= 5.0.1 – Reflected Cross-Site Scripting via ‘code’
CVE ID: CVE-2023-2320
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c6b2c4b-5ea5-471d-9114-d2b469b6c59b
Elementor Forms Google Sheet Connector <= 1.0.6 – Reflected Cross-Site Scripting via ‘code’
CVE ID: CVE-2023-2324
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ac577f4-2e61-4b72-881e-6fbbfd268f7b
WP Backup Manager <= 1.13.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-35775
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ee3416b-d6df-4f8b-834b-4e78516c00ba
WPForms Google Sheet Connector <= 3.4.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2321
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75067f95-48b6-4c1d-8d8b-2601185b1f81
Recent Posts Slider <= 1.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-35043
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bbc6aa7-0625-4689-8afe-d7399009ee53
WP Affiliate Links <= 0.1.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-35097
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba4638be-29d3-4638-84d3-6a9d540bfa33
Google Map Shortcode <= 3.1.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-35772
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbd4983f-bf92-45c3-95a6-6f5e39bca228
Church Admin <= 3.7.29 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34021
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e85efdc1-cffc-411a-a2f7-6fa1132e2910
LWS Tools <= 2.4.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-35774
CVSS Score: 5.4 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/315dbb77-d872-4cc4-bb4c-9d4763a6ff8f
LWS Cleaner <= 2.3.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-35781
CVSS Score: 5.4 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b89c51fe-c056-4d85-a6e3-6678ed93b9d8
Fat Rat Collect <= 2.6.1 – Missing Authorization
CVE ID: CVE-2023-35045
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/279cebb5-4be4-485a-92c7-e0bcc961f93e
Protect WP Admin <= 3.8 – Unauthenticated Information Disclosure to Protection Bypass
CVE ID: CVE-2023-3139
CVSS Score: 5.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7012b34d-8d65-4575-9965-417739206b5f
Forminator <= 1.23.3 – Race Condition to Multiple Poll Voting
CVE ID: CVE-2023-2010
CVSS Score: 5.3 (Medium)
Researcher/s: Amirmohammad vakili
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a40cb2da-dc13-4e20-9602-a4e6c2eade43
CHP Ads Block Detector <= 3.9.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2354
CVSS Score: 4.9 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f8514c9-0e11-4e26-ba0b-1d08a990b56c
Seed Fonts 2.3.1 – Authenticated(Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-35779
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57953bab-7430-4841-b073-7db7964e6a65
ARMember <= 4.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-33323
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/668d4bd3-adde-4347-9169-67c3c96e1743
Booking and Rental Manager <= 1.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-35048
CVSS Score: 4.4 (Medium)
Researcher/s: NeginNrb
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e7c629f-e9c6-4254-ba37-46de5206d77d
Login Configurator <= 2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34369
CVSS Score: 4.4 (Medium)
Researcher/s: NeginNrb
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74d3606f-bd62-4844-ac17-8e47feddab92
Password Protected <= 2.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32580
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79c296b1-e385-404d-96c0-a98f10b89f08
Flo Forms <= 1.0.40 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-35095
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bdd35d61-0777-4e64-8a51-55fe928e75ba
Recent Posts Slider <= 1.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-35778
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cf9c390-81d7-45d4-a6df-22b16235d11b
MStore API <= 3.9.6 – Cross-Site Request Forgery to Product Limit Update
CVE ID: CVE-2023-3203
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1aed51a2-9fd4-43bb-b72d-ae8e51ee6e87
Zephyr Project Manager <= 3.3.93 – Cross-Site Request Forgery
CVE ID: CVE-2023-34373
CVSS Score: 4.3 (Medium)
Researcher/s: Theodoros Malachias
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/236387f0-b58e-4ef1-b370-a0703a7902eb
WP PDF Generator <= 1.2.2 – Cross-Site Request Forgery to PDF Settings Update
CVE ID: CVE-2023-35038
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28a4c868-a24d-4fd8-ae0e-d5c0bf3a7436
Securimage-WP <= 3.6.16 – Cross-Site Request Forgery
CVE ID: CVE-2023-35044
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36f41de5-50d5-47ca-bbd0-eca3b756a0cd
MasterStudy LMS <= 3.0.7 – Missing Authorization to Course Category Creation
CVE ID: CVE-2023-35093
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/417ae2f2-e245-49bb-8b77-0eabf6095459
CHP Ads Block Detector <= 3.9.4 – Missing Authorization to Plugin Settings Update
CVE ID: CVE-2023-2353
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4eca64d7-6e33-4b8e-af37-a3e8bbf2b76f
Zip Recipes <= 8.0.7 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/727a0649-082f-46d0-8d6f-de53ee7fb18e
MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Message Update
CVE ID: CVE-2023-3200
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78f3c503-e255-44d2-8432-48dc2c5f553d
Form Maker <= 1.15.16 – Missing Authorization in check_score
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f0eac1e-4988-4b73-bf13-c959b0dc11e2
Template Debugger <= 3.1.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-35773
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8da0fed9-4b88-4b68-b317-124fe678cfa4
Stock Manager for WooCommerce <= 2.10.0 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99984fff-94e3-46fb-8241-88fcda556054
myCred <= 2.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-35096
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3936c4b-2326-41dc-b7d6-a8cf43752ddb
MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Title Update
CVE ID: CVE-2023-3199
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a604df5d-92b3-4df8-a7ef-00f0ee95cf0f
Constant Contact Forms <= 2.0.2 – Missing Authorization via constant_contact_privacy_ajax_handler
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8a26695-4793-418b-9a23-6709fe79ea4f
MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Status Update
CVE ID: CVE-2023-3198
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5f30190-4576-4c2b-b069-72501538733b
MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Title Update
CVE ID: CVE-2023-3201
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb5cb1a5-30d2-434f-90f9-d37aecfbe158
MStore API <= 3.9.6 – Cross-Site Request Forgery to Firebase Server Key Update
CVE ID: CVE-2023-3202
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2b3612e-3c91-469b-98ef-fdb03b0ee9d9
CHP Ads Block Detector <= 3.9.4 – Cross-Site Request Forgery via chp_abd_action
CVE ID: CVE-2023-2352
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5a9cced-0e5e-4b6e-8291-0a862c9f9523
Galleria <= 1.0.3 – Cross-Site Request Forgery via showOptionsPage
CVE ID: CVE-2023-35780
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea85fa9a-78ea-4017-b72e-49db7eafa11e
Recipe Maker For Your Food Blog from Zip Recipes <= 8.0.7 – Cross-Site Request Forgery
CVE ID: CVE-2023-35089
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ebd1483a-949d-4edb-9b86-007879d2d207
WordPress Contact Forms by Cimatti <= 1.5.7 – Cross-Site Request Forgery via _accua_forms_form_edit_action
CVE ID: CVE-2023-2563
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f80a1f13-c1b9-4259-8d96-71a3cbcaf4ca
breadcrumb simple <= 1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-35092
CVSS Score: 3.3 (Low)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/598e38d7-b5a9-43c1-b908-dab8bbe24115
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments