Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 20, 2023 to Mar 26, 2023)
Last week, there were 80 vulnerabilities disclosed in 69 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 31 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WooCommerce Payments <= 5.6.1 -Authentication Bypass and Privilege Escalation
- The Wordfence Firewall has blocked 57,136 exploit attempts targeting this vulnerability since its release to premium, care, and response customers on March 23, 2023.
- WAF-RULE-569 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
- SEO Plugin by Squirrly SEO <= 12.1.20 – Missing Authorization
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 27 |
Patched | 53 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 0 |
Medium Severity | 70 |
High Severity | 9 |
Critical Severity | 1 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 39 |
Cross-Site Request Forgery (CSRF) | 18 |
Missing Authorization | 10 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 3 |
Improper Neutralization of Formula Elements in a CSV File | 2 |
Authentication Bypass Using an Alternate Path or Channel | 1 |
Deserialization of Untrusted Data | 1 |
Information Exposure | 1 |
Unrestricted Upload of File with Dangerous Type | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Lana Codes | 10 |
Mika | 7 |
yuyudhn | 6 |
Joshua Martinelle | 5 |
Erwan LR | 4 |
Yuki Haruma | 3 |
Cat | 3 |
Varun | 2 |
Rafshanzani Suhada | 2 |
Rio Darmawan | 2 |
thiennv | 2 |
Shreya Pohekar | 2 |
minhtuanact | 2 |
Vaibhav Rajput | 1 |
Abdi Pranata | 1 |
Nguyen Anh Tien | 1 |
Michael Mazzolini | 1 |
Fariq Fadillah Gusti Insani | 1 |
Rafie Muhammad | 1 |
Flaviu Popescu | 1 |
rSolutions Security Team | 1 |
ipatelsumit | 1 |
Nithissh S | 1 |
Bartłomiej Marek | 1 |
NeginNrb | 1 |
Pavitra Tiwari | 1 |
Muhammad Daffa | 1 |
Cyxow | 1 |
Dave Jong | 1 |
R3zk0n | 1 |
Karol Mazurek | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Advance WordPress Search Plugin | th-advance-product-search |
All-In-One Security (AIOS) – Security and Firewall | all-in-one-wp-security-and-firewall |
BigContact Contact Page | bigcontact |
Branded Social Images – Open Graph Images with logo and extra text layer | branded-social-images |
CBX Currency Converter | cbcurrencyconverter |
Contact Form Email | contact-form-to-email |
Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms | fluentform |
ConvertBox Auto Embed WordPress plugin | convertbox-auto-embed |
Custom Field Template | custom-field-template |
Cyberus Key | cyberus-key |
Disqus Conditional Load | disqus-conditional-load |
Easy Table of Contents | easy-table-of-contents |
Enhanced Plugin Admin | enhanced-plugin-admin |
Event Manager and Tickets Selling Plugin for WooCommerce | mage-eventpress |
Events Made Easy | events-made-easy |
Export Users Data Distinct | export-users-data-distinct |
Floating Cart and Menu Cart for WooCommerce | th-all-in-one-woo-cart |
Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress | gallery-plugin |
GamiPress – Youtube integration | gamipress-youtube-integration |
GiveWP – Donation Plugin and Fundraising Platform | give |
Google XML Sitemap for Mobile | google-mobile-sitemap |
Hummingbird – Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS | hummingbird-performance |
I Recommend This | i-recommend-this |
If Menu – Visibility control for Menus | if-menu |
InPost Gallery | inpost-gallery |
JS Job Manager | js-jobs |
JetEngine | jet-engine |
Kanban Boards for WordPress | kanban |
Klaviyo | klaviyo |
Lazy Social Comments | lazy-facebook-comments |
MDTF – Meta Data and Taxonomies Filter | wp-meta-data-filter-and-taxonomy-filter |
Open Graphite | open-graphite |
Owl Carousel | owl-carousel |
Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin | pagination |
Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery |
Pricing Tables For WPBakery Page Builder (formerly Visual Composer) | pricing-tables-for-wpbakery-page-builder |
Product Feed PRO for WooCommerce | woo-product-feed-pro |
Safe SVG | safe-svg |
Scheduled Announcements Widget | scheduled-announcements-widget |
Simple Custom Author Profiles | simple-custom-author-profiles |
Simple Giveaways – Grow your business, email lists and traffic with contests | giveasap |
Simple Mobile URL Redirect | simple-mobile-url-redirect |
Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows | ml-slider |
Stock Sync for WooCommerce | stock-sync-for-woocommerce |
Store Locator WordPress | agile-store-locator |
Stylish Cost Calculator | stylish-cost-calculator-premium |
Team Member – Team with Slider | team-showcase-supreme |
Thank You Page Customizer for WooCommerce – Increase Your Sales | woo-thank-you-page-customizer |
Time Sheets | time-sheets |
TreePress – Easy Family Trees & Ancestor Profiles | treepress |
User Registration – Custom Registration Form, Login Form And User Profile For WordPress | user-registration |
Userlike – WordPress Live Chat plugin | userlike |
Variation Swatches for WooCommerce | th-variation-swatches |
Vertical scroll recent post | vertical-scroll-recent-post |
VigilanTor | vigilantor |
W4 Post List | w4-post-list |
WP Content Filter – Censor All Offensive Content From Your Site | wp-content-filter |
WP Popup Banners | wp-popup-banners |
WP VR – 360 Panorama and Virtual Tour Builder For WordPress | wpvr |
Waiting: One-click countdowns | waiting |
Wbcom Designs – BuddyPress Activity Social Share | bp-activity-social-share |
Weather Station | live-weather-station |
WooCommerce JazzCash Gateway Plugin | jazzcash-woocommerce-gateway |
WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo | woocommerce-payments |
WordPress Amazon S3 Plugin | wp-s3 |
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg | groundhogg |
WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout | gs-pinterest-portfolio |
amr users | amr-users |
eRoom – Zoom Meetings & Webinars | eroom-zoom-meetings-webinar |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Resoto | resoto |
Vulnerability Details
WooCommerce Payments 4.8.0 – 5.6.1 Authentication Bypass and Privilege Escalation
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Michael Mazzolini
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41cf57ff-421d-4db2-894f-17f2c4d4b9ed
Waiting: One-click countdowns <= 0.6.2 – Authenticated (Subscriber+) SQL Injection via ‘pbc_down[meta][id]’
CVE ID: CVE-2023-28659
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17d12a35-35a1-4f7b-aa03-33ddafe17f5b
WP Popup Banners <= 1.2.5 – Authenticated (Subscriber+) SQL Injection via ‘value’
CVE ID: CVE-2023-28661
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa64d6b4-5673-4d88-b5c7-d3441eaa0706
Events Made Easy <= 2.3.14 – Authenticated (Subscriber+) SQL Injection via ‘search_name’
CVE ID: CVE-2023-28660
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2550461-2546-4dc4-85ff-decf2fca3f10
Crocoblock JetEngine <= 3.1.3 – Authenticated(Author+) Arbitrary File Upload to Remote Code Execution
CVE ID: CVE-2023-1406
CVSS Score: 8.8 (High)
Researcher/s: R3zk0n
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7e7247f-869a-4cf0-ae03-0b36ecbc1b7e
Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 2.0 – Authenticated (Subscriber+) Local File Inclusion via Shortcode
CVE ID: CVE-2023-1274
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3475c8fe-17fa-4d8e-bffd-a33e59f6e03b
User Registration <= 2.3.2.1 – PHP Object Injection
CVE ID: CVE-2023-27459
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5835fed0-5b9d-47b5-82ae-f0f19830ae2a
Stylish Cost Calculator < 7.9.0 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-0983
CVSS Score: 7.2 (High)
Researcher/s: Flaviu Popescu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b7cc660-b430-4b0f-b2d1-68ba458de8a9
Groundhogg <= 2.7.9.3 – Authenticated (Administrator)+ SQL Injection
CVE ID: CVE-2023-1425
CVSS Score: 7.2 (High)
Researcher/s: rSolutions Security Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76c468cb-8ad6-4b62-8de5-dc8efd4b8e61
SVG Sanitizer library <= 0.15.4 – Cross-Site Scripting Bypass
CVE ID: CVE-2023-28426
CVSS Score: 7.2 (High)
Researcher/s: Cyxow
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca73de6d-2d47-4d7c-a917-0f99fed8c27d
JS Job Manager <= 2.0.0 – Missing Authorization
CVE ID: CVE-2023-28689
CVSS Score: 6.5 (Medium)
Researcher/s: Fariq Fadillah Gusti Insani
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55604ee9-7343-472c-9a29-035d18b266ab
TH Advance WordPress Search <= 1.1.4 – Missing Authorization via settings_init
CVE ID: CVE-2023-25969
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/826a3fa2-ee41-4960-becb-0df8813a964a
FluentForms <= 4.3.24 – Authenticated(Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0546
CVSS Score: 6.4 (Medium)
Researcher/s: Vaibhav Rajput
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b79a851-1212-4a9c-89fe-b5f2d50ec18c
Vertical scroll recent post <= 14.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
CVE ID: CVE-2023-23862
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a0e93cb-4311-4b38-8eb4-17152e1f3475
WordPress Pinterest Plugin <= 1.6.1 – Stored (Contributor+) Cross-Site Scripting via Shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20daf751-176d-48f2-ac68-480fda89cee1
Team Member <= 4.4 – Authenticated (Editor+) Stored Cross-Site Scripting via new_style_name
CVE ID: CVE-2023-23647
CVSS Score: 6.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/353d22c5-dee1-485f-ae66-e9c7afe3ad8e
W4 Post List <= 2.4.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Block Options
CVE ID: CVE-2023-0374
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64ed8547-0dc1-4f0a-8b0b-27ce20b8bbd6
Scheduled Announcements Widget <= 0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0363
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/755ae574-9df3-44d1-a14b-16887f234510
GamiPress – Youtube integration <= 1.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb74a917-2dfb-4229-a72a-9c3d1f9a6324
Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-0367
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c04a0f82-97f6-44ff-999d-08a8c106f889
ConvertBox Auto Embed WordPress plugin <= 1.0.19 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-23664
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8a4e9b8-9794-48b7-8c53-cfad37ed530c
Slider, Gallery, and Carousel by MetaSlider <= 3.29.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-1473
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/290233f0-a5dd-4c69-8039-7392268daf40
InPost Gallery <= 2.1.4.1 – Reflected Cross-Site Scripting via ‘imgurl’
CVE ID: CVE-2023-28666
CVSS Score: 6.1 (Medium)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69fd66db-5693-4976-96c0-60dbfeccd14f
MDTF – Meta Data and Taxonomies Filter <= 1.3.0.1 – Relected Cross-Site Scripting via ‘tax_name’
CVE ID: CVE-2023-28664
CVSS Score: 6.1 (Medium)
Researcher/s: Joshua Martinelle
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6edb6604-9da8-421e-933b-bac02b179bd0
WP VR <= 8.2.8 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-1413
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fbde737-0730-49a4-a84e-a9c5e0e32af5
W4 Post List <= 2.4.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-1373
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d6a7230-07c7-43f3-a844-77d2bb19545d
WordPress Amazon S3 Plugin <= 1.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-0423
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab779713-7004-47f6-af16-2db2c7c1013b
WooCommerce JazzCash Gateway Plugin <= 2.0 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2022-46822
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6809f7f-4495-4185-b439-820010afc305
Open Graphite <= 1.6.0 – Reflected Cross-Site Scripting via topic parameter
CVE ID: CVE-2022-47439
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd368b2c-ef40-453b-aeef-ad88d847c29b
Export Users Data Distinct <= 1.3 – Authenticated (Subscriber+) CSV Injection
CVE ID: CVE-2022-46804
CVSS Score: 5.8 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03a1724c-8fea-4e9f-a4a1-9de236e1f15a
amr users <= 4.59.4 – Authenticated (Subscriber+) CSV Injection
CVE ID: CVE-2022-45348
CVSS Score: 5.8 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/879e7695-3a61-4e65-b102-fcdc63fac688
Simple Giveaways <= 2.45.0 – Authenticated (Editor+) Stored Cross-Site Scripting via Form, Prize, and Sharing Method Fields
CVE ID: CVE-2023-1122
CVSS Score: 5.5 (Medium)
Researcher/s: Varun
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/240691c4-35c5-40e1-b1ab-a500ffcdac73
Wbcom Designs – BuddyPress Activity Social Share <= 3.5.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-28694
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c8152c5-7d72-48a1-9140-8b0341c86023
TH Variation Swatches <= 1.2.7 – Cross-Site Request Forgery via delete_settings
CVE ID: CVE-2023-28688
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e98fb74-46f2-4a6a-8012-e2824bd77070
CBX Currency Converter <= 3.0.3 – Cross-Site Request Forgery leading to Plugin Settings Leakage/Changes
CVE ID: CVE-2023-28747
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/711d2c4d-700d-4d6e-911f-99abf86eff32
Enhanced Plugin Admin <= 1.16 – Cross-Site Request Forgery via epa_options_page
CVE ID: CVE-2023-28618
CVSS Score: 5.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9b5bc030-7739-4eb4-b85d-99e5d0f2643a
Easy Table of Contents <= 2.0.45.2 – Missing Authorization via eztoc_reset_options_to_default
CVE ID: CVE-2023-25469
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff937860-c4e0-4172-9f0f-d66578fa7203
TH Side Cart and Menu Cart for Woocommerce <= 1.1.1 – Missing Authorization
CVE ID: CVE-2023-25969
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c0d18d3-8758-41ae-b104-dac69eee4ac9
Branded Social Images <= 1.1.0 – Missing Authorization leading to Unauthenticated Plugin Settings Updates
CVE ID: CVE-2023-28536
CVSS Score: 5.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2cbc0b70-c8a4-4924-a67f-cea81ab19cdc
Owl Carousel <= 0.5.3 – Missing Authorization via save_paramter.php
CVE ID: CVE-2022-44578
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37aaf109-e04f-40d7-8303-a581b0b09d24
If Menu <= 0.16.3 – Missing Authorization to Admin Settings Modification
CVE ID: CVE-2022-41698
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b5fc0ac-7a33-48da-8b0f-566b9eb0f17f
eRoom – Zoom Meetings & Webinar <= 1.4.6 – Missing Authorization via add_feedback
CVE ID: CVE-2022-43472
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e0767a8-9e82-4ce4-9df9-19b458dc5ce0
GiveWP <= 2.25.2 – Cross-Site Request Forgery via give_ajax_delete_payment_note
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a2dc1a04-5503-412b-92e7-ed86910abd92
GiveWP <= 2.25.2 – Cross-Site Request Forgery via give_ajax_store_payment_note
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d09a0b62-6556-4be5-a6f2-0cb0edcced3b
Hummingbird <= 3.4.1 – Unauthenticated Path Traversal
CVE ID: CVE-2023-1478
CVSS Score: 5.3 (Medium)
Researcher/s: Karol Mazurek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9b8e6dc-a9ac-4afb-ad47-4f51032bb1f4
Resoto <= 1.0.8 – Missing Authorization leading to Authenticated (Subscriber+) Arbitrary Plugin Activation
CVE ID: CVE-2023-28619
CVSS Score: 5 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb5c5e82-d6e5-4237-958f-12fc4698e77e
Photo Gallery by 10Web <= 1.8.14 – Authenticated (Administrator+) Directory Traversal
CVE ID: CVE Unknown
CVSS Score: 4.9 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0f55f3e-9a9a-42a7-91b5-0d515519d545
Kanban Boards for WordPress <= 2.5.20 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23884
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/071b5c32-b6ac-402a-af74-6ecd05279d93
Userlike <= 2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14c94d47-c911-4874-a897-58f4c0800329
Store Locator WordPress <= 1.4.9 – Authenticated (Editor+) Stored Cross-Site Scripting via ‘category_name’, ‘description’, ‘description_2’ parameters
CVE ID: CVE-2023-27618
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1dad9de0-5e43-4dfd-a56c-5e9efff35c0a
Klaviyo <= 3.0.9 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0874
CVSS Score: 4.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/294de862-716c-4e17-a1cf-cade53207013
VigilanTor <= 1.3.10 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28695
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ea71d63-27ce-4f24-b3ef-de38e6f25e0d
Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress <= 4.6.9 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3adf6b20-110f-4057-9fab-5248e9c18555
Lazy Social Comments <= 2.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Options
CVE ID: CVE-2023-23733
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43f2c020-a531-4e25-948e-372bc7af3bab
Disqus Conditional Load <= 11.0.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings.
CVE ID: CVE-2023-23732
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/762190dc-cd19-4bc1-8204-9219881d95e9
Simple Giveaways <= 2.45.0 – Authenticated (Admin+) Stored Cross-Site Scripting via Settings
CVE ID: CVE-2023-1120
CVSS Score: 4.4 (Medium)
Researcher/s: ipatelsumit
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86991143-d4e7-4114-b219-0deedd084858
Simple Giveaways <= 2.45.0 – Authenticated(Admin+) Stored Cross-Site Scripting via form fields
CVE ID: CVE-2023-1121
CVSS Score: 4.4 (Medium)
Researcher/s: Varun
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91552a9b-d46b-4a75-b096-8f28bdd9fb56
WP Content Filter – Censor All Offensive Content From Your Site <= 3.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23883
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95ffefff-80e1-4f5a-8939-47a00f75493d
Simple Custom Author Profiles <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-24372
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/986d16d5-f1f4-4ed9-9978-0f12ee22a543
All-In-One Security (AIOS) <= 5.1.4 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0157
CVSS Score: 4.4 (Medium)
Researcher/s: Bartłomiej Marek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3ae55ad-b192-4dde-8a7c-3a4fd71d3475
Pagination by BestWebSoft < 1.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4572874-afd4-4e46-8a28-76a0a6cc8acb
Cyberus Key <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘uid’ in ‘cyberkey_settings’ Plugin Setting
CVE ID: CVE-2023-28620
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf5e5eaf-b42d-49b9-8f55-6025e64748c9
Event Manager for WooCommerce <= 3.8.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘mep_get_option’ function
CVE ID: CVE-2023-28422
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2f4c1de-7eeb-45c4-bbff-ec85f2cda5aa
Time Sheets <= 1.29.2 – Authenticated(Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0893
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7e25e64-4504-4aad-aeb6-d58b5c36a4bd
Cyberus Key <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3944b2d-c431-4a53-b4e2-740480e746d6
TreePress – Easy Family Trees & Ancestor Profiles <= 2.0.22 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘post_title’ parameter
CVE ID: CVE-2023-23863
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fbef8738-d639-48a5-98b7-abf9a7e9fec1
TH Side Cart and Menu Cart for Woocommerce <= 1.1.1 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18f04566-3a63-41f3-aa9b-766304d56499
W4 Post List <= 2.4.5 – Information Disclosure via post_excerpt
CVE ID: CVE-2023-1371
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ac7408d-8ec7-415b-bf52-024182888cb4
GiveWP <= 2.25.2 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ea02dd5-d837-471c-aa6a-264ffcedd55d
I Recommend This <= 3.8.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-28696
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0ee9b26-4e7f-475f-b42b-5af40b78cbca
BigContact <= 1.5.8 – Cross-Site Request Forgery leading to Plugin Settings Updates
CVE ID: CVE-2023-22694
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0403adb-08c4-4697-a7d9-50e39d46cd43
Download Weather Station <= 3.8.11 – Cross-Site Request Forgery
CVE ID: CVE-2023-25478
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1e1db3f-1ebc-4f16-b2d8-8bce9c51b3db
Google XML Sitemap for Mobile <= 1.6.1 – Cross-Site Request Forgery via mobile_sitemap_generate
CVE ID: CVE-2023-23869
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2b0c5f9-b734-41e6-8ecb-4cf3d891ddb7
Custom Field Template <= 2.5.8 – Cross-Site Request Forgery via Plugin Options Update
CVE ID: CVE-2023-22695
CVSS Score: 4.3 (Medium)
Researcher/s: NeginNrb
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b55853e1-2f20-417f-b07e-eda758eaed32
Stock Sync for WooCommerce <= 2.3.2 – Missing Authorization
CVE ID: CVE-2022-46807
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8faa34a-17fd-4a2e-b8bf-ed40fc7a88d9
Simple Mobile URL Redirect <= 1.7.2 – Cross-Site Request Forgery leading to Mobile Redirect Updates
CVE ID: CVE-2023-23897
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be8dcff9-1626-4919-b297-c423891f3d02
Product Feed PRO for WooCommerce <= 12.4.0 – Cross-Site Request Forgery via update_project
CVE ID: CVE-2022-46793
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5b0939a-1699-483c-9a4f-7978155e6ad1
Contact Form Email <= 1.3.31 – Cross-Site Request Forgery to Feedback Submission
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce6ea115-941e-482f-a2a4-95293ff10a69
Stock Sync for WooCommerce <= 2.3.2 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf13732b-7c24-443a-bae9-d8cf70b5cb33
Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.0.13 – Cross-Site Request Forgery via send_email
CVE ID: CVE-2022-46812
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ecd504ad-8812-46ec-be18-e98d05982312
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments
2:03 pm
Even though I am not a programmer, I really enjoy reading the reports (even though I don't understand some of it). I appreciate the seriousness the Wordfence takes with security. I like the full disclosure and the giving credit to the researchers who helped. Make me feel confident that my four small websites are protected by WF. Thanks for your hard work. Carla
2:10 pm
You're very welcome, Carla. Thank you for trusting us to help keep your WordPress Sites Secure!
6:40 pm
Yes, I totally agree with what Carla has said. Good work team.
6:43 pm
Chloe you guys are keeping the plugin developers on their toes. Paid plugins need to have accountability and wordfence is doing just that. Good Job!