Wordfence Intelligence CE Weekly Vulnerability Report (Feb 13, 2023 to Feb 19, 2023)

Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence Community Edition.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Our mission with Wordfence Intelligence Community Edition is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence Community Edition user interface and vulnerability API are completely free to access and utilize both personally and commercially.

Last week, there were 104 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below.


GamiPress <= 2.5.7 – Unauthenticated SQL Injection

CVE ID: CVE-2023-24000
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b097ab2-7675-4409-b22a-ad70cee35ab1

WatchTowerHQ <= 3.6.16 – Type Juggling to Authentication Bypass in check_ota

CVE ID: CVE-2023-25701
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/481c738e-d544-4587-8632-e85a7ddd8b14

WooCommerce Checkout Field Manager <= 17.3 – Unauthenticated Arbitrary File Upload

CVE ID: CVE-2022-4328
CVSS Score: 9.8 (Critical)
Researcher/s: cydave
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9be94d63-f027-4988-ab41-673658c1fa5f

WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.5.14 – Cross-Site Request Forgery

CVE ID: CVE-2023-23706
CVSS Score: 8.8 (High)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/faac24e5-94f2-40e5-932e-93ddc2c8af7c

Get URL Cron <= 1.4.7 – Missing Authorization via geturlcron_action_handle

CVE ID: CVE Unknown
CVSS Score: 7.5 (High)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/766003e7-712e-481b-b09d-91d62a325718

Quick Paypal Payments <= 5.7.25 – Missing Authorization

CVE ID: CVE-2023-25714
CVSS Score: 7.3 (High)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8133d84-e28c-4132-9eb5-941800320f84

RSVPMaker <= 9.9.3 – Authenticated (Admin+) SQL Injection via 'delete' parameter

CVE ID: CVE-2023-25047
CVSS Score: 7.2 (High)
Researcher/s: Muhammad Arsalan Diponegoro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13101551-d62e-4b27-9156-5b3d022f0e55

RSVPMaker <= 9.9.3 – Authenticated (Admin+) SQL Injection via $email value

CVE ID: CVE-2023-25045
CVSS Score: 7.2 (High)
Researcher/s: Aldo Dimas Anugrah K
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44373541-adc5-4aa0-abde-0693f2760afb

Quiz And Survey Master <= 8.0.8 – Unauthenticated Arbitrary Media Deletion

CVE ID: CVE-2023-0291
CVSS Score: 7.2 (High)
Researcher/s: Julien Ahrens
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68110321-db1a-4634-98cd-0afd3ec933b8

Multi Rating <= 5.0.5 – Unauthenticated Stored Cross-Site Scripting

CVE ID: CVE-2022-47433
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/979699fd-ff31-4cba-bbf2-03fa51554031

WP Coder – add custom html, css and js code <= 2.5.3 – Authenticated (Admin+) SQL Injection

CVE ID: CVE-2023-0895
CVSS Score: 7.2 (High)
Researcher/s: Etan Imanol Castro Aldrete
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4b6a9cd-4d29-4bd8-afa3-b5d455ad8340

Media Library Assistant <= 3.05 – Authenticated (Administrator+) SQL Injection

CVE ID: CVE-2023-0279
CVSS Score: 7.2 (High)
Researcher/s: Daniel Krohmer, Kunal Sharma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ecc59a6f-5e4a-44b4-932d-ed990ebb075a

Archivist – Custom Archive Templates <= 1.7.4 – Cross-Site Request Forgery

CVE ID: CVE-2023-25448
CVSS Score: 7.1 (High)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e381ad7-efe6-48c4-af3a-22d01d73a065

Ocean Extra <= 2.1.2 – Authenticated (Subscriber+) Arbitrary Post Access

CVE ID: CVE-2023-0749
CVSS Score: 6.5 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32192878-930a-4947-a38f-ec395c17e515

Protected Posts Logout Button <= 1.4.5 – Missing Authorization on pplb_options_save

CVE ID: CVE-2023-25454
CVSS Score: 6.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b87f8bd6-d00d-4062-bf27-b698a1d7e757

Profile Builder – User Profile & User Registration Forms <= 3.9.0 – Sensitive Information Disclosure via Shortcode

CVE ID: CVE-2023-0814
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bbedad66-a5a6-4fb5-b03e-0ecf9fbef19a

Google Maps v3 Shortcode <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE ID: CVE-2023-23827
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15123d5f-eb24-46e3-81ec-7dd4f108a42d

WordPress Fancy Comments <= 1.2.10 – Authenticated (Contributor+) Stored Cross Site Scripting via Shortcode

CVE ID: CVE-2023-23670
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2508adc4-2a2f-4b6c-9b5a-da85d94226a0

Portfolio Slideshow <= 1.13.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE ID: CVE-2023-23717
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26b5c665-b7f6-4481-b9e9-010f9e451d9b

Resume Builder <= 3.1.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting

CVE ID: CVE-2023-0078
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3005c53e-eb09-479f-a4e4-b8d40583d80d

Ocean Extra <= 2.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVE ID: CVE-2023-24399
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/596e970b-5a40-46cd-aa32-ac6ace39c21b

Olevmedia Shortcodes <= 1.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25798
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66607be6-cca1-4cbb-b1c0-708d640b1151

vSlider Multi Image Slider <= 4.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE ID: CVE-2023-25797
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72a2449c-4292-45e6-bfe8-106f8043fcad

Portfolio – WordPress Portfolio Plugin <= 2.8.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE ID: CVE-2023-23685
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c95bbba-6459-420f-a072-3b02c7d58ea0

Campaign URL Builder <= 1.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE ID: CVE-2023-0538
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2839fdc-5904-4c3b-894f-7bf7e8b2986a

Quick Paypal Payments <= 5.7.25 – Authenticated (Contributor+) Cross Site Scripting

CVE ID: CVE-2023-23889
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b36303d6-ad28-4354-9f60-acc7df15f468

Ultimate WP Query Search Filter <= 1.0.10 – Authenticated (Contributor+) Stored Cross Site Scripting

CVE ID: CVE-2023-23832
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3ef0c46-5765-458e-80c0-ecfc6ead6df6

vSlider Multi Image Slider <= 4.1.2 – Cross-Site Request Forgery

CVE ID: CVE Unknown
CVSS Score: 6.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14376064-13c4-4874-afea-395af2a1933d

Shoppable Images Lite <= 1.2.3 – Missing Authorization

CVE ID: CVE Unknown
CVSS Score: 6.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/413b2b38-44f2-4756-b66d-b6544c7ecaa2

ALD Dropping and Fulfillment for AliExpress and WooCommerce <= 1.0.21 – Missing Authorization to Order Information Disclosure

CVE ID: CVE Unknown
CVSS Score: 6.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75f0bc5a-f588-4aeb-9e55-72e180d39ddf

vSlider Multi Image Slider <= 4.1.2 – Missing Authorization

CVE ID: CVE Unknown
CVSS Score: 6.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0c7324f-4c22-44e0-8d2a-9b95fd89467d

Twitch Player <= 2.1.0 – Authenticated (Admin+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25464
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03c8ec0a-f75f-450f-86e7-a18dfbae9461

WPGlobus Translate Options <= 2.1.0 – Reflected Cross-Site Scripting via page

CVE ID: CVE-2023-25711
CVSS Score: 6.1 (Medium)
Researcher/s: Ngo Van Thien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf0a1568-e97c-41ea-b2c3-ba335f0b4360

Interactive SVG Image Map Builder <= 1.0 – Authenticated(Admin+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25704
CVSS Score: 5.5 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12d84de4-d97e-40cc-9805-fc9b7de8fa21

Zeno Font Resizer <= 1.7.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25442
CVSS Score: 5.5 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dbba653-e23e-43e6-9dc5-83a6c99f8dc6

Quick Event Manager <= 9.6.4 – Authenticated(Admin+) Stored Cross-Site Scripting

CVE ID: CVE-2022-46863
CVSS Score: 5.5 (Medium)
Researcher/s: Justiice
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8962c601-2c2c-4b96-b8a4-fdc2ad8a2c08

Archivist – Custom Archive Templates <= 1.7.4 – Authenticated(Admin+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25490
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/90333dc7-8bdf-4a59-8001-7eb76b4bc61d

Click to Call or Chat Buttons <= 1.4.0 – Authenticated(Admin+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25710
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92880588-a733-43df-adf6-74fe6291822d

WP Prayer <= 1.9.6 – Authenticated(Admin+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25705
CVSS Score: 5.5 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9738054-058f-47be-9973-f119fbfd4396

Robots.txt optimization <= 1.4.5 – Cross Site Request Forgery

CVE ID: CVE-2023-25706
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03eed366-c018-44b9-bb72-56911e9957b8

Cart All In One For WooCommerce <= 1.1.10 – Cross-Site Request Forgery to Cart Changes

CVE ID: CVE-2022-46806
CVSS Score: 5.4 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d5d2217-306c-4ea2-9727-5c02f7d67c2d

Advanced Dynamic Pricing for WooCommerce <= 4.1.5 – Cross-Site Request Forgery via handleSubmitAction function

CVE ID: CVE-2022-40203
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/272c6fbb-bc85-46d9-b139-87534b2a0842

Shoppable Images <= 1.2.3 – Cross Site Request Forgery

CVE ID: CVE-2023-25698
CVSS Score: 5.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e6a78dc-9b67-4ab5-83f9-be82d05d3a13

VikBooking Hotel Booking Engine & PMS <= 1.5.12 – Cross-Site Request Forgery in saveconfig function

CVE ID: CVE-2023-25707
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/385c6324-3d8e-4dc7-b8ca-309b05e7bdcc

ALD Dropping and Fulfillment for AliExpress and WooCommerce <= 1.0.21 – Cross-Site Request Forgery to Order Information Disclosure

CVE ID: CVE-2022-46811
CVSS Score: 5.4 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4352b2dc-d2a7-4cc9-a44f-1f5be46e2482

VikBooking Hotel Booking Engine & PMS <= 1.5.12 – Cross-Site Request Forgery in savetmplfile function

CVE ID: CVE-2023-25707
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4ad32ff7-0557-439d-aa0f-49c5ea4271ab

Simple PDF Viewer <= 1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via googlepdf Shortcode

CVE ID: CVE-2023-23817
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89bc17fd-14e8-4210-8cf7-a043d1ea9c22

Podlove Subscribe button <= 1.3.7 – Cross-Site Request Forgery via process_form function

CVE ID: CVE-2023-25481
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af695224-24e7-4d5b-b472-dee53eb6073f

Protected Posts Logout Button <= 1.4.4 – Cross-Site Request Forgery to Settings Update

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c79fd08c-97bc-4d55-832e-92d0897bc3dc

VikBooking Hotel Booking Engine & PMS <= 1.5.12 – Cross-Site Request Forgery in savetranslation function

CVE ID: CVE-2023-25707
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d0631ac6-2d85-4073-be2c-05480deecf97

VikBooking Hotel Booking Engine & PMS <= 1.5.12 – Cross-Site Request Forgery in savetranslationstay function

CVE ID: CVE-2023-25707
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2594cef-6bde-425f-9412-fd4ed3da312e

Conditional Payments for WooCommerce <= 2.3.1 – Cross-Site Request Forgery

CVE ID: CVE-2022-46805
CVSS Score: 5.4 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db15295f-505f-4a0a-bb3a-3ff6daf73008

Podlove Subscribe button <= 1.3.7 – Cross-Site Request Forgery via save function

CVE ID: CVE-2023-25481
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eb9a6c9b-24fb-436f-b583-55adeedb726e

Meta Slider and Carousel with Lightbox <= 1.6.2 – Cross-Site Request Forgery

CVE ID: CVE-2023-25703
CVSS Score: 5.4 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5f59b16-b38a-451b-b220-044598872735

RegistrationMagic <= 5.1.9.2 – Cross-Site Request Forgery leading to Form Metadata Deletion

CVE ID: CVE-2023-25991
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fcfb3a6e-7b58-4568-8439-e9c68a2223b9

WordPress Social Login and Register <= 7.6.0 – Missing Authorization to Unauthenticated Arbitrary Content Deletion

CVE ID: CVE-2023-25455
CVSS Score: 5.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/021a25c9-7fad-425f-8104-bb4852603613

WP Post Rating <= 2.4.6 – Missing Authorization to Vote Manipulation

CVE ID: CVE-2023-25785
CVSS Score: 5.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96ab5bb0-724c-434b-acc4-be8265b4838f

Woodmart <= 7.0.4 – Unauthenticated Arbitrary Content Injection

CVE ID: CVE-2023-25790
CVSS Score: 5.3 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb1db880-0942-4fac-a548-8b6a28dce8c0

VikBooking Hotel Booking Engine & PMS <= 1.5.12 – Cross-Site Request Forgery in save_admin_widgets function

CVE ID: CVE-2023-25707
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2945971-80c6-44a2-bc65-1243af365692

All-In-One Security (AIOS) <= 5.1.4 – Authenticated(Admin+) Directory Traversal

CVE ID: CVE Unknown
CVSS Score: 4.9 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03bf84e2-c101-416d-a953-c63ecd1dba7d

Campaign URL Builder <= 1.8.1 – Authenticated (Admin+) Stored Cross-Site Scripting via Create Link

CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06294c35-6d58-4270-b143-757831fc5da6

WP BaiDu Submit <= 1.2.1 – Authenticated (Admin+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25796
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2241fa07-b6b7-4e5d-8951-ae844a7b88e8

Announce from the Dashboard <= 1.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25716
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b75dce8-3e31-45e8-b193-5df3e4391e56

Sticky Ad Bar <= 1.3.1 – Authenticated (Admin+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25784
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/750a4a94-458c-4944-a99b-a1c8e23e57d1

Easy Panorama <= 1.1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

CVE ID: CVE-2023-23799
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/783829c2-fe09-44a1-bbb5-2a694ad816ee

Eyes Only: User Access Shortcode <= 1.8.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25786
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7bbc181f-318e-48ea-a2f7-c668ad15c8a6

Podlove Subscribe button <= 1.3.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25479
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89058e5a-0f67-4162-ba3b-0a4353d1e0a9

Quick Contact Form <= 8.0.3.1 – Authenticated (Admin+) Stored Cross Site Scripting

CVE ID: CVE-2022-47608
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b5e86be-8a35-48d8-a676-9f7074b81cb7

Feed Changer <= 0.2 – Authenticated (Admin+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25795
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9198ffe4-2f9e-4d80-9f5d-cf967b3feb43

Inline Tweet Sharer <= 2.5.3 – Authenticated (Admin+) Stored Cross-Site Scripting

CVE ID: CVE-2023-24005
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a85b549-f6a4-4dc3-9f2a-35d783099f96

Peadig's Like & Share Button <= 1.1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25783
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d8e0ad2-3cfb-443f-9958-9639d0745dd7

JSON Content Importer <= 1.3.15 – Authenticated (Admin+) Cross Site Scripting

CVE ID: CVE-2023-25485
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3839c47-5fd0-48e7-9637-d40bd237e122

Tapfiliate <= 3.0.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25789
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a472e78c-ebd7-4ab8-9b47-96c526754387

Google Analytics Opt-Out <= 2.3.4 – Authenticated (Admin+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25712
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a90ea845-9f7f-4a89-887d-cf4337f8471f

WP资源下载管理 <= 1.3.9 – Authenticatministrator+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25787
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa7aad43-54b4-4b9f-9584-292e40be71bc

WP Open Social <= 5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25792
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be0dc9be-f597-46d8-badd-452e442a6d1a

WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.5.14 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVE ID: CVE-2023-23710
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca91046d-61c1-4a65-a078-c7dffb27092c

Service Area Postcode Checker <= 2.0.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25782
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da8dd02f-0d9f-44a2-bcad-1e392668dd67

Nooz <= 1.6.0 – Authenticated (Admin+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25794
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8b5bc1b-c9dc-4ce5-86db-2802f5b49d0b

Simple Yearly Archive <= 2.1.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25484
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8d41006-ab36-4eed-8c17-2937ca7aff1b

Upload File Type Settings Plugin <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

CVE ID: CVE-2023-25781
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4dd4479-2f41-426f-b98c-7c654a82ccfe

Wp-Insert <= 2.5.0 Authenticated (Admin+) Stored Cross Site Scripting

CVE ID: CVE-2023-25461
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f607b33a-58ef-4526-9ca1-aaa444aa12bc

VikBooking Hotel Booking Engine & PMS <= 1.5.12 – Cross-Site Request Forgery in admin_widgets_welcome function

CVE ID: CVE-2023-25707
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/035d5f4a-1145-48e0-8388-e319088ebd52

Advanced Dynamic Pricing for WooCommerce <= 4.1.5 – Cross-Site Request Forgery via migrateCommonToProductOnly function

CVE ID: CVE-2022-40203
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/048768bf-326c-455e-919c-9691d6537062

Advanced Dynamic Pricing for WooCommerce <= 4.1.5 – Missing Authorization in ajaxCalculatePrice function

CVE ID: CVE-2022-40203
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cefa293-c934-413e-b946-07e3060472ee

WP VR <= 8.2.7 – Cross-Site Request Forgery

CVE ID: CVE-2023-25708
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13a0dd72-1124-4b5d-9bad-fe4fea8e3e68

Schema – All In One Schema Rich Snippets <= 1.6.5 – Cross-Site Request Forgery in rich_snippet_dashboard

CVE ID: CVE-2023-25058
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23b018d3-3451-4ae8-b571-07e931ad23df

GamiPress <= 2.5.6 – Missing Authorization to User Points Updates

CVE ID: CVE-2023-25715
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c2ce765-018a-4292-b150-7905723d1335

Advanced Dynamic Pricing for WooCommerce <= 4.1.5 – Cross-Site Request Forgery via migrateProductOnlyToCommon function

CVE ID: CVE-2022-40203
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f062ef2-ef94-47c2-8eba-dc7ff6c2537d

Advanced Dynamic Pricing for WooCommerce <= 4.1.5 – Missing Authorization in migrateProductOnlyToCommon function

CVE ID: CVE-2022-40203
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59ff3445-0dfd-4a1a-9ac8-d088b8f4dbf3

AutomatorWP <= 2.5.8 – Cross Site Request Forgery via bulk_delete

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ebdf903-828e-4a22-953a-17d85984b576

VikBooking Hotel Booking Engine & PMS <= 1.5.12 – Cross-Site Request Forgery in exec_multitask_widgets function

CVE ID: CVE-2023-25707
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6adc0154-169a-4d72-8687-66dbf6766139

Locatoraid Store Locator <= 3.9.11 – Cross Site Request Forgery in grab

CVE ID: CVE-2023-25709
CVSS Score: 4.3 (Medium)
Researcher/s: Ngo Van Thien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7feecce5-f2ce-4278-b648-e363b1fa5d7a

WordPress Email Marketing Plugin – WP Email Capture <= 3.9.3 – Cross Site Request Forgery

CVE ID: CVE-2023-23724
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f052dfc-609d-43ed-a8bb-e30294749d03

Get URL Cron <= 1.4.7 – Cross-Site Request Forgery via geturlcron_action_handle

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/934b2767-eae4-4c2d-a635-2e6a27fd9f49

OAuth Single Sign On – SSO (OAuth Client) <= 6.24.1- Cross-Site Request Forgery

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a250f678-1ec7-48ea-8b81-e5ef89992155

NextGEN Gallery <= 3.28 – Cross-Site Request Forgery leading to Post Thumbnail Change

CVE ID: CVE-2022-38468
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a841456c-2a01-4caf-bebe-e018b92697d8

VikBooking Hotel Booking Engine & PMS <= 1.5.12 – Cross-Site Request Forgery in widgets_watch_data function

CVE ID: CVE-2023-25707
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b07b46a6-8a5d-40cb-8af9-baf0f1722736

VikBooking Hotel Booking Engine & PMS <= 1.5.12 – Cross-Site Request Forgery in exec_admin_widget function

CVE ID: CVE-2023-25707
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b5ef15c4-c96b-4e88-a941-e34d23a0e06a

Tickera <= 3.5.1.0 – Cross-Site Request Forgery to Ticket Post Status Change

CVE ID: CVE-2023-23726
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb0f8a0c-d02f-46e2-8808-3ffada105d13

TeraWallet – For WooCommerce <= 1.3.24 – Cross-Site Request Forgery via admin_options

CVE ID: CVE-2022-40198
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d274f8b1-0f7c-44cc-8063-3d04a33a9404

Advanced Dynamic Pricing for WooCommerce <= 4.1.5 – Missing Authorization in migrateCommonToProductOnly function

CVE ID: CVE-2022-40203
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de46743b-2cc6-4a29-bbc4-bc6cfb540e26

Advanced Dynamic Pricing for WooCommerce <= 4.1.5 – Missing Authorization in ajaxCalculateSeveralProducts function

CVE ID: CVE-2022-40203
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f58f994e-0a9b-4b40-9e38-535169c793d3

GamiPress <= 2.5.6 – Cross-Site Request Forgery to User Earnings Deletion

CVE ID: CVE-2023-25697
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff4b757a-9ede-496b-b559-cf952d39fe70

If you’d like to receive this weekly vulnerability report by email, along with Wordfence Intelligence CE product updates, sign up to the Wordfence Intelligence Community Edition Newsletter by filling out this form below.


Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence Community Edition leaderboard along with being mentioned in our weekly vulnerability report.

Did you enjoy this post? Share it!

Comments

No Comments