Wordfence Intelligence Weekly WordPress Vulnerability Report (January 8, 2024 to January 14, 2024)
🎉Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!
Last week, there were 67 vulnerabilities disclosed in 60 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Stored Cross-Site Scripting via Block
- WAF-RULE-666 – This is for an undisclosed vulnerability that we are working with the vendor on getting patched.
- WAF-RULE-665 – This is for an undisclosed vulnerability that we are working with the vendor on getting patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 12 |
Patched | 55 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 1 |
Medium Severity | 54 |
High Severity | 7 |
Critical Severity | 5 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Cross-Site Request Forgery (CSRF) | 20 |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 19 |
Missing Authorization | 8 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
Unrestricted Upload of File with Dangerous Type | 4 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 |
Information Exposure | 2 |
Information Exposure Through Debug Information | 1 |
Exposure of Private Information (‘Privacy Violation’) | 1 |
Use of Less Trusted Source | 1 |
Protection Mechanism Failure | 1 |
Server-Side Request Forgery (SSRF) | 1 |
Authorization Bypass Through User-Controlled Key | 1 |
Improper Access Control | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Francesco Carlucci | 5 |
Rafie Muhammad | 4 |
Dave Jong | 3 |
Daniel Ruf | 2 |
Nex Team | 2 |
drop | 2 |
Artem Guzhva (hexcat) | 2 |
Ngô Thiên An (ancorn_) | 2 |
Abdi Pranata | 2 |
Brandon James Roldan (tomorrowisnew) | 2 |
Webbernaut | 2 |
Dateoljo of BoB 12th | 1 |
Lucio Sá | 1 |
LVT-tholv2k | 1 |
Le Ngoc Anh | 1 |
Huynh Tien Si | 1 |
Mika | 1 |
Joshua Chan | 1 |
Abu Hurayra (HurayraIIT) | 1 |
Akbar Kustirama | 1 |
Yudistira Arya | 1 |
Naveen Muthusamy | 1 |
thiennv | 1 |
Yuchen Ji | 1 |
Dmitrii Ignatyev | 1 |
Rafshanzani Suhada | 1 |
Ulyses Saicha | 1 |
Elliot | 1 |
Nicolas Decayeux | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! | ai-engine |
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
Advanced Flamingo | advanced-flamingo |
Advanced Woo Search | advanced-woo-search |
Auto Affiliate Links | wp-auto-affiliate-links |
Beds24 Online Booking | beds24-online-booking |
Constant Contact Forms by MailMunch | constant-contact-forms-by-mailmunch |
Contact Form 7 Connector | ari-cf7-connector |
Contact Form 7 Extension For Mailchimp | contact-form-7-mailchimp-extension |
Contact Form 7 – Dynamic Text Extension | contact-form-7-dynamic-text-extension |
Customer Reviews for WooCommerce | customer-reviews-woocommerce |
Download Monitor | download-monitor |
Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder | droit-elementor-addons |
ElementsKit Elementor addons | elementskit-lite |
Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle |
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks |
EventON | eventon-lite |
EventON Pro | eventon |
Football Pool | football-pool |
Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | formidable |
GD Rating System | gd-rating-system |
Gallery Plugin for WordPress – Envira Photo Gallery | envira-gallery-lite |
Happy Addons for Elementor | happy-elementor-addons |
Index Now | mihdan-index-now |
InstaWP Connect – 1-click WP Staging & Migration | instawp-connect |
List category posts | list-category-posts |
MailerLite – WooCommerce integration | woo-mailerlite |
Metform Elementor Contact Form Builder | metform |
Newsletter – Send awesome emails from WordPress | newsletter |
OneClick Chat to Order | oneclick-whatsapp-order |
Order Export & Order Import for WooCommerce | order-import-export-for-woocommerce |
PDF Invoices & Packing Slips for WooCommerce | woocommerce-pdf-invoices-packing-slips |
POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications | post-smtp |
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress | contest-gallery |
Plugin for Google Reviews | widget-google-reviews |
Products, Order & Customers Export for WooCommerce | export-woocommerce |
Profile Builder Pro | profile-builder-pro |
RabbitLoader | rabbit-loader |
Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
Seraphinite Accelerator | seraphinite-accelerator |
Seraphinite Alternative Slugs Manager | seraphinite-old-slugs-mgr |
Shortcodes Finder | shortcodes-finder |
Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders |
Swift SMTP (formerly Welcome Email Editor) | welcome-email-editor |
TNC PDF viewer | pdf-viewer-by-themencode |
The Events Calendar | the-events-calendar |
Voting Record | voting-record |
WP Register Profile With Shortcode | wp-register-profile-with-shortcode |
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
WP Spell Check | wp-spell-check |
WP Testimonials | testimonial-widgets |
WPS Hide Login | wps-hide-login |
WooCommerce | woocommerce |
Woocommerce Vietnam Checkout | woo-vietnam-checkout |
Word Replacer Pro | word-replacer-ultra |
WordPress Button Plugin MaxButtons | maxbuttons |
WordPress Live Chat Plugin for Elementor – LiveChat | livechat-elementor |
WordPress Live Chat Plugin for WooCommerce – LiveChat | livechat-woocommerce |
WordPress Manutenção | wp-manutencao |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Barcode Scanner with Inventory & Order Manager <= 1.5.1 – Unauthenticated Arbitrary File Upload via uploadFile
CVE ID: CVE-2023-52221
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34439db4-1b66-4ccb-bf84-fddef6bc1f88
Customer Reviews for WooCommerce <= 5.38.9 – Authenticated (Author+) Arbitrary File Upload
CVE ID: CVE-2023-6979
CVSS Score: 9.8 (Critical)
Researcher/s: Artem Guzhva (hexcat)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4af801db-44a6-4cd3-bd1a-3125490c8c48
AI Engine: ChatGPT Chatbot <= 1.9.98 – Unauthenticated Arbitrary File Upload via rest_upload
CVE ID: CVE-2023-51409
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3fc4bac-9be0-4a1c-b4bb-4384d80e22f7
Barcode Scanner with Inventory & Order Manager <= 1.5.1 – Unauthenticated SQL Injection via userToken
CVE ID: CVE-2023-52215
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba18bd0c-ba6c-4f98-ac29-660a79affa6c
POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API
CVE ID: CVE-2023-6875
CVSS Score: 9.8 (Critical)
Researcher/s: Ulyses Saicha
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e675d64c-cbb8-4f24-9b6f-2597a97b49af
WP Testimonials <= 1.4.4 – Authenticated (Contributor+) SQL Injection
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4da18aad-3c82-4bc6-8dad-523643c12d5b
WP Register Profile With Shortcode <= 3.5.9 – Cross-Site Request Forgery to User Password Reset
CVE ID: CVE-2023-5448
CVSS Score: 8.8 (High)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca564941-4780-4da2-b937-c9bd45966d81
Profile Builder Pro <= 3.10.0 – Cross-Site Request Forgery
CVE ID: CVE-2024-22140
CVSS Score: 8.8 (High)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4c8932b-ede8-4f17-9612-5493c1130170
Download Monitor <= 4.9.4 – Authenticated (Admin+) SQL Injection
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/105ae6be-2cb7-4ab2-8e4c-5d3ff84c5b9f
Order Export & Order Import for WooCommerce <= 2.4.3 – Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file
CVE ID: CVE-2024-22135
CVSS Score: 7.2 (High)
Researcher/s: Dateoljo of BoB 12th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15ce2e54-ca5a-4dbc-9795-6e989e85b330
PDF Invoices & Packing Slips for WooCommerce <= 3.7.5 – Authenticated (Shop Manager+) SQL Injection
CVE ID: CVE-2024-22147
CVSS Score: 7.2 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a92e307d-b3c0-441a-abac-580a60dd44cf
Index Now <= 2.6.3 – Cross-Site Request Forgery via reset_form
CVE ID: CVE-2024-0428
CVSS Score: 7.1 (High)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7641d52-e930-4143-9180-2903d018da91
EventON – WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 – Missing Authorization to Arbitrary Post Meta Update via evo_eventpost_update_meta
CVE ID: CVE-2023-6158
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea
List category posts <= 0.89.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-6994
CVSS Score: 6.5 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/611871cc-737f-44e3-baf5-dbaa8bd8eb81
EventON – WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) – Cross-Site Request Forgery via save_virtual_event_settings
CVE ID: CVE-2023-6244
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fcc3a82-f116-446e-9e5f-4f074e20403b
Profile Builder Pro <= 3.10.0 – Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure
CVE ID: CVE-2024-22141
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a388b406-1640-443d-9656-6a87588ce201
Word Replacer Pro <= 1.0 – Missing Authorization
CVE ID: CVE-2023-52229
CVSS Score: 6.5 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd31e8b0-6089-4521-a80f-e65e61ad062f
GD Rating System <= 3.5.0 – Unauthenticated Stored Cross-Site Scripting via IP
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c0b3662d-e369-4978-aa7a-debbb3ee37e4
EventON – WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 – Cross-Site Request Forgery via evo_eventpost_update_meta
CVE ID: CVE-2023-6242
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8e9a333-a6b7-4b5e-93c1-b95566e5d6fb
Formidable Forms <= 6.7 – HTML Injection
CVE ID: CVE-2023-6830
CVSS Score: 6.5 (Medium)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff294b0f-97fe-4d27-bf93-f5bbb57ac1f6
Happy Elementor Addons <= 3.10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1453815d-4e28-41ec-9aa4-4fd2899c619a
Voting Record <= 2.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-7084
CVSS Score: 6.4 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/286c3e26-07a8-4fca-9fdc-98e62ae88b67
OneClick Chat to Order <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e4aaf2e-a0c6-47d2-9eb8-d65952a74424
Beds24 Online Booking <= 2.0.23 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-52228
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fc2b2a5-00b0-424e-8678-c6b5cd76baec
TNC PDF viewer <= 2.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a5f29ce-e266-4f52-af63-159253e7987c
Constant Contact Forms by MailMunch <= 2.0.11 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-22137
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a84bd9c8-97bd-4572-8bfa-5191d98c9523
Plugin for Google Reviews <= 3.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-6884
CVSS Score: 6.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8971d54-b54e-4e62-9db2-fa87d2564599
WP SMS <= 6.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9141ad3-86cf-47ae-be99-d78f0337f2ca
Email Encoder – Protect Email Addresses and Phone Numbers <= 2.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-7070
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5afe6ea-93b8-4782-8593-76468e370a45
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-7071
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f969cb24-734f-46e5-a74d-fddf8e61e096
Football pool <= 2.11.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff150706-5fbf-4881-976b-89fdaf637fb1
ARMember <= 4.0.22 – Cross-Site Request Forgery
CVE ID: CVE-2023-52200
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88907f28-7b1d-4a5a-b846-67dfd21d6488
WooCommerce < 8.4.0 – Reflected Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43810a17-89b4-44f5-887e-1ad0989ea5b4
Profile Builder Pro <= 3.10.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-22142
CVSS Score: 6.1 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/578d8ca7-7042-493d-92b4-63241b4bdfca
Shortcodes Finder <= 1.5.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-21750
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8eb77a53-4aea-46c3-8eea-a16f728dfa23
Advanced Woo Search <= 2.96 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-0251
CVSS Score: 6.1 (Medium)
Researcher/s: Artem Guzhva (hexcat)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91358e40-e64f-4e8e-b5a3-7d2133db5fe9
Voting Record <= 2.0 – Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
CVE ID: CVE-2023-7083
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f93aa003-5b8b-4836-af65-80df2f9fbdb6
Auto Affiliate Links <= 6.4.2.7 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 5.8 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d89918e1-b525-4d32-9b11-5e014eb02c16
Metform Elementor Contact Form Builder <= 3.8.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-6788
CVSS Score: 5.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30fd2425-ee48-4777-91c1-03906d63793a
Schema & Structured Data for WP & AMP <= 1.25 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-22146
CVSS Score: 5.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ca21247-c443-4808-8397-790669453bfc
RabbitLoader <= 2.19.13 – Missing Authorization via multiple AJAX actions
CVE ID: CVE-2024-21751
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/958118ec-437e-45c8-a0f0-6aaf54e60d04
MailerLite – WooCommerce integration <= 2.0.8 – Cross-Site Request Forgery via Multiple AJAX Functions
CVE ID: CVE-2023-52223
CVSS Score: 5.4 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ea7ccb0-c0fb-4ef3-8041-9bf5abe36e3f
Contact Form 7 Extension For Mailchimp <= 0.5.70 – Authenticated (Subscriber+) Server-Side Request Forgery
CVE ID: CVE-2024-22134
CVSS Score: 5.4 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bed25977-040e-4427-b1e3-e9be9733b31f
Paid Memberships Pro <= 2.12.6 – Information Exposure in Debug Logs
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/852b1895-3bed-4c2f-912c-c136b38a09bb
Seraphinite Accelerator <= 2.20.45 – Unauthenticated Sensitive Information Exposure via Log File
CVE ID: CVE-2024-22138
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5991df2-1aab-4d07-9e30-1257aa9ec884
WordPress Manutenção <= 1.0.6 – IP Spoofing to Maintenance Mode Bypass
CVE ID: CVE-2024-22139
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6664039-554b-43bf-8925-00c1e62e28f5
The Events Calendar <= 6.2.8.2 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-6557
CVSS Score: 5.3 (Medium)
Researcher/s: Nicolas Decayeux
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc40196e-c0f3-4bc6-ac4b-b866902def61
ElementsKit Lite <= 3.0.3 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-6582
CVSS Score: 5.3 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff4ae5c8-d164-4c2f-9bf3-83934c22cf4c
Newsletter <= 8.0.6 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c24ee66-7b57-4e4c-bbb5-0451fc24ce4b
Contest Gallery <= 21.2.8.4 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2b5213d-fdc5-4c98-9a05-15d83bd7308f
Formidable Forms <= 6.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6842
CVSS Score: 4.4 (Medium)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47e402c3-e06c-4ac9-8c60-5666cb1101ce
Woocommerce Vietnam Checkout <= 2.0.8 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5344499d-c183-4164-a52c-0dca7873f63d
WordPress Button Plugin MaxButtons <= 9.7.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6594
CVSS Score: 4.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfe2cabd-98f6-4ebc-8a02-e6951202aa88
Swift SMTP <= 5.0.6 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b9ed184-814d-46cb-979c-908bc9359fae
LiveChat Elementor <= 1.0.13 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32c2a25d-e660-4700-8df3-b043cf6aa78a
Envira Gallery Lite <= 1.8.7.2 – Missing Authorization to Gallery Modification via envira_gallery_insert_images
CVE ID: CVE-2023-6742
CVSS Score: 4.3 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/40655278-6915-4a76-ac2d-bb161d3cee92
InstaWP Connect <= 0.1.0.8 – Cross-Site Request Forgery via create_file_db_manager
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5954c35a-7d0a-4bc5-9cad-3223e7be56eb
Seraphinite Alternative Slugs Manager <= 1.3 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66377ee2-cc87-4cfe-a4e4-cef4459bf2ec
MailerLite – WooCommerce integration <= 2.0.8 – Missing Authorization via Multiple Functions
CVE ID: CVE-2023-52227
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/757690b0-6c59-4e74-aad2-f5fde9f7a2fb
LiveChat WooCommerce <= 2.2.16 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/872f13bc-e6d0-4307-b2c9-b55a44df1016
Advanced Flamingo <= 1.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-52226
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ce8ad5f-05e8-4279-915a-1c94559d4e56
WP Spell Check <= 9.17 – Cross-Site Request Forgery
CVE ID: CVE-2024-22143
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9eef053c-16a1-4624-8393-08e78b221d4f
Contact Form 7 – Dynamic Text Extension <= 4.1.0 – Insecure Direct Object Reference
CVE ID: CVE-2023-6630
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3f1d836-da32-414f-9f2b-d485c44b2486
Contact Form 7 Connector <= 1.2.2 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b437020c-31a3-413e-a1da-b4781da34f10
Products & Order Export for WooCommerce <= 2.0.7 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da1f68a5-8ca7-4744-9b73-09e767072885
Droit Elementor Addons <= 3.1.5 – Cross-Site Request Forgery
CVE ID: CVE-2024-22136
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7b49fd1-2d1e-4083-bc1d-010a9c8f4c2f
WPS Hide Login <= 1.9.11 – Hidden Login Page Location Disclosure
CVE ID: CVE-2023-49748
CVSS Score: 3.7 (Low)
Researcher/s: Naveen Muthusamy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb81e90f-8da4-483c-9bc1-18b6c016df5e
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments