Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 17, 2023 to Apr 23, 2023)
Last week, there were 152 vulnerabilities disclosed in 134 WordPress Plugins and 0 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 41 Vulnerability Researchers that contributed to WordPress Security last week. There were more unpatched vulnerabilities than patched last week, so it’s more important than ever to review those vulnerabilities in this report now to ensure your site is not affected and make the appropriate adjustments if your site is.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 81 |
Patched | 71 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 0 |
Medium Severity | 134 |
High Severity | 16 |
Critical Severity | 2 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 93 |
Cross-Site Request Forgery (CSRF) | 30 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 11 |
Missing Authorization | 10 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
Deserialization of Untrusted Data | 2 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
Information Exposure | 1 |
Improper Access Control | 1 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Lana Codes | 30 |
Marco Wotschka | 11 |
Yuki Haruma | 9 |
yuyudhn | 7 |
Muhammad Daffa | 6 |
LEE SE HYOUNG | 6 |
Rio Darmawan | 6 |
Sajjad Shariati | 6 |
Shreya Pohekar | 5 |
minhtuanact | 5 |
Justiice | 4 |
Ramuel Gall | 4 |
TEAM WEBoB of BoB 11th | 3 |
Mika | 3 |
Ivan Kuzymchak | 3 |
Le Ngoc Anh | 3 |
Erwan LR | 3 |
Cat | 3 |
WPScanTeam | 2 |
Lokesh Dachepalli | 2 |
Nguyen Xuan Chien | 2 |
Joshua Martinelle | 1 |
Rafie Muhammad | 1 |
Rafshanzani Suhada | 1 |
Nguyen Huu Do | 1 |
Ryo Sato | 1 |
Skalucy | 1 |
Shezad Master | 1 |
zhangyunpei | 1 |
Yeting Li VARAS@IIE | 1 |
Ameen Alkurdy | 1 |
Nithissh S | 1 |
Chien Vuong | 1 |
thiennv | 1 |
Alexander Schmid | 1 |
cydave | 1 |
easyBug | 1 |
Daniel Ruf | 1 |
Alex Thomas | 1 |
deokhunKim | 1 |
Lucio Sá | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
AI ChatBot | chatbot |
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
Accessibility Suite by Online ADA | online-accessibility |
Accordion & FAQ – Helpie WordPress Frequently Asked Questions plugin | helpie-faq |
Active Directory Integration / LDAP Integration | ldap-login-for-intranet-sites |
ActiveCampaign – Forms, Site Tracking, Live Chat | activecampaign-subscription-forms |
Ad Inserter – Ad Manager & AdSense Ads | ad-inserter |
Album Gallery – WordPress Gallery | new-album-gallery |
ApexChat | apexchat |
Avirato hotels online booking engine | avirato-calendar |
BBSpoiler | bbspoiler |
BadgeOS | badgeos |
Best Travel Booking WordPress Plugin, Tour Booking System, Trip Booking WordPress Plugin – Yatra | yatra |
Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop | woo-altcoin-payment-gateway |
BizLibrary | bizlibrary |
Booking calendar, Appointment Booking System | booking-calendar |
Button Builder – Buttons X | buttons-x |
CMP – Coming Soon & Maintenance Plugin by NiteoThemes | cmp-coming-soon-maintenance |
CMS Tree Page View | cms-tree-page-view |
Cab Grid | cab-grid |
Captcha Them All | captcha-them-all |
Category Specific RSS feed Subscription | category-specific-rss-feed-menu |
Church Admin | church-admin |
Clock In Portal- Staff & Attendance Management | clock-in-portal |
Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress | contact-form-to-db |
Continuous announcement scroller | continuous-announcement-scroller |
Custom Post Type List Shortcode | custom-post-type-list-shortcode |
Customer Support Software, Live Chat, & Marketing Automation | formilla-chat-and-marketing |
Dave’s WordPress Live Search | daves-wordpress-live-search |
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress | charitable |
EZP Maintenance Mode | easy-pie-maintenance-mode |
Easy Ad Manager | easy-ad-manager |
Easy Slider Revolution | easy-slider-revolution |
Ebook Store | ebook-store |
Email posts to subscribers | email-posts-to-subscribers |
Enable/Disable Auto Login when Register | auto-login-when-resister |
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks |
File Gallery | file-gallery |
Flyzoo Chat | flyzoo |
Form Block | form-block |
FormCraft – Contact Form Builder for WordPress | formcraft-form-builder |
Formilla Edge Targeted Messaging Platform for Sales and Marketing | formilla-edge |
Freshdesk (official) | freshdesk-support |
GDPR Compliance & Cookie Consent | gdpr-compliance-cookie-consent |
Gallery Metabox | gallery-metabox |
Google Analytics Top Content Widget | google-analytics-top-posts-widget |
Gps Plotter | gps-plotter |
Help Desk WP | helpdeskwp |
Image Optimizer by 10web – Image Optimizer and Compression plugin | image-optimizer-wd |
Japanized For WooCommerce | woocommerce-for-japan |
Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation | zero-bs-crm |
Kaya QR Code Generator | kaya-qr-code-generator |
Kiwiz – Certification de facturation – Woocommerce | woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz |
Kodex Posts likes | kodex-posts-likes |
LIQUID SPEECH BALLOON | liquid-speech-balloon |
Layer Slider | slider-slideshow |
LearnPress Export Import – WordPress extension for LearnPress | learnpress-import-export |
Live Chat by Formilla – Real-time Chat & Chatbots Plugin | formilla-live-chat |
Locatoraid Store Locator | locatoraid |
Login Page Styler | Custom Login | Custom WP Admin Login Page | Admin Security | Admin Protection | Login Page Customizer | Admin Login | Login Security | Login Redirect | Theme Login | Login Menu | Login Form | Admin Dashboard | Change Login Logo | Login | login-page-styler |
Mail Subscribe List | mail-subscribe-list |
Mega Addons For WPBakery Page Builder | mega-addons-for-visual-composer |
Membership Database | member-database |
Modal Dialog | modal-dialog |
Motors – Car Dealer, Classifieds & Listing | motors-car-dealership-classified-listings |
NEX-Forms – Ultimate Form Builder – Contact forms and much more | nex-forms-express-wp-form-builder |
Ninja Tables – Best Data Table Plugin for WordPress | ninja-tables |
OoohBoi Steroids for Elementor | ooohboi-steroids-for-elementor |
Panorama – WordPress Project Management Plugin | project-panorama-lite |
Post Shortcode | post-shortcode |
PowerPress Podcasting plugin by Blubrry | powerpress |
Pretty Url | pretty-url |
Product Slider For WooCommerce Lite | product-slider-for-woocommerce-lite |
PropertyHive | propertyhive |
Query Wrangler | query-wrangler |
RapidExpCart | rapidexpcart |
Redirect After Login | redirect-after-login |
Reservation.Studio widget | reservation-studio-widget |
Responsive Filterable Portfolio | responsive-filterable-portfolio |
ReviewX – Multi-criteria Rating & Reviews for WooCommerce | reviewx |
Robokassa payment gateway for Woocommerce | robokassa |
Semalt Blocker | semalt |
ShopEngine – Elementor WooCommerce Builder Addons, Variation Swatches, Wishlist, Products Compare – All in One Solution | shopengine |
Shortcode IMDB | shortcode-imdb |
Simple Share Buttons Adder | simple-share-buttons-adder |
Simple Tooltips | simple-tooltips |
SiteAlert – Uptime, Speed, and Security Monitoring for WordPress | my-wp-health-check |
Sloth Logo Customizer | sloth-logo-customizer |
Smart WooCommerce Search | smart-woocommerce-search |
Social Share Boost | social-share-boost |
SparkPost | sparkpost |
Stock Exporter for WooCommerce | stock-exporter-for-woocommerce |
Stream | stream |
Subscribers – Free Web Push Notifications | subscribers-com |
Tablesome – Data table & Workflow Automation ( Contact Form Entries, Email Log, OpenAI / ChatGPT ) | tablesome |
TaxoPress is the WordPress Tag, Category, and Taxonomy Manager | simple-tags |
The School Management – Education & Learning Management | school-management-system |
Themify Portfolio Post | themify-portfolio-post |
Thumbnail carousel slider | wp-responsive-thumbnail-slider |
Uji Popup | uji-popup |
Ultimate Carousel For Elementor | ultimate-carousel-for-elementor |
Ultimate Carousel For WPBakery Page Builder | ultimate-carousel-for-visual-composer |
Update Image Tag Alt Attribute | update-alt-attribute |
Verified Reviews (Avis Vérifiés) | netreviews |
Video Grid | video-grid |
Video List Manager | video-list-manager |
Visual CSS Style Editor | yellow-pencil-visual-theme-customizer |
WCP Contact Form | wcp-contact-form |
WP Cerber Security, Anti-spam & Malware Scan | wp-cerber |
WP Custom Author URL | wp-custom-author-url |
WP Docs | wp-docs |
WP Links Page | wp-links-page |
WP Login Box | wp-login-box |
WP Original Media Path | wp-original-media-path |
WP Popups – WordPress Popup builder | wp-popups-lite |
WP Responsive Tabs horizontal vertical and accordion Tabs | responsive-horizontal-vertical-and-accordion-tabs |
WP-FormAssembly | formassembly-web-forms |
WP-dTree | wp-dtree-30 |
WPJAM Basic | wpjam-basic |
White Label Branding for Elementor Page Builder | white-label-branding-elementor |
WooCommerce Easy Duplicate Product | woo-easy-duplicate-product |
WooCommerce Order Status Change Notifier | woocommerce-order-status-change-notifier |
Woocommerce Email Report | wooemailreport |
Woocommerce Products Designer by ORION – online product customizer for t-shirts, print cards, phone cases Lettering & Decals | woocommerce-products-designer |
WordPress Header Builder Plugin – Pearl | pearl-header-builder |
Wp-D3 | wp-d3 |
YARPP – Yet Another Related Posts Plugin | yet-another-related-posts-plugin |
YML for Yandex Market | yml-for-yandex-market |
YourChannel: Everything you want in a YouTube plugin. | yourchannel |
Zendesk Support for WordPress | zendesk |
eRocket | erocket |
f(x) TOC | fx-toc |
miniOrange’s Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login | miniorange-2-factor-authentication |
vSlider Multi Image Slider for WordPress | vslider |
Vulnerability Details
Email posts to subscribers <= 6.2 – Unauthenticated SQL Injection
CVE ID: CVE-2022-46818
CVSS Score: 9.8 (Critical)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51f73041-927d-42da-92cc-14242a397356
Bitcoin / AltCoin Payment Gateway for WooCommerce <= 1.7.1 – Unauthenticated SQL Injection
CVE ID: CVE-2022-4118
CVSS Score: 9.8 (Critical)
Researcher/s: cydave
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4e1315b-31e5-428c-9a48-6185b4eeb2fc
ReviewX – Multi-criteria Rating & Reviews for WooCommerce <= 1.6.8 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2023-26325
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/072092ef-17bc-4b8b-bf8b-bd69a761c56a
YARPP <= 5.30.2 – Authenticated (Subscriber+) Local File Inclusion
CVE ID: CVE-2022-45374
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1091862b-784b-496f-a951-6784544cb51b
Accessibility Suite by Online ADA <= 4.11 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2022-47420
CVSS Score: 8.8 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71c21af1-a007-4535-98ea-a6f25142bcf6
Avirato hotels online booking engine <= 5.0.5 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2023-0768
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b62fb1a8-d62d-4d1f-bcce-a081432b9e61
Contact Form to DB by BestWebSoft <= 1.7.0 – Authenticated (Contributor+) SQL Injection via cntctfrmtdb_department
CVE ID: CVE-2023-29096
CVSS Score: 8.8 (High)
Researcher/s: easyBug
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba317acb-d45c-42c0-b5fb-b163bcd59340
Kiwiz – Certification de facturation – Woocommerce <= 2.1.3 – Unauthenticated Arbitrary File Download
CVE ID: CVE-2023-2180
CVSS Score: 7.5 (High)
Researcher/s: WPScanTeam
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/603f0c9d-6964-4911-b4a5-bdad24a1a8dd
miniOrange’s Google Authenticator <= 5.6.5 – Missing Authorization to Plugin Settings Change
CVE ID: CVE-2022-4943
CVSS Score: 7.5 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23
Jetpack CRM <= 5.3.1 – Cross-Site Request Forgery and PHAR Deserialization
CVE ID: CVE-2022-3342
CVSS Score: 7.5 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98ab264f-b210-41d0-bb6f-b4f31d933f80
The School Management – Education & Learning Management <= 4.1 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2022-47430
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1268bdb9-7f80-4fdc-a95a-d51b0ab83e17
Ad Inserter <= 2.7.25 – Authenticated (Admin+) PHP Object Injection
CVE ID: CVE-2023-1549
CVSS Score: 7.2 (High)
Researcher/s: Nguyen Huu Do
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c94028c-a774-45ac-817d-ad9b966a3b51
Shortcode IMDB <= 6.0.8 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2022-47432
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ae6bf2e-b39a-4bb3-9203-22ff4c23ddf4
WP Cerber Security <= 9.1 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2022-4712
CVSS Score: 7.2 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6cd9cbba-10b0-4fb0-ad49-4593a307a615
Video List Manager <= 1.7 – Authenticated (Admin+) SQL Injection
CVE ID: CVE-2023-1408
CVSS Score: 7.2 (High)
Researcher/s: zhangyunpei, Yeting Li VARAS@IIE
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b2d42ab-46c1-4c3e-b99a-1cdcade1b5bb
Help Desk WP <= 1.2.0 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1019
CVSS Score: 7.2 (High)
Researcher/s: Ameen Alkurdy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ec5173b-7b0d-4887-8c13-f48137aa8593
Booking calendar, Appointment Booking System <= 3.2.6 – Authenticated (Administrator+) SQL Injection via *_selected
CVE ID: CVE-2022-47428
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9c44b6e5-7fb2-402e-8c8c-79d811ff0e9a
NEX-Forms <= 8.3.3 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-2114
CVSS Score: 7.2 (High)
Researcher/s: Alexander Schmid
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d19be8b-3e0b-4d74-97e0-f17132d2d34c
Ebook Store <= 5.775 – Missing Authorization via ebook_store_export_orders
CVE ID: CVE-2023-22701
CVSS Score: 6.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4b17cce-bb52-4125-8c85-6da15517275f
f(x) TOC <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0490
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09479df1-ff7e-4df8-9aea-8c7622ecea4e
Easy Slider Revolution <= 1.0.0 – Authenticated (Author+) Stored Cross-Site Scripting via esrcpt_slider_allow_iframes_filter
CVE ID: CVE-2023-28622
CVSS Score: 6.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14a20f9c-cf5a-4d57-b723-ad29a12c8881
Button Builder – Buttons X <= 0.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-23867
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1aea8fe3-7c75-4d3a-847a-ce0d1f9700f1
Uji Popup <= 1.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via uji_popup_code shortcode
CVE ID: CVE-2023-23641
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e81208c-771f-409e-b665-b07def0ca774
WPJAM Basic <= 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-23709
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a5ccc0b-a80a-41df-991c-5c356eb10512
ActiveCampaign – Forms, Site Tracking, Live Chat <= 8.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0233
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47e25cfa-fedf-413a-bfe7-18a1de429bc3
Mail Subscribe List <= 2.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via smlsubform shortcode
CVE ID: CVE-2023-23657
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55b39859-b8a0-418b-ae7a-cd42d6e0bf00
BBSpoiler <= 2.01 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-23873
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/789497b1-36cf-4de2-bca0-52c0c2a08f72
Product Slider For WooCommerce Lite <= 1.1.7 – Authenticated(Contributor+) Stored Cross-Site Scripting via Meta Keys
CVE ID: CVE-2023-0537
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8159ee7c-69ac-4422-ba8b-664f1fee8e07
Wp-D3 <= 2.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-0536
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89409461-c87e-4882-bf53-cc789e459b4f
Social Share Boost <= 4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via ssboost shortcode
CVE ID: CVE-2023-23688
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9290532f-58d7-4e7d-9fa0-89c7f82b0466
WP Links Page <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-22720
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ef3297d-8686-44aa-ac73-793b644be3f2
WP-FormAssembly <= 2.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3b164e0-de2e-40d5-935e-31f5bebd87cf
Mega Addons For WPBakery Page Builder <= 4.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-0268
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a443b20e-1686-4519-890d-e6f1838fb05c
WP Popups – WordPress Popup builder <= 2.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1905
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9747cda-735c-4087-8c4d-9c445c6d1596
Ultimate Carousel For Elementor <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0280
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0e35280-0c2a-4fe1-bfbe-3321338ff1a5
Custom Post Type List Shortcode <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0542
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b702f507-475a-4d45-8bb1-635f5f377c88
File Gallery <= 1.8.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via file_gallery_shortcode
CVE ID: CVE-2023-23676
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c11be4ba-1bed-4234-b475-468394b7be90
Ultimate Carousel For WPBakery Page Builder <= 2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-0267
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c97fc289-1ee3-4401-a57e-b4c8d998259e
FormCraft <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via fcb shortcode
CVE ID: CVE-2023-22717
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf17a817-6f61-43d5-9da2-58fbbef458d9
Post Shortcode <= 2.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-0526
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3e1d66d-34cf-491c-8a07-0f9efd3c9669
Kaya QR Code Generator <= 1.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via qrCode attribute
CVE ID: CVE-2023-30784
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4f0bb58-d904-4bf4-9e15-4ee6289c2df4
vSlider Multi Image Slider <= 4.1.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-22672
CVSS Score: 6.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14376064-13c4-4874-afea-395af2a1933d
WP Docs <= 1.9.8 – Missing Authorization via multiple AJAX actions
CVE ID: CVE-2023-30873
CVSS Score: 6.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45a870f4-7ad1-447b-81ea-5d9e9b67b1bb
Membership Database <= 1.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-0514
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07ede585-c0d2-4643-9c36-7b5da5f721bd
CMS Tree Page View <= 1.6.7 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-30868
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19796773-3d5f-458d-aab1-743b6835c71b
Church Admin <= 3.7.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-30782
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2204017a-0363-4f2f-909a-e0826463477c
Update Image Tag Alt Attribute <= 2.4.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-27455
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25b13322-d305-45db-8ac7-20762398dc21
Charitable <= 1.7.0.10 – Reflected Cross-Site Scripting
CVE ID: CVE-2022-47441
CVSS Score: 6.1 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b3b9576-7c7d-4665-92d5-03aa292cdbbe
WCP Contact Form <= 3.1.0 – Reflected Cross-Site Scripting via tab parameter
CVE ID: CVE-2023-22703
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33fd4542-0a46-4779-be02-d713dcbc8f96
Google Analytics Top Content Widget <= 1.5.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2015-10101
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4522480a-dfbf-4ff4-93c2-68b8cc15367c
RapidExpCart <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2023-0520
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52fde632-f3a4-48d5-8c2c-c42b9d20dcb7
ChatBot <= 4.4.4 – Unauthenticated Stored Cross-Site Scripting via Cross-Site Request Forgery
CVE ID: CVE-2023-1011
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56fad8de-6646-4305-83a9-0ed443c3aa7d
WooCommerce Easy Duplicate Product <= 0.3.0.0 – Reflected Cross-Site Scripting via wedp_duplicated
CVE ID: CVE-2023-30747
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b06d68e-153d-4cee-94d5-cbeac7468665
Tablesome <= 1.0.8 – Reflected Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8d769308-6273-4ed2-b64a-d9f065de4cce
YellowPencil Visual CSS Style Editor <= 7.5.8 – Reflected Cross-Site Scripting liveLink
CVE ID: CVE-2022-33961
CVSS Score: 6.1 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/967ff273-33f3-4580-928a-7764583429aa
Sloth Logo Customizer <= 2.0.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2023-0603
CVSS Score: 6.1 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/974f14e8-1a59-4ba5-8806-b4d8b135315e
Modal Dialog <= 3.5.14 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-31071
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99140d47-88bb-48a1-863a-93a558541800
Thumbnail carousel slider <= 1.1.9 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-1915
CVSS Score: 6.1 (Medium)
Researcher/s: Chien Vuong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99711f41-d21b-4725-acc8-9542283daf12
Yml for Yandex Market <= 3.10.7 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-30473
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a823a21e-78b5-4186-bb67-88799509970d
Woocommerce Email Report <= 2.4 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-27627
CVSS Score: 6.1 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abdbee50-b8c3-4254-a828-37629a798c92
Stock Exporter for WooCommerce <= 1.1.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-30871
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b65184e6-8072-4dd7-8291-c92817e55beb
Query Wrangler <= 1.5.51 – Reflected Cross-Site Scripting via page parameter
CVE ID: CVE-2023-30779
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c79d781e-4c11-43e9-8c5f-aa89e8fbf635
Video Grid <= 1.21 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-30785
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c92e166d-2ede-4280-a875-d30c0cf6f467
RapidExpCart <= 1.0 – Authenticated (Level 8/Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0520
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc1e480c-577a-467a-8297-747512286a39
Video Grid <= 1.21 – Reflected Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db5247ad-dbbf-4d8e-92f5-3a673b97d080
Responsive Filterable Portfolio <= 1.0.19 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2119
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e67dfe0f-ac1c-4a78-bfc9-0cfd6c3040d4
Japanized For WooCommerce <= 2.5.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-0948
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea7d643c-3388-469f-b4a9-5c68341e2af0
PropertyHive <= 1.5.48 – Reflected Cross-Site Scripting via date_post_id
CVE ID: CVE-2023-22706
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea82e978-a653-4ae3-94aa-bc77b94a176c
Thumbnail carousel slider <= 1.1.9 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2120
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4bf4e12-5cbb-45bc-938e-62163baaa15d
ARMember <= 4.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2022-47140
CVSS Score: 6.1 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd22babc-f1a9-4f50-9756-fe692105dca3
WP Responsive Tabs horizontal vertical and accordion Tabs <= 1.1.15 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2184
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fe54c37f-1421-48aa-b502-045847d13ae3
Themify Portfolio Post <= 1.2.2 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2022-32970
CVSS Score: 5.5 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f3c3629-b7a9-4f83-a821-64119ed662ce
TaxoPress <= 3.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2168
CVSS Score: 5.5 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c051bfd-2754-4faf-8062-91752555166c
TaxoPress <= 3.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2169
CVSS Score: 5.5 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52574d99-1ffe-4152-bf13-9cdd11d7300a
YourChannel <= 1.2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1869
CVSS Score: 5.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a81d5615-0b96-4d89-a525-7e80a10a9317
TaxoPress <= 3.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2170
CVSS Score: 5.5 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e98ed932-4e4c-4127-ae72-500e2a34f371
Motors – Car Dealer & Classified Ads <= 1.4.4 – Cross-Site Request Forgery via Multiple Functions
CVE ID: CVE-2022-38716
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0ca9e920-3c7a-4991-8c24-2e55c4f4767c
LearnPress – Export/Import Courses <= 4.0.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-30487
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1322e229-5e0b-4c3d-ae96-e211a2831842
PowerPress <= 10.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-30778
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c40c28f-554f-42d0-9f6d-a899d8f61519
Smart WooCommerce Search <= 2.5.0 – Missing Authorization
CVE ID: CVE-2023-30783
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59931266-766f-42d2-bcde-04d694a444b0
ShopEngine <= 4.1.1 – Cross-Site Request Forgery
CVE ID: CVE-2022-45371
CVSS Score: 5.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94abb34a-4451-4f41-ba23-d2a723e5a2e7
Freshdesk (official) <= 1.7 – Open Redirect
CVE ID: CVE-2015-10102
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6f20fc3-41e5-4220-ac8b-54eb11719f07
Locatoraid Store Locator <= 3.9.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-2031
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dba0a90b-f13c-4914-b6b7-278227ffc122
Active Directory Integration / LDAP Integration <= 4.1.0 – Unauthenticated Information Disclosure
CVE ID: CVE-2023-0812
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2568018b-29f3-4261-ae0d-658ca9d96846
CMP – Coming Soon & Maintenance <= 4.1.7 – Maintenance Mode Bypass
CVE ID: CVE-2023-2159
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af955f69-b18c-446e-b05e-6a57a5f16dfa
Helpie FAQ <= 1.9.6 – Reflected Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f389f4bf-ffff-4862-b4e2-4465ca0556ef
Formilla Live Chat <= 1.3.0 – Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaID’
CVE ID: CVE-2023-23727
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/044e110d-2435-41b8-8aec-917c329b944c
Dave’s WordPress Live Search <= 4.8.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-30876
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/046ecbe5-4b2f-40d3-8585-4d4230ba33f0
Yatra <= 2.1.13 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2022-47436
CVSS Score: 4.4 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07372843-f7d3-4ae4-96b4-ef3f475504ff
Ebook Store <= 5.775 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-22690
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/097f6887-e15f-4e35-ab12-1115630e13cc
WP Original Media Path <= 2.4.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-23674
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/277eb517-c949-41e9-becf-af056fd32f35
Verified Reviews (Avis Vérifiés) <= 2.3.13 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23720
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3044dbfc-e12d-47e0-a297-67ff0510eded
Login Page Styler <= 6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2022-46861
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d70cd0a-5c30-4a9b-81e8-e465d1e8f2b0
WP Custom Author URL <= 1.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1614
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f3a57ce-eead-4631-93da-ba1a0a33ec2d
Formilla Edge <= 1.0 – Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaPluginID’
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59f7a1b2-f718-40e7-8030-b9212edf71b7
Captcha Them All <= 1.3.3 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-30786
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e2c83b6-3444-4cd1-82ec-567937c563b9
WP Login Box <= 2.0.2 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0544
CVSS Score: 4.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66c58d4c-8c36-40af-827d-0e86f2110e3c
Subscribers – Free Web Push Notifications <= 1.5.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-22684
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66e78219-b3fd-40e9-a58c-8e27ef3c5e4a
Pretty Url <= 1.5.4 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2009
CVSS Score: 4.4 (Medium)
Researcher/s: Shezad Master
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f54fb59-03c1-45e9-a498-1fa1409c4466
Flyzoo Chat <= 2.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2022-46817
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74ea8f1e-d6ff-4a32-b8bf-5d4c8e69433e
Robokassa payment gateway for Woocommerce <= 1.4.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75824b96-8674-4340-9e56-b0cb0f52503d
White Label Branding for Elementor Page Builder <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-23683
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e187b71-860e-4404-bbe2-193c6ecfd485
Category Specific RSS feed Subscription <= v2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-22685
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ac9c146-5065-46fc-b2ae-20b820a8016b
Formilla Chat and Marketing Automation <= 1.0 – Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaToolsID’
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5436d14-cbb5-420f-9f3a-698ce59c1e1e
Semalt Blocker <= 1.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23794
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a658d150-bcd5-4334-b07a-e09b3995169d
SparkPost <= 3.2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-23654
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab86ddc9-9b43-4949-b150-7b944bc40558
EZP Maintenance Mode <= 1.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-23682
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac1239c9-72a6-44d8-911f-70a528c66c62
Redirect After Login <= 0.1.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-27624
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad1a79f3-274f-4a33-a752-669c09c2d47d
GPS Plotter <= 5.1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-30874
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca449d15-b05e-4341-99b0-472a14cab8f4
WP-dTree <= 4.4.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2022-47423
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cde92185-d63a-47b3-a17e-3f2b2b20270c
Panorama – WordPress Project Management Plugin <= 1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23810
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d131115b-e2c9-42c6-9262-a19272944652
Continuous announcement scroller <= 13.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2022-46819
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d88eb628-09c9-451c-b5ae-f26a93514447
ApexChat <= 1.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-28414
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbe8d164-85c7-444d-80ad-4d03151b939b
Simple Tooltips <= 2.1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-25958
CVSS Score: 4.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc7e4235-5f40-48c2-8474-cf57af5e35bd
Cab Grid <= 1.5.15 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28533
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e09c629b-9908-4548-b828-9e6140ff5670
Image Optimizer WD <= 1.0.26 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5eea72d-f10b-460b-be00-bb5b1c4a1a62
BizLibrary <= 1.1 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0892
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee7513d9-e76c-4da4-919b-ba376f0c4022
Easy Ad Manager <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-25460
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7750f70-e79c-45fb-b792-ba6a4da59964
eRocket <= 1.2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28174
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb9b8f3a-6f49-455d-99c6-cdf5671af49d
Ninja Tables <= 4.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2022-47137
CVSS Score: 4.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc296c70-358e-4908-be49-5ffae83aca9b
GDPR Compliance & Cookie Consent <= 1.2 – Cross-Site Request Forgery
CVE ID: CVE-2022-45815
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/052b345a-7b71-4de5-9bf8-8b81cc1b4e77
Image Optimizer by 10web <= 1.0.25 – Directory Traversal to Information Exposure
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b4a0dff-1054-4f50-8ff5-e3cc2b45d77b
Essential Blocks <= 4.0.6 – Missing Authorization via get
CVE ID: CVE-2023-2084
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0be8c668-0f1c-4f83-8a71-49c8bb9b67ae
Album Gallery – WordPress Gallery <= 1.4.9 – Cross-Site Request Forgery via album-gallery-column-settings.php
CVE ID: CVE-2023-23646
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f3df75e-cf2f-4076-b5ff-b8540408044a
Layer Slider <= 1.1.9.6 – Cross-Site Request Forgery via save_slide_ajax
CVE ID: CVE-2023-23671
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ad366f1-2369-4fb2-aeda-301c85cf6801
Enable/Disable Auto Login when Register <= 1.1.0 Cross-Site Request Forgery
CVE ID: CVE-2023-0522
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1fa45fa7-b1da-42f0-945b-2a6b0db5ba91
Zendesk Support for WordPress <= 1.8.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-23716
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/212b7da7-bd3e-42df-8b50-a3eb472cf440
LIQUID SPEECH BALLOON <= 1.1.8 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE-2023-27889
CVSS Score: 4.3 (Medium)
Researcher/s: Ryo Sato
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23980e13-b632-43ec-938e-8171884cb87b
Ninja Tables <= 4.3.4 – Cross-Site Request Forgery
CVE ID: CVE-2022-47136
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/338158b5-bbda-4cd8-b4ea-97a3926a0989
Clock In Portal <= 2.1 – Cross-Site Request Forgery To Staff Deletion
CVE ID: CVE-2023-0761
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51ce7b71-0a19-48ef-8748-3848742c542b
Clock In Portal <= 2.1 – Cross-Site Request Forgery to Holidays Deletion
CVE ID: CVE-2023-0763
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c852fa1-698b-4e72-b781-095e2a98df81
WP Docs <= 1.9.8 – Cross-Site Request Forgery to folder management
CVE ID: CVE-2023-30873
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6003b1bf-b176-4ca9-9de2-58133259e0f6
Pearl <= 1.3.4 – Cross-Site Request Forgery via stm_hb_save_settings
CVE ID: CVE-2022-38356
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6058da9e-8ca3-4966-bb10-e5da526e8c7e
WooCommerce Order Status Change Notifier <= 1.1.0 – Authenticated (Subscriber+) Arbitrary Order Status Update
CVE ID: CVE-2023-2179
CVSS Score: 4.3 (Medium)
Researcher/s: WPScanTeam
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66bc83f5-0f6c-425f-a560-e79e777b76ca
Woocommerce Product Designer <= 4.3.3 – Cross-Site Request Forgery
CVE ID: CVE-2022-46856
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70d168a4-a659-4354-889e-7907215351a2
Kodex Posts likes <= 2.4.3 – Cross-Site Request Forgery
CVE ID: CVE-2022-46814
CVSS Score: 4.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77d56f61-7e45-405e-878d-fa3d53acede0
Reservation.Studio widget <= 1.0.9 – Cross-Site Request Forgery via plugin settings
CVE ID: CVE-2023-25468
CVSS Score: 4.3 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/783e5794-0d74-4b7a-a1cd-2b834a50c50c
BadgeOS <= 3.7.1.6 – Cross-Site Request Forgery
CVE ID: CVE-2022-41987
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7bb1be6d-5af9-4b58-a641-05a913548fe7
Essential Blocks <= 4.0.6 – Missing Authorization via template_count
CVE ID: CVE-2023-2086
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9efc782a-ec61-4741-81fd-a263a2739e16
Gallery Metabox <= 1.5 – Cross-Site Request Forgery via gallery_remove
CVE ID: CVE-2022-47134
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f8b1103-71b2-421e-bcbe-f2716b59e367
Essential Blocks <= 4.0.6 – Missing Authorization via templates
CVE ID: CVE-2023-2085
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad2c1ab6-5c78-4317-b5e7-c86e2eebeb4f
SiteAlert (Formerly WP Health) <= 1.9.7 – Cross-Site Request Forgery
CVE ID: CVE-2022-46857
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1870c6e-23b6-4f3b-adba-72633d62dfd0
OoohBoi Steroids for Elementor <= 2.1.4 – Missing Authorization leading to Authenticated (Subscriber+) Image Upload
CVE ID: CVE-2023-1169
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c56ed896-9267-49e6-a207-fe5362fe18cd
Clock In Portal <= 2.1 – Cross-Site Request Forgery To Designation Deletion
CVE ID: CVE-2023-0762
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c6b17e90-42df-47ed-9e92-f5f1b990f921
Form Block <= 1.0.1 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb18d6d8-28e5-4125-9209-a71403f678f0
Clock In Portal <= 2.1 – Cross-Site Request Forgery to Designation Deletion
CVE ID: CVE-2023-0762
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc97109c-187f-43b7-b5ed-5afeec5ea8fd
Essential Blocks <= 4.0.6 – Cross-Site Request Forgery via save
CVE ID: CVE-2023-2087
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d38d41c7-8786-4145-9591-3e24eff3b79c
Clock In Portal <= 2.1 – Cross-Site Request Forgery to Staff Deletion
CVE ID: CVE-2023-0761
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d8ec03c6-6ea9-4017-915a-e10b757d98ff
Clock In Portal <= 2.1 – Cross-Site Request Forgery To Holiday Deletion
CVE ID: CVE-2023-0763
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddc0261d-56ed-47a6-a0b2-0ab5f9dee815
Simple Share Buttons Adder <= 8.4.6 – Cross-Site Request Forgery
CVE ID: CVE-2022-47178
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e57bfae5-4cc0-4d97-9431-4c8ebb2f0882
Stream <= 3.9.2 – Cross-Site Request Forgery
CVE ID: CVE-2022-43490
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7203b5c-5753-453c-8fc2-26fcebdeea5b
Essential Blocks <= 4.0.6 – Missing Authorization via save
CVE ID: CVE-2023-2083
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8bf0933-1c97-4374-b323-c55b91fe4d27
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments