Wordfence Intelligence Weekly WordPress Vulnerability Report (Feb 27, 2023 to Mar 5, 2023)
Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially.
Last week, there were 117 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Vulnerability Database, and there were 30 Vulnerability Researchers that contributed to WordPress Security last week. You can find those vulnerabilities below along with some data about the vulnerabilities that were added.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 44 |
Patched | 73 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 1 |
Medium Severity | 104 |
High Severity | 10 |
Critical Severity | 2 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Cross-Site Request Forgery (CSRF) | 53 |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 34 |
Missing Authorization | 16 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 2 |
Information Exposure | 2 |
Authorization Bypass Through User-Controlled Key | 2 |
Server-Side Request Forgery (SSRF) | 2 |
Incorrect Privilege Assignment | 1 |
Unrestricted Upload of File with Dangerous Type | 1 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
Protection Mechanism Failure | 1 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
Improper Validation of Integrity Check Value | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Lana Codes | 27 |
Rio Darmawan | 20 |
Mika | 13 |
Dave Jong | 6 |
FearZzZz | 4 |
Erwan LR | 4 |
yuyudhn | 4 |
WPScanTeam | 3 |
Prasanna V Balaji | 3 |
Marco Wotschka | 3 |
Rafie Muhammad | 3 |
TEAM WEBoB of BoB 11th | 2 |
Abdi Pranata | 2 |
Muhammad Daffa | 2 |
Nguyen Xuan Chien | 2 |
Marc-Alexandre Montpas | 1 |
TaeEun Lee | 1 |
Pounraj Chinnasamy | 1 |
Jarko Piironen | 1 |
dc11 | 1 |
rezaduty | 1 |
Mohammed El Amin, Chemouri | 1 |
Universe | 1 |
Alex Sanford | 1 |
Vaibhav Rajput | 1 |
MyungJu Kim | 1 |
Mahesh Nagabhairava | 1 |
Leonidas Milosis | 1 |
Shreya Pohekar | 1 |
Nguyen Thuc Tuyen | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
Vulnerability Details
Houzez <= 2.7.1 – Privilege Escalation
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0578f4d1-5953-4fbe-8bc3-0569bee57a1a
Debug Assistant <= 1.4 – Cross-Site Request Forgery via imlt_create_admin
CVSS Score: 8.8 (High)
Researcher/s: Prasanna V Balaji
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/429ce9e6-e51b-4f1e-8e26-f679b08d68d3
OceanWP <= 3.4.1 – Authenticated (Subscriber+) Local File Inclusion
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7fa57b92-3a3e-418c-bfc2-7ed2602004e4
ProfileGrid <= 5.3.0 – Missing Authorization to Arbitrary Password Reset
CVSS Score: 8.8 (High)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/58cf6e80-63dd-42dc-9c4a-7b5c092bc4cb
CSSTidy – Server-Side Request Forgery
CVSS Score: 8.3 (High)
Researcher/s: Dave Jong
Patch Status: Unpatched/Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb534d86-c477-4a9c-b048-2fbc002168b2
Gallery Blocks with Lightbox <= 3.0.7 – Missing Authorization in pgc_sgb_add_dashboard_widget
CVSS Score: 8.1 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7561bce2-bd70-4da3-bbf0-318e59cd1852
Paid Memberships Pro <= 2.9.11 – Authenticated (Subscriber+) SQL Injection via Shortcodes
CVSS Score: 7.7 (High)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/103a7e7b-74bb-4691-8670-c66ed2144596
Types <= 3.4.17 – Unauthenticated (Administrator+) Arbitrary File Upload
CVSS Score: 7.2 (High)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09ec4633-7639-4d46-8070-9fc6909bc610
Leyka <= 3.29.2 – Unauthenticated Stored Cross-Site Scripting
CVSS Score: 7.2 (High)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3afbfa7c-a87f-4810-9356-374923ff2314
Dokan <= 3.7.12 – Authenticated (Vendor+) SQL Injection
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4967c95-8eb6-4c9b-ae6e-082dbc6af7f5
LWS Tools <= 2.3.1 – Cross-Site Request Forgery
CVSS Score: 7.1 (High)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2dabb790-4f5e-447a-ad65-3f62ac7f6176
Manage Upload Limit <= 1.0.4 – Reflected Cross-Site Scripting via upload_limit
CVSS Score: 7.1 (High)
Researcher/s: Mahesh Nagabhairava
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9b90bf09-639c-497c-a58e-3972250db1e4
Woodmart <= 7.1.1 – Cross-Site Request Forgery to License Update
CVSS Score: 6.5 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02fde6b1-d709-4329-ae9c-fea444c1aec8
Shortcodes Ultimate <= 5.12.7 – Authenticated (Subscriber+) Information Exposure
CVSS Score: 6.5 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/144895c9-5800-435e-9f75-a8de17ca2d93
WoodMart <= 7.1.1 – Missing Authorization to Shortcode Injection
CVSS Score: 6.5 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73017e92-d95e-4b9c-a44a-779b498f58b7
Sales Report Email for WooCommerce <= 2.8 – Missing Authorization for Email Functionality
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8befbf2-0d9d-4d0e-87de-0f1b26c0acd0
Smart Slider 3 <= 3.5.1.13 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0191e5b0-b669-439b-8ad4-9f860e6ee637
Simple Vimeo Shortcode <= 2.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66edd8e5-1d5e-425d-a4f4-5359683c1e36
Cost Calculator <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Score: 6.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/750be90d-dc12-4974-8921-75259d56c7b3
menu shortcode <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9150a7d9-d792-4bb6-9d33-5892f9cdfd1e
WordPress Infinite Scroll – Ajax Load More <= 5.6.0.2 – Authenticated (Contributor+) Stored Cross Site Scripting via Shortcode
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9595fa45-6b00-4ee0-89aa-a236dbf82423
Cookie Notice & Compliance for GDPR / CCPA <= 2.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95acec2a-ba1b-4b61-a4d6-3b0250a32835
Yoast SEO <= 20.2 – Authenticated (Contributor+) Cross-Site Scripting
CVSS Score: 6.4 (Medium)
Researcher/s: Leonidas Milosis
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c0e58807-bccc-469f-82c3-a4bbf088a626
NEX-Forms – Ultimate Form Builder <= 8.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd817fe9-b7be-4252-877a-e9843d62a0a9
Real Estate 7 <= 3.3.4 – Reflected Cross-Site Scripting via ct_additional_features
CVSS Score: 6.1 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/157b3095-b662-465e-a975-5b71b5d4ba2a
Watu Quiz <= 3.3.9 – Reflected Cross-Site Scripting
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6341bdcc-c99f-40c3-81c4-ad90ff19f802
Darcie <= 1.1.5 – Reflected Cross-Site Scripting via JS split
CVSS Score: 6.1 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/83d162f9-32a9-4d03-845e-6fc9b8574fb5
GN Publisher <= 1.5.5 – Reflected Cross-Site Scripting
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a4ee97c-63cd-4a5e-a112-6d4c4c627a57
Easy Testimonial Slider and Form <= 1.0.15 – Unauthenticated Reflected Cross-Site Scripting via search_term
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6b16ffe-1c65-49d3-9e30-407bc75d7d49
GTmetrix for WordPress <= 0.4.5 – Reflected Cross-Site Scripting via ‘url’
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dcdf22be-8af4-4596-b138-67ebfd04c06d
Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD <= 3.1.5 – Reflected Cross-Site Scripting via cart_search
CVSS Score: 6.1 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eebe1bf7-0366-4226-bcbc-027186136008
Real Estate 7 <= 3.3.4 – Cross-Site Request Forgery
CVSS Score: 5.4 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/007af51b-95b5-4b12-9f74-abf31f6de341
Instant Images <= 5.1.0.1 – Authenticated (Author+) Server-Side Request Forgery via instant_images_download
CVSS Score: 5.4 (Medium)
Researcher/s: Universe
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a50e142-59f4-488b-8120-5bf505a9039d
Leyka <= 3.29.2 – Cross-Site Request Forgery
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a1ab02c0-e083-4f0e-b6d4-1a10ade2c688
Rife Elementor Extensions & Templates <= 1.1.10 – Missing Authorization via import_templates
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee520664-0c1f-4af0-8cdf-a33c1dfaaca7
Sheets To WP Table Live Sync <= 2.12.15 – Cross-Site Request Forgery
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f70221e6-59a4-4151-9688-f06e194f51ac
Advanced Text Widget <= 2.1.2 – Missing Authorization via atw_dismiss_admin_notice
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3fe1313c-1368-4bcb-9d11-25b948da5547
WP SMS <= 6.0.4 – Information Disclosure via REST API
CVSS Score: 5.3 (Medium)
Researcher/s: Jarko Piironen
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57377380-0435-4747-abba-50063978d8e1
Metform Elementor Contact Form Builder <= 3.2.1 – reCaptcha Protection Bypass
CVSS Score: 5.3 (Medium)
Researcher/s: Mohammed El Amin, Chemouri
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69527d4b-49b6-47cd-93b6-39350f881ec9
Event Espresso 4 Decaf <= 4.10.44.decaf – Feature Bypass
CVSS Score: 5.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d55f10f3-5484-4b90-80da-3d91f409fe04
WP Repost <= 0.1 – Missing Authorization
CVSS Score: 5.3 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbf0f614-e5e9-486c-a0dd-cd494708a2a8
Simple CSV/XLS Exporter <= 1.5.8 – CSV Injection
CVSS Score: 5.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/219614b7-2394-490c-baf4-14a12249c4b5
Advanced Text Widget <= 2.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f622e20-2f7e-44ed-8237-fbf25323d2ce
Jetpack CRM <= 5.4.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Score: 4.4 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20b3cd2a-ee32-49e0-8281-16afb8e42448
We’re Open! <= 1.46 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Score: 4.4 (Medium)
Researcher/s: TaeEun Lee
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a5c6b05-6e28-40be-80cb-9f95241a4fc6
WP Repost <= 0.1 – Authenticated (Administrator+) Stored Cross-Site Scritping
CVSS Score: 4.4 (Medium)
Researcher/s: Pounraj Chinnasamy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/438689aa-3b85-4dd7-ac3e-a37906efd79c
Button Generator – easily Button Builder <= 2.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4ac9262a-96a6-439a-a2b0-a05f24654d06
Dashboard Widgets Suite <= 3.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/503a44ed-25c2-4178-aeec-756c5b533e04
Publish to Schedule <= 4.5.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e2014bd-2809-4f79-913d-d7a35eda63ef
Namaste! LMS <= 2.5.9.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘accept_other_payment_methods’, ‘other_payment_methods’ Parameters
CVSS Score: 4.4 (Medium)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ef23b03-8452-4730-860c-2c2ef1686202
FareHarbor for WordPress <= 3.6.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b40165b-17e3-4b87-8d0d-90d60ba4bf81
CPO Content Types <= 1.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d0b1e05-0e28-4cf5-a278-ea91b6c9d253
WP No External Links <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scritping
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8e3a111-6327-47a0-becd-d7e2d9166118
Simple File List <= 6.0.9 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3f0032e-a6f4-47f5-b3eb-6f1c9bf9670c
New Adman <= 1.6.8 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d862e8e6-ecf6-41f5-8f40-1225ecec7e1f
Simple Slug Translate <= 2.7.2 – Authenticated (Administrator+) Stored Cross-Site Scritping
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc19313b-f9d0-4a92-8e33-d632d8a478df
JCH Optimize <= 3.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f04c83b9-33a0-4f4b-afc4-929d40c2ef67
Debug Assistant <= 1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4421782-8a7a-4bca-8c5a-7152dfafe902
Maspik – Spam blacklist <= 0.7.8 – Cross-Site Request Forgery
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0206aead-d146-453d-99ed-3870f7dfdae9
WpStream – Live Streaming, Video on Demand, Pay Per View <= 4.4.10 – Cross-Site Request Forgery via wpstream_settings
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0219851f-7fce-42e0-ba82-77af84b17d9f
WP Time Slots Booking Form <= 1.1.76 – Cross-Site Request Forgery to Feedback Submission
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/032f3363-83c0-4548-81f0-724a71931add
Download Read More Excerpt Link <= 1.6.0 – Cross-Site Request Forgery to Settings Update
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0359434b-9d88-4a40-8e9f-ec354c8de816
CP Contact Form with Paypal <= 1.3.34 – Authenticated Feedback Submission
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ba56d68-e104-4a79-b5b4-627f9617043b
WP Google Tag Manager <= 1.1 – Cross-Site Request Forgery
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1cb265d8-eb18-42ee-9141-2fe81c0c4585
DeepL Pro API translation <= 2.1.4 – Cross-Site Request Forgery via saveSettings
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1fc58078-7520-4ee7-b5a1-d6a362ac1860
Search in Place <= 1.0.104 – Missing Authorization to Feedback Submission
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28ca150a-443f-4b99-8c15-491bd9f1cee3
WP Meteor Page Speed Optimization Topping <= 3.1.4 -Missing Authorization to Notice Dismissal
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b335807-f4d1-43b3-9e1b-2215eb00a3f8
Preview Link Generator <= 1.0.3 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: WPScanTeam
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b6b4953-a264-4668-9cc3-1578109f6592
Blog Floating Button <= 1.4.12 – Cross-Site Request Forgery
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ba56b4c-0573-4911-97a4-a51e867daa75
Free WooCommerce Theme 99fy Extension <= 1.2.7 – Cross-Site Request Forgery leading to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e215a5c-7a01-4a1d-b051-3abf742bf573
Shortcodes Ultimate <= 5.12.7 – Authenticated (Subscriber+) Arbitrary Post Access via Shortcode
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2eddfe94-7232-4d3d-9f3a-f53fc476a012
WP Insurance – WordPress Insurance Service Plugin <= 2.1.3 – Cross-Site Request Forgery leading to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37264b0f-b021-41f8-a72d-3ee0d06b19a8
WC Sales Notification <= 1.2.2 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: WPScanTeam
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43fc71bb-87ba-4cf9-ae4d-1cba7bd84806
WP Meteor Page Speed Optimization Topping <= 3.1.4 – Cross-Site Request Forgery via processAjaxNoticeDismiss
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d246a99-fd92-4132-9576-efa065a58f59
HT Portfolio <= 1.1.4 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4ed63724-c21f-4b0e-b595-e824d3519b21
Add Expires Headers & Optimized Minify <= 2.7 – Cross-Site Request Forgery via [placeholder]
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55e6a968-153e-4d4c-a7be-65650a0c9bc1
HT Politic <= 2.3.7 – Cross-Site Request Forgery leading to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b127a47-d22f-47b5-92a8-440a5892a181
DecaLog <= 3.7.0 – Cross-Site Request Forgery via get_settings_page
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5de953ee-8a01-4372-a376-74a4cff674ce
WP Plugin Manager <= 1.1.7 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: WPScanTeam
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/623decc5-bdb7-42c9-8531-8004ddc16682
About Me 3000 widget <= 2.2.6 – Cross-Site Request Forgery to Plugin Settings Update
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62c1b5ce-cd58-4805-9a40-1af529604406
ClickFunnels <= 3.1.1 – Cross-Site Request Forgery to Settings Update
CVSS Score: 4.3 (Medium)
Researcher/s: rezaduty
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/65581fa6-110f-4ae3-a903-dbf649b44417
Fontiran <= 2.1 – Cross-Site Request Forgery
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/701bf711-d692-4eb1-8459-befa62264b97
Ever Compare <= 1.2.3 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/702aa972-7b74-4417-8d33-a26c3831934f
WP TFeed <= 1.6.9 – Cross-Site Request Forgery via aptf_delete_cache
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73986641-b3a4-438d-90ae-6ff0f6f73f01
Resize at Upload Plus <= 1.3 – Cross-Site Request Forgery
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76af3f0a-2e35-4059-960c-09769459bc01
WP Social Bookmarking Light <= 2.0.7 – Cross-Site Request Forgery
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7997ae20-88d2-4e12-87a0-a6e83808a495
Total Poll Lite <= 4.8.6 – Cross-Site Request Forgery
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e3ae5e7-1f41-48cd-8aea-698e3b00066c
HT Slider For Elementor <= 1.3.9 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/81258fcc-18cc-4614-a644-5cfb004d019b
When Last Login <= 1.2.1 – Cross-Site Request Forgery via wll_hide_subscription_notice
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/81638472-b635-4100-8fb9-3daf35fa172e
HT Event <= 1.4.5 – Cross-Site Request Forgery leading to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b14c07b-23bb-4a14-8018-fa2462383b35
WP Time Slots Booking Form <= 1.1.76 – Missing Authorization to Feedback Submission
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c732b0e-9898-48f2-99b2-068f31532b17
WP Clean Up <= 1.2.3 – Cross-Site Request Forgery via wp_clean_up_optimize
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f342fb7-8f52-43d9-a887-1cf1fffa6ec6
WP Shamsi <= 4.3.3 – Missing Authorization leading to Authenticated (Subscriber+) Attachment Deletion
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8fc88821-b2be-49a5-a2cf-53e87d0349a2
WP Education <= 1.2.6 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91062d2c-f2a6-4a92-b684-e133391afe60
Calculated Fields Form <= 1.1.120 – Missing Authorization to Feedback Submission
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9370f05a-9c69-45f4-9fd8-7017bfcf4d1e
Quiz And Survey Master <= 8.0.10 – Cross-Site Request Forgery to Quiz Restoration
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9af36edd-4520-4afc-8d3a-c9a96659ddf8
Smart YouTube PRO <= 4.3 – Cross-Site Request Forgery via handle_colorbox_options
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a184090c-0281-4d8d-bd4d-256b4ed826dc
Big Store <= 1.9.3 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a1859dca-d771-470c-ae4a-48246977212c
WP Translitera <= p1.2.5 – Cross-Site Request Forgery
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad427bea-1b0e-46bb-85fc-53c51fb40a17
WP Film Studio <= 1.3.4 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae5121bd-2f3f-4d87-a2fd-d11bb9f8dc2c
XML Sitemap Generator for Google <= 1.2.8 – Cross-Site Request Forgery to Plugin Settings Changes
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b03a9aaa-ce9a-47bf-8574-0eba92fcf0c5
New Adman <= 1.6.8 – Cross-Site Request Forgery via plugin_menu
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b140d228-cd74-4d78-8b9d-9a69e5a89bfb
QuickSwish <= 1.0.9 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b594b771-4d0b-46e1-b4c6-751c994992af
OoohBoi Steroids for Elementor <= 2.1.3 – Missing Authorization leading to Authenticated (Subscriber+) Attachment Deletion
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c24c57e5-2b42-40db-816a-f1327d1ac09b
Fontiran <= 2.1 – Cross-Site Request Forgery
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c35bffb2-f805-48d6-938a-cb5142eac3b1
Total Theme <= 2.1.19 – Authenticated(Subscriber+) Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4dfd5af-0af0-469c-81ed-52867609550c
Classic Editor and Classic Widgets <= 1.2.4 – Cross-Site Request Forgery via render_settings_page
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce2bef2f-fe28-48ea-8b83-052eebd31622
Rus-To-Lat <= 0.3 – Cross-Site Request Forgery to Plugins Options Changes
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d07d8c3a-5e97-422a-ba20-e0bc206dda59
Elegant Custom Fonts <= 1.0 – Cross-Site Request Forgery
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dadb6bf5-dbbd-4afb-8783-f6880dec2cbf
OptinMonster <= 2.12.1 – Authenticated (Subscriber+) Sensitive Information Disclosure via Shortcode
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dfbdb5a7-e949-4d3a-8c8d-5dc6702f4675
Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks <= 1.1.5 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dfe6f49a-1dd1-46d9-8e15-a8a766917092
Calculated Fields Form <= 1.1.120 – Cross-Site Request Forgery
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4785012-d160-42cc-bd06-d9b8e65652a4
Search in Place <= 1.0.104 – Cross-Site Request Forgery to Feedback Submission
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f079037c-cea6-4ba6-843f-99c5e5fe59a5
WP News <= 1.1.9 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f53e9354-248f-4d13-a1c0-8355b268fae2
OAuth Single Sign On – SSO (OAuth Client) <= 6.24.1 – Cross-Site Request Forgery via ‘delete’ in mooauth_client_applist_page
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Thuc Tuyen
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6658edb-11dc-4594-8936-95d60d581f49
Wholesale Suite <= 2.1.5 – Missing Authorization to Plugin Settings Change
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f713f2f8-545a-4f54-a028-8422c0942a63
FluentSMTP <= 2.2.2 – Authenticated (Author+) Stored Cross-Site Scripting via Email Logs
CVSS Score: 3.8 (Low)
Researcher/s: Vaibhav Rajput
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/803c32e9-665c-40a0-b52d-f2c0b8fbe931
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments