Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 10, 2023 to Apr 16, 2023)
Last week, there were 69 vulnerabilities disclosed in 60 WordPress plugins and 4 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 30 |
Patched | 39 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 0 |
Medium Severity | 60 |
High Severity | 6 |
Critical Severity | 3 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 31 |
Cross-Site Request Forgery (CSRF) | 16 |
Missing Authorization | 10 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 5 |
Authorization Bypass Through User-Controlled Key | 2 |
Improper Privilege Management | 1 |
Information Exposure | 1 |
Authentication Bypass Using an Alternate Path or Channel | 1 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
Improper Neutralization of Formula Elements in a CSV File | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Mika | 4 |
Lana Codes | 4 |
yuyudhn | 3 |
Erwan LR | 3 |
Dave Jong | 3 |
Shreya Pohekar | 3 |
Rio Darmawan | 2 |
Maurice Fielenbach | 2 |
Alex Thomas | 2 |
Prasanna V Balaji | 2 |
Muhammad Daffa | 2 |
Pavak Tiwari | 2 |
Cat | 2 |
Ivy | 2 |
Abdi Pranata | 2 |
Rafie Muhammad | 2 |
Mahesh Nagabhairava | 1 |
TEAM WEBoB of BoB 11th | 1 |
Skalucy | 1 |
Marc-Alexandre Montpas | 1 |
Fariq Fadillah Gusti Insani | 1 |
qilin_99 | 1 |
dc11 | 1 |
Pavitra Tiwari | 1 |
Johan Kragt | 1 |
Sajjad Shariati | 1 |
Justiice | 1 |
Yuki Haruma | 1 |
LOURCODE | 1 |
Ramuel Gall | 1 |
Padavishree | 1 |
Ameen Alkurdy | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
AFFILIATE Solution | affiliate-solution |
AI ChatBot | chatbot |
AdFoxly – Ad Manager, AdSense Ads & Ads.txt | adfoxly |
Affiliate Links Lite | affiliate-links |
Article Directory Redux | article-directory-redux |
Best WordPress Gallery Plugin – FooGallery | foogallery |
Better Search – Relevant search results for WordPress | better-search |
Blocksy Companion | blocksy-companion |
Booqable Rental Plugin | booqable-rental-reservations |
Cloud Manager | cloud-manager |
CoSchedule | coschedule-by-todaymade |
Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress | contact-form-to-db |
Coupon Affiliates – WooCommerce Affiliate Plugin | woo-coupon-usage |
Custom Order Numbers for WooCommerce | custom-order-numbers-for-woocommerce |
Cyr to Lat enhanced | cyr3lat |
Database Collation Fix | database-collation-fix |
Download Manager Pro | download-manager |
Easy Appointments | easy-appointments |
ElasticPress | elasticpress |
Electric Studio Client Login | electric-studio-client-login |
Enable Accessibility | enable-accessibility |
External Videos | external-videos |
Fantastic Content Protector Free | fantastic-content-protector-free |
Featured Post Creative | featured-post-creative |
Forminator – Contact Form, Payment Form & Custom Form Builder | forminator |
Kaya QR Code Generator | kaya-qr-code-generator |
Landing Page Builder – Free Landing Page Templates | ultimate-landing-page |
Limit Login Attempts | limit-login-attempts |
Motor Racing League | motor-racing-league |
Neshan Maps | neshan-maps |
Newsletters | newsletters-lite |
Optima Express + MarketBoost IDX Plugin | optima-express |
Paytm – Donation Plugin | paytm-donation |
Pickup | Delivery | Dine-in date time | restaurant-pickup-delivery-dine-in |
PowerPress Podcasting plugin by Blubrry | powerpress |
Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin | pretty-link |
Product Catalog Feed by PixelYourSite | product-catalog-feed |
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress | quiz-master-next |
Restricted Site Access | restricted-site-access |
ReviewX – Multi-criteria Rating & Reviews for WooCommerce | reviewx |
Ruby Help Desk | ruby-help-desk |
ShiftController Employee Shift Scheduling | shiftcontroller |
Shortcodes by Angie Makes | wc-shortcodes |
Simple PopUp | simple-popup |
Stamped.io Product Reviews & UGC for WooCommerce | stampedio-product-reviews |
Stock Exporter for WooCommerce | stock-exporter-for-woocommerce |
SupportCandy – Helpdesk & Support Ticket System | supportcandy |
Ultimate Noindex Nofollow Tool II | ultimate-noindex-nofollow-tool-ii |
User registration & user profile – UserPlus | userplus |
Vimeotheque / Vimeo | codeflavors-vimeo-video-post-lite |
WP EasyPay – Square for WordPress | wp-easy-pay |
WP Inventory Manager | wp-inventory-manager |
WP Reroute Email | wp-reroute-email |
WP Roles at Registration | wp-roles-at-registration |
Watu Quiz | watu |
WooCommerce Wishlist by MC + (Free Elementor & Email Marketing Automation) | smart-wishlist-for-more-convert |
ZM Ajax Login & Register | zm-ajax-login-register |
a3 Portfolio | a3-portfolio |
hiWeb Migration Simple | hiweb-migration-simple |
tencentcloud-cos | tencentcloud-cos |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Betheme | betheme |
Blogger Buzz | blogger-buzz |
Educenter | educenter |
Square | square |
Vulnerability Details
SupportCandy <= 3.1.4 – Unauthenticated SQL Injection via parse_user_filters
CVE ID: CVE-2023-1730
CVSS Score: 9.8 (Critical)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ca1c55a-cd4e-429a-ab74-dd1bad1a65f5
ZM Ajax Login & Register <= 2.0.2 – Authentication Bypass
CVE ID: CVE-2023-2027
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b10d01ec-54ef-456b-9410-ed013343a962
Quiz and Survey Master <= 8.1.4 – Unauthenticated SQL Injection
CVE ID: CVE-2023-28787
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b29dcd7a-a0bc-4983-85ba-6ebf2c405ceb
Cyr to Lat <= 3.5 – Authenticated SQL Injection
CVE ID: CVE-2022-4290
CVSS Score: 8.8 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9c29130-1b42-4edd-ad62-6f635e03ae31
webpack JS package <= 5.75.0 – Sandbox Bypass
CVE ID: CVE-2023-28154
CVSS Score: 8.3 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1cda31a4-4c79-4567-a527-6510c31d2843
WP Reroute Email <= 1.4.6 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-27605
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/395a8ca6-78b8-43f2-8e8c-896702b5da0d
Paytm Payment Donation <= 2.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-28535
CVSS Score: 7.2 (High)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/534e6f80-b162-4a4b-a979-72ed63a8b0dc
Landing Page Builder – Free Landing Page Templates <= 3.1.9.8 – Local File Inclusion
CVE ID: CVE-2023-24379
CVSS Score: 7.2 (High)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c40bf215-81c1-423a-9d41-9a231dfc8053
Neshan Maps <= 1.1.4 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2022-47426
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee7eb754-27f0-47b0-a82f-4781cfbb0fa6
Stamped.io Product Reviews & UGC for WooCommerce <= 2.3.2 – Missing Authorization
CVE ID: CVE-2023-30479
CVSS Score: 6.5 (Medium)
Researcher/s: Fariq Fadillah Gusti Insani
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/490061dc-11f7-48f2-bc9a-974bedf16621
ReviewX <= 1.6.6 – Unauthenticated CSV Injection
CVE ID: CVE-2022-46809
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc465757-4295-4a75-90f6-92c4be4e8944
Limit Login Attempts <= 1.7.1 – Authenticated(Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1861
CVSS Score: 6.4 (Medium)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3334fc78-48c5-4cfa-ac83-5690fdbf590a
Affiliate Links Lite <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-22696
CVSS Score: 6.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9511d8f1-ab96-4695-aa8c-16a3482a6de4
a3 Portfolio <= 3.1.0 – Authenticated (Author+) Stored Cross-Site Scripting
CVE ID: CVE-2023-29097
CVSS Score: 6.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a190909-4b0f-4a44-8371-d79f64d323c2
Kaya QR Code Generator <= 1.5.2 – Authenticated(Contributor+) Stored Cross-Site Scripting via url parameter
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad8b5fd2-ba92-4afa-9b4a-a95936b9a18d
Product Catalog Feed by PixelYourSite <= 2.1.0 – Reflected Cross-Site Scripting via 'page'
CVE ID: CVE-2023-1805
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18d33d68-9719-4e74-a594-bc4add38ceee
Contact Form to DB <= 1.7.0 – Multiple Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19b21013-136a-41b0-a667-39f23ccedf2e
Watu Quiz <= 3.3.9.2 – Reflected Cross-Site Scripting via 'question'
CVE ID: CVE-2023-30483
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d24dbdf-8fb0-41c3-8c35-e0d65c6b96f5
WP Inventory Manager <= 2.1.0.11 – Reflected Cross-Site Scripting via 'message'
CVE ID: CVE-2023-1806
CVSS Score: 6.1 (Medium)
Researcher/s: Maurice Fielenbach
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/363ece80-1fa6-4019-84c9-e0a65f02625d
AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.4 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-30754
CVSS Score: 6.1 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d13ae87-f632-4eb0-bc71-5132ba6a9b13
Cloud Manager <= 1.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-0421
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d896366-a85d-49c9-9509-3f7454712474
Coupon Affiliates <= 5.4.5 – Reflected Cross-Site Scripting via 'page'
CVE ID: CVE-2023-30475
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c6fc6be-7e9a-40cb-b9cd-bb71d4f487f7
Vimeotheque <= 2.2.1 – Reflected Cross-Site Scripting via 'view' and 'page'
CVE ID: CVE-2023-30498
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72256ac2-72a7-4c3c-a892-1f1795671c5d
FooGallery <= 2.2.35 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-29439
CVSS Score: 6.1 (Medium)
Researcher/s: LOURCODE
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7181056-d2ee-4c0f-b9a8-fdb7ad042a6b
UserPlus <= 2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2023-0824
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/acd0349b-7864-4e4e-84ba-6f0ec5b585f3
ShiftController Employee Shift Scheduling <= 4.9.25 – Reflected Cross-Site Scripting via Query String
CVE ID: CVE-2023-1978
CVSS Score: 6.1 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b5c61212-e68e-4198-b078-18121576b767
hiWeb Migration Simple <= 2.0.0.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-0769
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9aacc69-aa46-4cdb-a301-c0bf2836d441
Betheme <= 26.7.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-29101
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c14b948f-129d-4223-b3ee-0bef1f9fc703
Product Catalog Feed by PixelYourSite <= 2.1.0 – Reflected Cross-Site Scripting via 'edit'
CVE ID: CVE-2023-1804
CVSS Score: 6.1 (Medium)
Researcher/s: Maurice Fielenbach
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d82d1dd2-b5b5-490a-92e5-1a4d4ab0085d
Booqable Rental Plugin <= 2.4.12 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-30746
CVSS Score: 5.5 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16f183a6-b8db-461e-b17d-2faa528ff0ff
Newsletters <= 4.8.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-30478
CVSS Score: 5.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cd6474f-72e1-4ec2-a056-3c05a0dfa173
PowerPress <= 10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-1917
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44583cb7-bc32-4e62-8431-f5f1f6baeff2
Custom Order Numbers for WooCommerce <= 1.4.0 – Cross-Site Request Forgery
CVE ID: CVE-2022-45367
CVSS Score: 5.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d19800a-bff3-414f-a809-0159f49d263a
Featured Post Creative <= 1.2.7 – Missing Authorization via wpfp_update_featured_post
CVE ID: CVE-2023-30488
CVSS Score: 5.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61585a02-fe7b-4a54-959f-346e4e0d6658
Blogger Buzz <= 1.2.1 – Missing Authorization via activate_plugin
CVE ID: CVE-2023-30476
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/823dce74-2688-4573-b0c8-353f1789ea48
Download Manager Pro <= 6.2.9 – Unauthenticated Information Disclosure
CVE ID: CVE-2023-1809
CVSS Score: 5.3 (Medium)
Researcher/s: Johan Kragt
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88d80702-a987-4b12-a003-2fa564fda409
Fantastic Content Protector Free <= 2.6 – Missing Authorization via update_setting_fantastic_content_protector
CVE ID: CVE-2023-25048
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b93f8036-4a89-45e6-b86f-9d57e1662a35
Shortcodes by Angie Makes <= 3.46 – Missing Authorization
CVE ID: CVE-2023-23725
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e20feb23-f78e-42e7-8922-e7cf37dbdcb1
Optima Express + MarketBoost IDX Plugin <= 7.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-30749
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/059e262b-ee63-4f8b-82ab-c12bcf70f879
External Videos <= 1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-30752
CVSS Score: 4.4 (Medium)
Researcher/s: Mahesh Nagabhairava
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/168e8512-d551-47f9-bc2b-c458180a6d13
Simple Popup Images <= 1.8.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-24406
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18c0ecc5-b3e2-4ac0-b901-dae397e2d57c
WP Roles at Registration <= 0.23 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-27609
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a4eeb77-7a8b-489f-8ded-bbe09e881758
Article Directory Redux <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-30751
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63c681e5-3110-4790-a075-4996fa1f2129
Motor Racing League <= 1.9.9 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-27614
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8876ecc4-1a50-43ac-9c8d-354f6de4abdd
Pickup | Delivery | Dine-in date time <= 1.0.9 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0894
CVSS Score: 4.4 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/936803ab-93d5-4808-8758-6b8f7c01b3c2
Easy Appointments <= 3.11.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-30748
CVSS Score: 4.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfe8d13b-f387-4c82-ba9f-efadda18c882
AI ChatBot <= 4.4.9 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1649
CVSS Score: 4.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cdb3fbaa-4d33-4754-848b-77e902ea4a85
Electric Studio Client Login <= 0.8.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-27425
CVSS Score: 4.4 (Medium)
Researcher/s: Padavishree
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e797c0ca-f348-4d9c-815e-0c1756686690
AFFILIATE Solution <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-30477
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef778a1d-d4ce-47fd-932b-9e86b38e2681
tencentcloud-cos <= 1.0.7 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0be21ac7-4f61-44fc-9ffc-ab65faa549f6
Forminator <= 1.22.1 – Missing Authorization on 'load_hcaptcha_preview' AJAX function
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ef15cb1-b320-42d9-a2fd-afff2ec8a93b
Database Collation Fix <= 1.2.7 – Cross-Site Request Forgery via admin_page
CVE ID: CVE-2023-23997
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31612b4b-a75f-4fa4-831b-43f62a8d5fad
Featured Post Creative <= 1.2.7 – Cross-Site Request Forgery via wpfp_update_featured_post
CVE ID: CVE-2023-30488
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33a47156-ee93-4b59-9f73-56be5c9e3b00
Educenter <= 1.5.1 – Missing Authorization via activate_plugin
CVE ID: CVE-2023-30480
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/344ad959-038a-46d1-b515-ae3473af8209
Shortlinks by Pretty Links <= 3.4.0 – Cross-Site Request Forgery via route
CVE ID: CVE-2022-47149
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5304da48-5d42-47ce-b1b1-dc04b8fa9dff
Stock Exporter for WooCommerce <= 1.1.0 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c4a9092-fd49-42fe-a84d-a9f7fe708122
Forminator <= 1.22.1 – Missing Authorization on 'load_recaptcha_preview' AJAX function
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/718e54f5-f040-42d6-958d-255d905615d5
Ultimate Noindex Nofollow Tool II <= 1.3.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-30474
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7761fe7c-e7f5-4bab-8820-42e6fcabcb2f
Stamped.io Product Reviews & UGC for WooCommerce <= 2.3.2 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a8c4232-2e1e-4c99-83d5-d70f7ca1c879
MC Woocommerce Wishlist <= 1.5.4 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c7f6ef2-6c50-4739-8844-0db7d9ffe7f7
WP Reroute Email <= 1.4.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-27606
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9c3a047f-be12-4308-a4a5-fbbbc37f674d
Enable Accessibility <= 1.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-30484
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0b8c4c3-eba2-4c20-b790-48eceeba898e
CoSchedule <= 3.3.8 – Cross-Site Request Forgery
CVE ID: CVE-2022-47165
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca55a7a0-da31-4d3f-845b-80f89ffbadf5
Forminator <= 1.22.1 – Missing Authorization on 'hubspot_support_request' AJAX function
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d0cb4434-94c5-42a9-bd86-869058dcbf67
Blocksy Companion <= 1.8.81 – Authenticated(Subscriber+) Sensitive Information Exposure via blocksy_posts shortcode
CVE ID: CVE-2023-1911
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d31aad1c-89d4-4f71-bfed-a795f7a4f209
Square <= 2.0.0 – Missing Authorization via activate_plugin
CVE ID: CVE-2023-30486
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3ca4c3c-2b20-42d4-8dcf-77f4d52c25a3
Better Search <= 3.1.0 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7a02502-bc3c-4fd1-b6db-7b3c476c141f
WP EasyPay <= 4.0.4 – Cross-Site Request Forgery
CVE ID: CVE-2022-47177
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2c1606e-b6b6-4f7d-8473-1015677ded7c
Ruby Help Desk <= 1.3.3 – Missing Authorization to Arbitrary Ticket Modification
CVE ID: CVE-2023-1125
CVSS Score: 4.3 (Medium)
Researcher/s: Ameen Alkurdy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd741e2d-5478-4b9a-83ab-7ccafdc5d12f
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments