Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023)
🎉Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!
Last week, there were 115 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
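The matching step behind that workflow, as an added example that is not Wordfence's own code: take a plugin inventory (in the shape `wp plugin list --format=json` produces) and a set of vulnerability records, and report which installed versions fall inside an affected range, separating "update" from "no fix exists, deactivate". The record layout (a `software` list with `slug`, `patched` and `affected_versions` from/to bounds with inclusive flags) is an assumption modelled on the public Wordfence Intelligence API schema and should be checked against the live feed; the four sample records are built from entries in this report, and the inventory is constructed for the example.

```python
"""Match a WordPress plugin inventory against a Wordfence-style vulnerability feed.

Added example, not Wordfence's own code. The record shape (software slug,
affected_versions with from/to bounds and inclusive flags, patched flag) is an
assumption modelled on the public Wordfence Intelligence API; verify the field
names against the live feed before relying on them.
"""
import re

# Ranks of PHP version_compare()'s special forms; a number ranks 4, unknown text -1.
_SPECIAL = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3, "pl": 5, "p": 5}
_MISSING = (3, 1)  # a missing trailing part: above dev/alpha/beta/rc, below a number


def _parts(version):
    """Tokenise like PHP does: digit runs and letter runs, separators dropped."""
    return [(4, int(t)) if t.isdigit() else (_SPECIAL.get(t.lower(), -1), 0)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def compare_versions(a, b):
    """Return -1, 0 or 1, approximating PHP's version_compare(), which is what
    WordPress itself uses to decide whether an update applies. Plain string
    comparison gets 1.0.10 < 1.0.9 wrong, so never use that for this check."""
    pa, pb = _parts(a), _parts(b)
    for i in range(max(len(pa), len(pb))):
        x = pa[i] if i < len(pa) else _MISSING
        y = pb[i] if i < len(pb) else _MISSING
        if x != y:
            return -1 if x < y else 1
    return 0


def version_in_range(version, rng):
    """True if version lies inside one affected_versions entry ('*' = unbounded)."""
    lo, hi = rng.get("from_version", "*"), rng.get("to_version", "*")
    if lo not in (None, "*"):
        c = compare_versions(version, lo)
        if c < 0 or (c == 0 and not rng.get("from_inclusive", True)):
            return False
    if hi not in (None, "*"):
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and not rng.get("to_inclusive", True)):
            return False
    return True


def find_exposures(inventory, feed):
    """Cross installed plugins with feed records; one finding per (plugin, vuln),
    highest CVSS first, each carrying the triage action an operator needs."""
    findings = []
    for plugin in inventory:
        for vuln in feed:
            for sw in vuln["software"]:
                if sw["type"] != "plugin" or sw["slug"] != plugin["name"]:
                    continue
                if not any(version_in_range(plugin["version"], r)
                           for r in sw["affected_versions"].values()):
                    continue
                # An unpatched bug cannot be fixed by updating: the only safe action
                # is to deactivate or remove the plugin until the vendor ships a fix.
                action = ("update to a patched release" if sw["patched"]
                          else "deactivate or remove: no fix available")
                findings.append({"plugin": plugin["name"], "installed": plugin["version"],
                                 "cvss": vuln["cvss"], "title": vuln["title"], "action": action})
    return sorted(findings, key=lambda f: -f["cvss"])


# Constructed inventory, in the shape `wp plugin list --format=json` produces.
SAMPLE_INVENTORY = [
    {"name": "userpro", "status": "active", "version": "5.1.1"},
    {"name": "porto-functionality", "status": "active", "version": "2.11.1"},
    {"name": "wp-all-export", "status": "active", "version": "1.3.9"},
    {"name": "wordpress-seo", "status": "active", "version": "21.5"},
]


def _rng(lo, hi, hi_inclusive):
    """Build one affected_versions entry (assumed layout, see module docstring)."""
    return {f"{lo} - {hi}": {"from_version": lo, "from_inclusive": True,
                             "to_version": hi, "to_inclusive": hi_inclusive}}


# Four records taken from this report; only the field layout is assumed.
SAMPLE_FEED = [
    {"id": "b3cf9f38-c20e-40dc-a7a1-65b0c6ba7925", "cvss": 9.8,
     "title": "UserPro <= 5.1.1 - Authentication Bypass to Administrator",
     "software": [{"type": "plugin", "slug": "userpro", "patched": True,
                   "affected_versions": _rng("*", "5.1.1", True)}]},
    {"id": "fabc7ad3-1d20-493f-aacb-1832d33d8e14", "cvss": 9.8,
     "title": "Porto Theme - Functionality <= 2.11.1 - Unauthenticated SQL Injection",
     "software": [{"type": "plugin", "slug": "porto-functionality", "patched": False,
                   "affected_versions": _rng("*", "2.11.1", True)}]},
    {"id": "b70e8bce-1793-40f0-bdb1-100cf5f431e9", "cvss": 8.8,
     "title": "Export any WordPress data to XML/CSV < 1.4.1 - CSRF to Remote Code Execution",
     "software": [{"type": "plugin", "slug": "wp-all-export", "patched": True,
                   "affected_versions": _rng("*", "1.4.1", False)}]},
    {"id": "385a82ff-50ad-4787-845b-fb5f639f6466", "cvss": 5.5,
     "title": "Yoast SEO <= 21.0 - Authenticated (SEO Manager+) Stored Cross-Site Scripting",
     "software": [{"type": "plugin", "slug": "wordpress-seo", "patched": True,
                   "affected_versions": _rng("*", "21.0", True)}]},
]

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_INVENTORY, SAMPLE_FEED):
        print(f"[{f['cvss']}] {f['plugin']} {f['installed']}: {f['title']} -> {f['action']}")
```

Running the block flags UserPro 5.1.1 and Porto Functionality 2.11.1 (both 9.8) and WP All Export 1.3.9 (8.8), while Yoast SEO 21.5 is left alone because it is above the `<= 21.0` bound. The `<` versus `<=` distinction in the report titles maps directly onto `to_inclusive`, which is why the range check must honour it rather than treating every bound as inclusive.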
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 39 |
Patched | 76 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 3 |
Medium Severity | 90 |
High Severity | 18 |
Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 33 |
Cross-Site Request Forgery (CSRF) | 26 |
Missing Authorization | 21 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 7 |
Unrestricted Upload of File with Dangerous Type | 5 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 4 |
Information Exposure | 3 |
Protection Mechanism Failure | 2 |
Improper Authorization | 2 |
Guessable CAPTCHA | 2 |
Improper Privilege Management | 1 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
Improper Control of Generation of Code (‘Code Injection’) | 1 |
Authorization Bypass Through User-Controlled Key | 1 |
Exposure of Sensitive Data Through Data Queries | 1 |
Authentication Bypass Using an Alternate Path or Channel | 1 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
Unverified Password Change | 1 |
Incorrect Privilege Assignment | 1 |
Use of Less Trusted Source | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
István Márton (Wordfence Vulnerability Researcher) | 14 |
Rafie Muhammad | 10 |
Nguyen Xuan Chien | 9 |
Abdi Pranata | 7 |
Dave Jong | 6 |
Mika | 4 |
Dmitrii Ignatyev | 4 |
Dimas Maulana | 3 |
Joshua Chan | 3 |
Jesse McNeil | 3 |
thiennv | 3 |
Ngô Thiên An (ancorn_) | 2 |
Donato Di Pasquale | 2 |
Francesco Marano | 2 |
Dateoljo of BoB 12th | 2 |
Abu Hurayra (HurayraIIT) | 2 |
Arvandy | 2 |
qilin_99 | 2 |
Skalucy | 2 |
lttn | 1 |
Joost Grunwald | 1 |
Bob Matyas | 1 |
SeungYongLee | 1 |
Tien from VNPT-VCI | 1 |
DoYeon Park (p6rkdoye0n) | 1 |
Le Ngoc Anh | 1 |
Vladislav Pokrovsky (ΞX.MI) | 1 |
Song Hyun Bae | 1 |
resecured.io | 1 |
Naveen Muthusamy | 1 |
Luqman Hakim Y | 1 |
minhtuanact | 1 |
Muhammad Daffa | 1 |
Myungju Kim | 1 |
Francesco Carlucci | 1 |
Huynh Tien Si | 1 |
Marco Wotschka (Wordfence Vulnerability Researcher) | 1 |
Phd | 1 |
Alex Sanford | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
AI ChatBot | chatbot |
ARI Stream Quiz – WordPress Quizzes Builder | ari-stream-quiz |
Abandoned Cart Lite for WooCommerce | woocommerce-abandoned-cart |
Accept Stripe Payments | stripe-payments |
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) | wp-analytify |
Auto Affiliate Links | wp-auto-affiliate-links |
Autocomplete Location field Contact Form 7 | autocomplete-location-field-contact-form-7 |
Availability Calendar | availability-calendar |
Awesome Support – WordPress HelpDesk & Support Plugin | awesome-support |
BackWPup – WordPress Backup Plugin | backwpup |
BlossomThemes Email Newsletter | blossomthemes-email-newsletter |
Booster for WooCommerce | woocommerce-jetpack |
Bootstrap Shortcodes Ultimate | bs-shortcode-ultimate |
Broken Link Checker for YouTube | broken-link-checker-for-youtube |
Bulk Comment Remove | bulk-comment-remove |
Captcha Code | captcha-code-authentication |
CataBlog | catablog |
Chatbot for WordPress ⚡️ | collectchat |
Community by PeepSo – Social Network, Membership, Registration, User Profiles | peepso-core |
Consensu.io | Conformidade e Consentimento de Cookies para LGPD | consensu-io |
Contact Form Email | contact-form-to-email |
Contact Form to Any API | contact-form-to-any-api |
Debug Log Manager | debug-log-manager |
Display Custom Post | display-custom-post |
Drop Shadow Boxes | drop-shadow-boxes |
Easy Social Feed – Social Photos Gallery – Post Feed – Like Box | easy-facebook-likebox |
Easy Social Icons | easy-social-icons |
EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management |
Events Manager | events-manager |
Export any WordPress data to XML/CSV | wp-all-export |
Fast Custom Social Share by CodeBard | fast-custom-social-share-by-codebard |
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager | file-manager |
Floating Action Button | floating-action-button |
Frontier Post | frontier-post |
Grab & Save | save-grab |
HUSKY – Products Filter for WooCommerce Professional | woocommerce-products-filter |
Hide login page, Hide wp admin – stop attack on login page | hide-login-page |
Import Spreadsheets from Microsoft Excel | import-spreadsheets-from-microsoft-excel |
Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages | page-builder-add |
League Table | league-table-lite |
License Manager for WooCommerce | license-manager-for-woocommerce |
Link Whisper Free | link-whisper |
Login Lockdown – Protect Login Form | login-lockdown |
Mail Bank – #1 Mail SMTP Plugin for WordPress | wp-mail-bank |
Maspik – Spam Blacklist | contact-forms-anti-spam |
MyBookTable Bookstore by Stormhill Media | mybooktable |
Parallax Image | parallax-image |
Parcel Pro | woo-parcel-pro |
PayTR Taksit Tablosu – WooCommerce | paytr-taksit-tablosu-woocommerce |
Perfmatters | perfmatters |
Porto Theme – Functionality | porto-functionality |
Post Meta Data Manager | post-meta-data-manager |
Preloader for Website | preloader-for-website |
Quttera Web Malware Scanner | quttera-web-malware-scanner |
Salon booking system | salon-booking-system |
Seraphinite Post .DOCX Source | seraphinite-post-docx-source |
Simple Testimonials Showcase | simple-testimonials-showcase |
Simply Exclude | simply-exclude |
SpiderVPlayer | player |
Super Progressive Web Apps | super-progressive-web-apps |
Tainacan | tainacan |
Taxonomy filter | taxonomy-filter |
Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More | gs-team-members |
TextMe SMS | textme-sms-integration |
The Events Calendar | the-events-calendar |
Theme Editor | theme-editor |
Theme My Login 2fa | tml-2fa |
TriPay Payment Gateway | tripay-payment-gateway |
UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping | wc-multishipping |
UserPro – Community and User Profile WordPress Plugin | userpro |
Video PopUp | video-popup |
WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors | wc-vendors |
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce | wc-multivendor-marketplace |
WP ALL Export Pro | wp-all-export-pro |
WP Child Theme Generator | wp-child-theme-generator |
WP Githuber MD – WordPress Markdown Editor | wp-githuber-md |
WP Mail Log | wp-mail-log |
WP Roadmap – Product Feedback Board | wp-roadmap |
Widgets for Google Reviews | wp-reviews-plugin-for-google |
WordPress Gallery Plugin – NextGEN Gallery | nextgen-gallery |
WordPress Job Board and Recruitment Plugin – JobWP | jobwp |
WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout | gs-pinterest-portfolio |
Yoast SEO | wordpress-seo |
eDoc Employee Job Application – Best WordPress Job Manager for Employees | edoc-employee-application |
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin | mycred |
salient-core | salient-core |
wpForo Forum | wpforo |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Enfold – Responsive Multi-Purpose Theme | enfold |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
UserPro <= 5.1.1 – Authentication Bypass to Administrator
CVE ID: CVE-2023-2437
CVSS Score: 9.8 (Critical)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3cf9f38-c20e-40dc-a7a1-65b0c6ba7925
UserPro <= 5.1.1 – Insecure Password Reset Mechanism
CVE ID: CVE-2023-2449
CVSS Score: 9.8 (Critical)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de9be7bc-4f8a-4393-8ebb-1b1f141b7585
Porto Theme – Functionality <= 2.11.1 – Unauthenticated SQL Injection
CVE ID: CVE-2023-48738
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fabc7ad3-1d20-493f-aacb-1832d33d8e14
WP Child Theme Generator <= 1.0.8 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2023-47873
CVSS Score: 9.1 (Critical)
Researcher/s: Dateoljo of BoB 12th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49fcd2cb-d880-4152-a736-33fd90f07083
UserPro <= 5.1.1 – Cross-Site Request Forgery to Privilege Escalation
CVE ID: CVE-2023-2440
CVSS Score: 8.8 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73600498-f55c-4b8e-a625-4f292e58e0ee
WP Githuber MD <= 1.16.2 – Authenticated (Author+) Arbitrary File Upload
CVE ID: CVE-2023-47846
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6fda35d-8b82-4a7a-8db6-21dc38a841f4
Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 – Cross-Site Request Forgery to Remote Code Execution
CVE ID: CVE-2023-5882
CVSS Score: 8.8 (High)
Researcher/s: Donato Di Pasquale, Francesco Marano
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b70e8bce-1793-40f0-bdb1-100cf5f431e9
Link Whisper Free <= 0.6.5 – Authenticated (Contributor+) SQL Injection
CVE ID: CVE-2023-47852
CVSS Score: 8.8 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5e26a56-bba0-4204-bcb7-c5ec123a9b2d
UserPro <= 5.1.4 – Authenticated (Subscriber+) Privilege Escalation
CVE ID: CVE-2023-6009
CVSS Score: 8.8 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8bed9c0-dae3-405e-a946-5f28a3c30851
UserPro <= 5.1.0 – Cross-Site Request Forgery to PHP Object Injection
CVE ID: CVE-2023-2497
CVSS Score: 8.8 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fbb601ce-a884-4894-af13-dab14885c7eb
Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 – Cross-Site Request Forgery to PHAR Deserialization
CVE ID: CVE-2023-5886
CVSS Score: 8.8 (High)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fdc18341-135b-4522-a9db-510e4c4d9704
BackWPup <= 4.0.1 – Authenticated (Administrator+) Directory Traversal
CVE ID: CVE-2023-5504
CVSS Score: 8.7 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e830fe1e-1171-46da-8ee7-0a6654153f18
WordPress Job Board and Recruitment Plugin – JobWP <= 2.1 – Sensitive Information Exposure
CVE ID: CVE-2023-48288
CVSS Score: 7.5 (High)
Researcher/s: Myungju Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c73dbc40-ba54-4836-9bb1-a35f95d5a077
UserPro <= 5.1.1 – Missing Authorization via multiple functions
CVE ID: CVE-2023-6007
CVSS Score: 7.3 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c4f8798-c0f9-4d05-808e-375864a0ad95
License Manager for WooCommerce <= 2.2.10 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-48742
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09597618-8695-4631-8c3b-4e7580d58c86
Login Lockdown <= 2.06 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09773141-883b-40e3-bd20-d3115c02e023
WP Mail Log <= 1.1.2 – Authenticated (Editor+) SQL Injection via id
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/099cc754-6a56-498f-848a-a242733e7fb0
Salon booking system < 8.7 – Authenticated (Editor+) Privilege Escalation
CVE ID: CVE-2023-48319
CVSS Score: 7.2 (High)
Researcher/s: lttn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cac7f96-eb64-427d-9a95-b8bf1c675af0
CataBlog <= 1.7.0 – Authenticated (Editor+) Arbitrary File Upload
CVE ID: CVE-2023-47842
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18d1ba80-ddf6-4076-bc78-78647b964bcf
WC Vendors Marketplace <= 2.4.7 – Authenticated (Shop manager+) SQL Injection via search dates
CVE ID: CVE-2023-48327
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64f879af-aa8f-4edf-8369-ca032603d529
Theme Editor <= 2.7.1 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2023-6091
CVSS Score: 7.2 (High)
Researcher/s: Dateoljo of BoB 12th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6ede290-a6c4-4c13-872b-60c9601d39db
ChatBot <= 4.7.8 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-48741
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db1bb11d-4752-42d0-b538-2d2a4c827226
Quttera Web Malware Scanner <= 3.4.1.48 – Authenticated (Administrator+) Directory Traversal via ShowFile
CVE ID: CVE-2023-6222
CVSS Score: 6.8 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9992d0d-7c6e-4184-8f48-1515d50cc028
Widgets for Google Reviews <= 11.0.2 – Authenticated (Editor+) Arbitrary File Upload
CVE ID: CVE-2023-48275
CVSS Score: 6.6 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/504c0132-530b-4184-b19a-97e68df79b48
UserPro <= 5.1.1 – Sensitive Information Disclosure via Shortcode
CVE ID: CVE-2023-2446
CVSS Score: 6.5 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4072ba5f-6385-4fa3-85b6-89dac7b60a92
UserPro <= 5.1.4 – Missing Authorization to Arbitrary Shortcode Execution via userpro_shortcode_template
CVE ID: CVE-2023-2448
CVSS Score: 6.5 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7cbe9175-4a6f-4eb6-8d31-9a9fda9b4f40
CataBlog <= 1.7.0 – Authenticated (Editor+) Arbitrary File Deletion
CVE ID: CVE-2023-47843
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8794854d-e931-4a85-b767-2ab81bfcb780
Contact Form to Any API <= 1.1.6 – Missing Authorization via delete_cf7_records()
CVE ID: CVE-2023-47871
CVSS Score: 6.5 (Medium)
Researcher/s: Arvandy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4a7c647-4c57-499a-8e46-ca273985bd6d
Display Custom Post <= 2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-48317
CVSS Score: 6.4 (Medium)
Researcher/s: Tien from VNPT-VCI
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18531eed-3150-424c-970c-5975afe7546a
Bootstrap Shortcodes Ultimate <= 4.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47851
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e93efec-371c-4050-b24b-e5e978059549
Salient Core <= 2.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-48749
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/316ffb37-47fe-47c4-8a81-5794fa12ce33
Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 – Authenticated (Admin+) Remote Code Execution
CVE ID: CVE-2023-4724
CVSS Score: 6.4 (Medium)
Researcher/s: Donato Di Pasquale, Francesco Marano
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43f976ee-cba7-4f5d-b9c6-a6f66c0011d2
EventPrime – Modern Events Calendar, Bookings and Tickets <= 3.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5124be64-6679-4dc5-8117-55c73ae91489
Parallax Image <= 1.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47854
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55cd02d1-7b06-427b-840b-3ced73ad4a74
wpForo Forum <= 2.2.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47872
CVSS Score: 6.4 (Medium)
Researcher/s: Jesse McNeil
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5607a60e-a04a-4d28-bb04-bdacf8e97c56
Video PopUp <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4962
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/670ea03e-2f76-48a4-9f40-bc4cfd987a89
Community by PeepSo <= 6.2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47850
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/826e7e0a-79b1-4828-8eeb-159ef3cc2c65
Easy Social Icons <= 3.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-48336
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab888ee1-bdc2-4b8b-9b16-a7d146f123df
Drop Shadow Boxes <= 1.7.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5469
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c0b3911c-a960-4f28-b289-389b26282741
GS Team Members <= 2.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c146f89c-5df3-4aaf-b880-0ce6016dfb6d
myCred <= 2.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47853
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4067e03-427c-4b03-a250-0354572ae361
Perfmatters < 2.2.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47877
CVSS Score: 6.4 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc4a7efd-f4f4-44a7-bd55-a6ae3a1d3521
Import Spreadsheets from Microsoft Excel <= 10.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-48289
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d337e39c-3a3d-4465-bc40-77f0b27aeab2
WCFM Marketplace <= 3.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4960
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f99e9f01-cc98-4af5-bb95-f56f6a550e96
UserPro <= 5.1.1 – Cross-Site Request Forgery via multiple functions
CVE ID: CVE-2023-6008
CVSS Score: 6.3 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed6e2b9e-3d70-4c07-a779-45164816b89c
UserPro <= 5.1.1 – Cross-Site Request Forgery to Sensitive Information Exposure
CVE ID: CVE-2023-2447
CVSS Score: 6.1 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0372efe4-b5be-4601-be43-5c12332ea1a5
Enfold <= 5.6.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-38400
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/100b700f-8812-48be-8a04-28f60a57b35f
Grab & Save <= 1.0.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47844
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2baab094-5ece-41a2-821a-b594a2c2327e
Simply Exclude <= 2.0.6.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-48743
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f9a3883-9755-4de8-9d60-113238b3c0ac
Perfmatters <= 2.1.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47876
CVSS Score: 6.1 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/612fb73f-e488-453f-a2a4-32969f91122b
UserPro <= 5.1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting via userpro_save_userdata
CVE ID: CVE-2023-2438
CVSS Score: 6.1 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d30adc5-27a5-4549-84fc-b930f27f03e5
Tainacan <= 0.20.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47848
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f192811-378b-422d-8086-9a957b464bb7
Events Manager <= 6.4.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-48326
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9053cf91-0af1-44f8-9fdf-7ecbd457545b
Salient Core <= 2.0.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-48748
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1ae1b28-ea9e-4446-8b03-b5a8eaac1042
eDoc Employee Job Application <= 1.13 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-48322
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbfbd7c2-7a46-4292-9173-f90298a7fcc4
Maspik – Spam blacklist <= 0.9.2 – Unauthenticated Stored Cross-Site Scripting via efas_add_to_log
CVE ID: CVE-2023-48272
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8db52ce-fbc3-4fe1-b9b4-cb2ce7d88a67
Community by PeepSo <= 6.2.6.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-48746
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fda1be79-ba45-4e8f-bfc3-355f9cdbad82
Yoast SEO <= 21.0 – Authenticated (SEO Manager+) Stored Cross-Site Scripting
CVE ID: CVE-2023-40680
CVSS Score: 5.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/385a82ff-50ad-4787-845b-fb5f639f6466
Theme My Login 2FA < 1.2 – 2FA Bypass via Brute Force
CVE ID: CVE-2023-6272
CVSS Score: 5.4 (Medium)
Researcher/s: Joost Grunwald
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1398e296-9b20-4f8e-85f2-896888abc67e
Porto Theme – Functionality <= 2.11.1 – Missing Authorization
CVE ID: CVE-2023-48739
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e1300be-07e3-44b6-9ced-a16825274d22
BlossomThemes Email Newsletter <= 2.2.4 – Missing Authorization
CVE ID: CVE-2023-47849
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e98b763-29b9-435d-a436-d4df64234b4d
Quttera Web Malware Scanner <= 3.4.1.48 – Sensitive Data Exposure
CVE ID: CVE-2023-6065
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2163af55-1ea4-4c60-b9f0-baf99297c6bc
Accept Stripe Payments <= 2.0.79 – Unauthenticated Content Injection
CVE ID: CVE-2023-48285
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f499d5e-eb27-4611-af27-ac9fd6a9f044
Accept Stripe Payments <= 2.0.79 – Insecure Direct Object Reference
CVE ID: CVE-2023-48286
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44d14692-d90a-45f9-afb4-0666ce4b3397
Preloader for Website <= 1.2.2 – Missing Authorization via plwao_register_settings()
CVE ID: CVE-2023-48273
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5cfc38c0-f940-4c4d-ba7b-0d772146ea2d
Hide login page <= 1.1.7 – Login Page Disclosure
CVE ID: CVE-2023-48335
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6d3cff57-ea8a-4082-bc05-d62b9d92f0e6
The Events Calendar <= 6.2.8 – Information Disclosure
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8291fd89-aea1-4f7b-abd8-dee8438c3ed5
PayTR Taksit Tablosu <= 1.3.1 – Missing Authorization
CVE ID: CVE-2023-47847
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bfefe86-b25e-4ffe-9beb-28dc22a99d62
Perfmatters <= 2.1.6 – Missing Authorization
CVE ID: CVE-2023-47874
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b078e446-61e7-4ce1-b9a9-480ccc388c72
Captcha Code <= 2.8 – Captcha Bypass
CVE ID: CVE-2023-48745
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1dd3845-a88d-41aa-acf4-66fd1a6819ff
Contact Form Email <= 1.3.41 – Captcha Bypass
CVE ID: CVE-2023-48318
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b637ebfd-c273-428b-985c-6f5b6a03f263
Super Progressive Web Apps <= 2.2.21 – Missing Authorization
CVE ID: CVE-2023-48277
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d36e869a-5bd4-4f59-8e28-01fa586024c5
Maspik – Spam blacklist <= 0.10.1 – Bypass
CVE ID: CVE-2023-48271
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3a8273e-2439-4138-941e-379d130e0c74
Consensu.io <= 1.0.2 – Missing Authorization via update_config_db()
CVE ID: CVE-2023-48280
CVSS Score: 5.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc1963cc-7e9e-4998-8338-c3e83b70d441
Autocomplete Location field Contact Form 7 <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-5005
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13fd7509-6d61-4eb0-9f85-cc40e074b819
Video Player <= 1.5.22 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-48320
CVSS Score: 4.4 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1627ec2a-f91d-4ed7-acb8-a3fb63b45731
WP Roadmap <= 1.0.8 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-41128
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24fc2554-375a-4216-91bf-41921cc4b436
Fast Custom Social Share by CodeBard <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-48329
CVSS Score: 4.4 (Medium)
Researcher/s: Song Hyun Bae
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3eece451-65a3-4c9d-a8eb-05f6f3e2d1d5
TriPay Payment Gateway <= 3.2.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-48737
CVSS Score: 4.4 (Medium)
Researcher/s: Luqman Hakim Y
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/946add6f-4cd5-4c55-9399-a782140f217c
Chatbot for WordPress <= 2.3.9 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-5691
CVSS Score: 4.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dfd67329-11b1-4f00-a422-bb4833a3181d
Booster for WooCommerce <= 7.1.2 – Missing Authorization to Product Creation/Modification
CVE ID: CVE-2023-48747
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/00ec2f57-48ee-49ea-ae8f-e7b24bf4535c
MyBookTable Bookstore <= 3.3.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-48331
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02b336ce-be41-4343-9817-0437bd2685c2
Auto Affiliate Links <= 6.4.2.5 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17453fa5-af14-477b-9b3d-b245511ad8ce
Frontier Post <= 6.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-6137
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24ef5844-93d6-4ba3-bd0a-b8837bbd7baf
Mail Bank – #1 Mail SMTP Plugin for WordPress <= 4.0.14 – Missing Authorization
CVE ID: CVE-2023-48332
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31a3a3c1-be0e-46d5-9fa3-563febc5569b
NextGEN Gallery <= 3.37 – Cross-Site Request Forgery
CVE ID: CVE-2023-48328
CVSS Score: 4.3 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3354b925-2e4a-4ee5-b436-2c1a502b1725
Debug Log Manager <= 2.2.1 – Missing Authorization
CVE ID: CVE-2023-6136
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev, Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33a54cae-0fa3-4c25-bf81-8423f5e01e84
wpForo Forum <= 2.2.5 – Cross-Site Request Forgery via logout()
CVE ID: CVE-2023-47870
CVSS Score: 4.3 (Medium)
Researcher/s: Jesse McNeil
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bce40ee-c378-4a44-9c5d-d83151975309
GS Pins for Pinterest Lite <= 1.8.0 – Missing Authorization via _update_shortcode
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f81003b-8214-4fa3-960f-81b166623de9
Bulk Comment Remove <= 2 – Cross-Site Request Forgery via brc_admin()
CVE ID: CVE-2023-48330
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/42303b60-cbb5-4176-94f9-b2ed29f59cc8
Floating Action Button <= 1.2.1 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/42b2d840-4e8b-4027-ab3b-78b17c9ed9aa
Availability Calendar <= 1.2.6 – Cross-Site Request Forgery via add_availability_calendar_create_admin_page()
CVE ID: CVE-2023-48744
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b13388b-19f9-4f5c-9599-efd6ccf978c8
WCMultiShipping <= 2.3.5 – Missing Authorization to Log Export
CVE ID: CVE-2023-48274
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b19657c-3e95-42cf-8d1a-64fa50b3b82b
Awesome Support <= 6.1.4 – Missing Authorization via wpas_edit_reply_ajax()
CVE ID: CVE-2023-48324
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dec91d7-19cf-480d-871c-427cd1e691a6
Awesome Support <= 6.1.4 – Cross-Site Request Forgery via wpas_edit_reply_ajax()
CVE ID: CVE-2023-48323
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/579b887a-4140-4e12-9a9a-ba52d212b8a2
wpForo Forum <= 2.2.5 – Missing Authorization
CVE ID: CVE-2023-47869
CVSS Score: 4.3 (Medium)
Researcher/s: Jesse McNeil
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71078aaf-9803-4b46-bc94-dbcb43745629
Grab & Save <= 1.0.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-47845
CVSS Score: 4.3 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7cd4b1da-faee-4c4e-b323-e77c4c033149
Perfmatters <= 2.1.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-47875
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95f5b4df-5214-4f36-8dd5-a1a816fbc3db
Broken Link Checker for YouTube <= 1.3 – Cross-Site Request Forgery via plugin_settings_page()
CVE ID: CVE-2023-48281
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9993d84e-7337-4eda-af3c-039b6d8c8fe6
TextMe SMS <= 1.15.20 – Missing Authorization via tetxme_update_option_page()
CVE ID: CVE-2023-48287
CVSS Score: 4.3 (Medium)
Researcher/s: Arvandy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fb4ad52-a0b2-4645-bf0d-132b4ce8a0a1
Easy Social Feed <= 6.5.1 – Missing Authorization via hide_free_sidebar()
CVE ID: CVE-2023-48740
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4ffb3ef-9d77-463f-92c4-4bc799ac16aa
Simple Testimonials Showcase <= 1.1.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-48283
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6008237-e4a8-4757-ae14-ac20c6f1b0af
ARI Stream Quiz <= 1.2.32 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b758c8a7-6220-4b54-af88-7933a530b5ba
Landing Page Builder <= 1.5.1.5 – Open Redirect
CVE ID: CVE-2023-48325
CVSS Score: 4.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1a4d8a3-5553-4b1c-b0f8-d6a372de3692
HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 – Missing Authorization via woof_meta_get_keys()
CVE ID: CVE-2023-40334
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d00edaf1-2a97-4000-afd9-432ca8fa3df4
Post Meta Data Manager <= 1.2.1 – Cross-Site Request Forgery to Post, Term, and User Meta Deletion
CVE ID: CVE-2023-5776
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d49b8c44-4dad-4990-a8a8-116b424a7dfa
Analytify Dashboard <= 5.1.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-47841
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7362f3f-c5d9-4ba0-b9c3-282c58861e2f
Booster for WooCommerce <= 7.1.1 – Missing Authorization to Authenticated (Subscriber+) Order Information Disclosure
CVE ID: CVE-2023-48333
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d94661c1-2d70-4943-9452-b51a76116ebb
WooCommerce Parcel Pro <= 1.6.11 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbf54852-f3fe-4c9e-9348-44a73f9a8131
Seraphinite Post .DOCX Source <= 2.16.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-48279
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dfcc2ab2-504d-4151-9435-618e317ce95c
Taxonomy filter <= 2.2.9 – Cross-Site Request Forgery via taxonomy_filter_save_main_settings()
CVE ID: CVE-2023-48282
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e74ff260-48af-4fc2-80d8-1ff2403f8f33
League Table <= 1.13 – Cross-Site Request Forgery
CVE ID: CVE-2023-48334
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef7ec175-cee5-4559-909d-ee689158d67c
Abandoned Cart Lite for WooCommerce <= 5.16.0 – Improper Authorization via wcal_preview_emails
CVE ID: CVE Unknown
CVSS Score: 3.7 (Low)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4edbfeee-b668-4a85-a030-c15d6583dc82
Abandoned Cart Lite for WooCommerce <= 5.16.0 – Improper Authorization via wcal_delete_expired_used_coupon_code
CVE ID: CVE Unknown
CVSS Score: 3.1 (Low)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52d1f9a3-243e-4e2c-a752-f40b6d275121
File Manager <= 6.3 – Authenticated (Admin+) Arbitrary OS File Access via Path Traversal
CVE ID: CVE-2023-5907
CVSS Score: 2.2 (Low)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/640b1800-3b59-4b06-a803-08cb76d62d99
As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers. It draws on in-house vulnerability research, on vulnerability researchers who submit directly to us through our CVE Request form, and on monitoring of varying sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.