Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 27, 2023 to Apr 2, 2023)
Last week, there were 82 vulnerabilities disclosed in 70 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 34 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Elementor Pro <= 3.11.6 - Authenticated(Subscriber+) Privilege Escalation via update_page_option
- Filebird <= 5.1.4 - Missing Authorization via resAdminPermissionsCheck
- Themeflection Numbers <= 1.8.1 - Authenticated(Subscriber+) Privilege Escalation via tf_numb_save_licenses
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 21 |
Patched | 61 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 1 |
Medium Severity | 65 |
High Severity | 14 |
Critical Severity | 2 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 37 |
Cross-Site Request Forgery (CSRF) | 23 |
Missing Authorization | 11 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 7 |
Information Exposure | 2 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
Deserialization of Untrusted Data | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Lana Codes | 9 |
Rio Darmawan | 8 |
thiennv | 5 |
Erwan LR | 4 |
yuyudhn | 4 |
Dave Jong | 3 |
MyungJu Kim | 3 |
dc11 | 3 |
Mika | 2 |
minhtuanact | 2 |
TEAM WEBoB of BoB 11th | 2 |
Juampa Rodríguez | 1 |
nlpro | 1 |
Abdi Pranata | 1 |
muhga | 1 |
Shreya Pohekar | 1 |
Muhammad Daffa | 1 |
Cat | 1 |
Junsu Yeo | 1 |
Jerome Bruandet | 1 |
Kunal Sharma | 1 |
Daniel Krohmer | 1 |
Le Ngoc Anh | 1 |
Alex Sanford | 1 |
Joshua Martinelle | 1 |
Marco Wotschka | 1 |
Jeong Seong Ho | 1 |
Phd | 1 |
qilin_99 | 1 |
pilvar | 1 |
Alex Thomas | 1 |
Rafshanzani Suhada | 1 |
Justiice | 1 |
Yuki Haruma | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
AI ChatBot | chatbot |
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
Advanced Local Pickup for WooCommerce | advanced-local-pickup-for-woocommerce |
Advanced Page Visit Counter – Advanced WordPress Visit Counter | advanced-page-visit-counter |
Advanced Shipment Tracking for WooCommerce | woo-advanced-shipment-tracking |
Affiliates Manager | affiliates-manager |
Albo Pretorio On line | albo-pretorio-on-line |
Conditional cart fee / Extra charge rule for WooCommerce extra fees | conditional-extra-fees-for-woocommerce |
Configurable Tag Cloud (CTC) | configurable-tag-cloud-widget |
Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress | contest-gallery |
Continuous Image Carousel With Lightbox | continuous-image-carousel-with-lightbox |
Coupon Affiliates – WooCommerce Affiliate Plugin | woo-coupon-usage |
Custom More Link Complete | custom-more-link-complete |
Custom Post Type UI | custom-post-type-ui |
Custom Post Type and Taxonomy GUI Manager | custom-post-type-cpt-cusom-taxonomy-ct-manager |
Direct checkout, Add to cart redirect, Quick purchase button, Buy now button, Quick View button for WooCommerce | add-to-cart-direct-checkout-for-woocommerce |
Easy Forms for Mailchimp | yikes-inc-easy-mailchimp-extender |
Easy Media Replace | easy-media-replace |
Easy Quiz Maker | n-media-wp-simple-quiz |
Elementor Website Builder Pro | elementor-pro |
Enhanced WP Contact Form | enhanced-wordpress-contactform |
Feed Them Social – Page, Post, Video, and Photo Galleries | feed-them-social |
FileBird – WordPress Media Library Folders & File Manager | filebird |
Full Width Banner Slider Wp | full-width-responsive-slider-wp |
GMAce | gmace |
Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress | gallery-plugin |
Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) | gift-voucher |
HT Menu – WordPress Mega Menu Builder for Elementor | ht-menu-lite |
Happy Addons for Elementor | happy-elementor-addons |
HappyFiles Pro | happyfiles-pro |
Health Check & Troubleshooting | health-check |
JustTables – WooCommerce Product Table | just-tables |
LionScripts: IP Blocker Lite | ip-address-blocker |
MS-Reviews | ms-reviews |
Maps Widget for Google Maps | google-maps-widget |
Mega Main Menu | mega_main_menu |
Mobile Banner | mobile-banner |
Newsletter – Send awesome emails from WordPress | newsletter |
Order date, Order pickup, Order date time, Pickup Location, delivery date for WooCommerce | pi-woocommerce-order-date-time-and-type |
Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin | pagination |
Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | wp-user-avatar |
PixFields | pixfields |
Popup Anything – A Marketing Popup and Lead Generation Conversions | popup-anything-on-click |
Premmerce Redirect Manager | premmerce-redirect-manager |
Product Specifications for Woocommerce | product-specifications |
Quick Paypal Payments | quick-paypal-payments |
Really Simple Google Tag Manager | really-simple-google-tag-manager |
Responsive Vertical Icon Menu | wpdevart-vertical-menu |
Review Stream | review-stream |
Simple Author Box | simple-author-box |
Slimstat Analytics | wp-slimstat |
Social Proof (Testimonial) Slider | social-proof-testimonials-slider |
Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) | swatchly |
Themeflection Numbers – Number Counter and Animated Numbers | tf-numbers-number-counter-animaton |
Trending/Popular Post Slider and Widget | wp-trending-post-slider-and-widget |
Video Central for WordPress | video-central |
WC Fields Factory | wc-fields-factory |
WP Image Carousel | wp-image-carousel |
WP Meta SEO | wp-meta-seo |
WP VR – 360 Panorama and Virtual Tour Builder For WordPress | wpvr |
WPMobile.App — Android and iOS Mobile Application | wpappninja |
Weaver Show Posts | show-posts |
Welcome Bar | intelly-welcome-bar |
WishSuite – Wishlist for WooCommerce | wishsuite |
Woocommerce Custom Checkout Fields Editor With Drag & Drop | woo-custom-checkout-fields |
WordPress Contact Forms by Cimatti | contact-forms |
Wp Ultimate Review | wp-ultimate-review |
Zippy | zippy |
affiliate-toolkit – WordPress Affiliate Plugin | affiliate-toolkit-starter |
iThemes Security | better-wp-security |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Viral Mag | viral-mag |
Vulnerability Details
ARMember <= 3.4.11 – Unauthenticated SQL Injection
CVE ID: CVE-2022-46808
CVSS Score: 9.8 (Critical)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ff230b0-c186-41fc-93a5-2ed90e8aab4d
Gift Cards (Gift Vouchers and Packages) <= 4.3.1 – Unauthenticated SQL Injection
CVE ID: CVE-2023-28662
CVSS Score: 9.8 (Critical)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a10a3f01-082d-4a94-89c6-b5b46891aa4d
Elementor Pro <= 3.11.6 – Authenticated(Subscriber+) Privilege Escalation via update_page_option
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Jerome Bruandet
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/570474f2-c118-45e1-a237-c70b849b2d3c
WC Fields Factory <= 4.1.5 – Authenticated(Subscriber+) SQL Injection
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c51f55f-6e8c-467c-999b-4e6a1a6f7bbc
GMAce <= 1.5.2 – Cross-Site Request Forgery to Arbitrary File Modification (Creation/Overwrite/Deletion)
CVE ID: CVE-2023-1509
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/826b3913-9a37-4e15-80fd-b35cefb51af8
Advanced Page Visit Counter <= 6.4.2 – Authenticated (Contributor+) SQL Injection
CVE ID: CVE-2023-28788
CVSS Score: 8.8 (High)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/871e5091-bb20-4a53-83e2-85ed6f26247a
WP Meta SEO <= 4.5.4 – Authenticated (Author+) PHAR Deserialization
CVE ID: CVE-2023-1381
CVSS Score: 8.8 (High)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f07d76e-1973-4ea7-b448-666466cd688f
Slimstat Analytics <= 4.9.3.3 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af075ffe-553a-4351-a696-5c678788f3b9
Gallery by BestWebSoft <= 4.6.9 – Authenticated (Author+) SQL Injection
CVE ID: CVE-2023-0765
CVSS Score: 8.8 (High)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbfbb06c-f048-4912-9ff7-59aa10bc96bd
Themeflection Numbers <= 1.8.1 – Authenticated(Subscriber+) Privilege Escalation via tf_numb_save_licenses
CVE ID: CVE-2023-0889
CVSS Score: 8.8 (High)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db6616b5-4c4e-4cc7-83eb-22fac94f47f2
Easy Media Replace <= 0.1.3 – Authenticated (Author+) Arbitrary File Deletion
CVE ID: CVE-2022-46850
CVSS Score: 8.1 (High)
Researcher/s: Jeong Seong Ho
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abb4af63-37fe-49b7-8f70-ac9c7e47e939
WC Fields Factory <= 4.1.5 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-0277
CVSS Score: 7.2 (High)
Researcher/s: Kunal Sharma, Daniel Krohmer
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70ca7ad4-6848-4f87-ae2d-4b9c2ffa668e
Easy Quiz Maker <= 1.5 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8566a5ad-df8a-4843-82c9-05da9d44582d
Coupon Affiliates <= 5.4.3 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-28992
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0d93ee4-63e1-4fa7-9346-f56354124b9a
WordPress Contact Forms by Cimatti <= 1.5.4 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-28781
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4b2587a-e84e-4149-b9ac-ecf36451f815
ProfilePress <= 4.5.3 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2022-47444
CVSS Score: 7.2 (High)
Researcher/s: pilvar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8416840-c022-40a1-bcd3-17b34df11d95
WP Image Carousel WordPress – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-0589
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f4bb514-80bd-4d66-a60f-0a6a287af5de
Easy Forms for MailChimp <= 6.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1325
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1be5da88-723a-4386-a73e-3fe90eefb6ba
MS-Reviews <= 1.5 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0424
CVSS Score: 6.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68fd5e6f-9883-4e8f-9c4f-5905b487629a
Video Central for WordPress <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0418
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/87eb6644-fd70-42a1-b05d-b166cb89c45c
Gallery by BestWebSoft <= 4.6.9 – Authenticated (Author+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0764
CVSS Score: 6.4 (Medium)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94868d48-2d36-49f1-9da1-7965ecaeae3c
Weaver Show Posts <= 1.6 – Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name
CVE ID: CVE-2023-1404
CVSS Score: 6.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8647c44-4879-4895-bd07-19f7d62a7326
PixFields <= 0.7.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2022-46844
CVSS Score: 6.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7f86396-2f3f-4cd6-b3d4-e518b074a579
HappyFiles Pro <= 1.8.1 – Missing Authorization to Arbitrary File Deletion
CVE ID: CVE-2023-25446
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7bfabeb4-c57d-412a-b27b-a6387d30081f
HappyFiles Pro <= 1.8.1 – Missing Authorization
CVE ID: CVE-2023-25445
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d293f35a-a42f-441f-b521-da0ba9887c45
Health Check & Troubleshooting <= 1.5.1 – Cross-Site Request Forgery via health_check_troubleshoot_get_captures
CVE ID: CVE Unknown
CVSS Score: 6.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8d75eb6-2a9f-4c33-9e15-db7db037b67e
Continuous Image Carousel With Lightbox <= 1.0.15 – Reflected Cross-Site Scripting via search_term, order_by and order_pos
CVE ID: CVE-2023-28792
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b4651d8-dad7-4f6f-a47d-2095b9d2bdca
Custom Post Type and Taxonomy GUI Manager <= 1.1 – Cross-Site Request Forgery to Cross-Site Scripting
CVE ID: CVE-2023-0420
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26c75a0a-8590-4ac7-814e-29e0c2d0822e
Contest Gallery <= 21.1.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-28784
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dbd3b23-cebc-4212-bcae-c6f23031c040
Product Specifications for Woocommerce <= 0.6.0 – Unauthenticated Reflected Cross-Site Scripting via Arbitrary Query String Parameter
CVE ID: CVE-2022-46858
CVSS Score: 6.1 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/916d4f2f-769b-4902-9464-f55d8f64c9d2
Responsive Vertical Icon Menu <= 1.5.8 – Reflected Cross-Site Scripting via 'id'
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a999044-5d4a-4415-a3b9-28c564e63a25
Woocommerce Custom Checkout Fields Editor With Drag & Drop <= 0.1 – Reflected Cross-Site Scripting via 'tab'
CVE ID: CVE-2022-46864
CVSS Score: 6.1 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9e3899d8-170e-481f-8c80-90addc66eb41
Albo Pretorio Online <= 4.6 – Reflected Cross-Site Scripting via 'Errore'
CVE ID: CVE-2023-28750
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad8f8c41-a3b9-4287-b6b2-489fb77b7553
Contact Forms by Cimatti <= 1.5.4 – Reflected Cross-Site Scripting via 'form-field-id', 'edit-fid', 'id', 'name', 'type', 'description' Parameters
CVE ID: CVE-2023-28789
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b512f9a9-6c83-416c-bacc-ee3bba8dfe29
Easy Forms for MailChimp <= 6.8.7 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-1324
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c30d517b-e051-408c-a022-4399c3d62390
Full Width Banner Slider Wp <= 1.1.7 – Reflected Cross-Site Scripting via search_term and setacrionpage
CVE ID: CVE-2023-24392
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb4bb127-360d-4f17-9da9-f7be17140ff3
affiliate-toolkit – WordPress Affiliate Plugin <= 3.3.3 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23786
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8dda7b14-c341-434b-85f1-029f384c65d6
Mega Main Menu <= 2.2.2 – Authenticated (Administrator+) Cross-Site Scripting
CVE ID: CVE-2023-1575
CVSS Score: 5.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a44ce6a3-0a9d-4bce-9251-f3a38b000645
Continuous Image Carousel With Lightbox <= 1.0.15 – Reflected Cross-Site Scripting via search_term, order_by and order_pos
CVE ID: CVE-2023-28776
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a196177-2786-4f6d-8076-f0232e4d5a5d
IP Blocker Lite <= 11.1.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-23993
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45d3f82b-9e19-4678-8995-7fe265606fd2
AI ChatBot <= 4.4.7 – Missing Authorization on openai_settings_option_callback
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b33bf55c-0397-44a2-8c18-ea5f8f1e2ec9
Filebird <= 5.1.4 – Missing Authorization via resAdminPermissionsCheck
CVE ID: CVE-2023-25966
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d5a6e9f4-dbc3-4af0-b9e4-4c9ad7b5fe9f
Custom Post Type UI <= 1.13.4 – Cross-Site Request Forgery to Sensitive Information Exposure
CVE ID: CVE-2023-1623
CVSS Score: 5.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f28afb93-b72a-4a56-994b-144124202147
JustTables – WooCommerce Product Table <= 1.4.9 – Cross-Site Request Forgery via plugin_activation()
CVE ID: CVE-2023-23803
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2b795d8-3cab-4d81-a016-b4498315ddf4
iThemes Security <= 8.1.4 – Open Redirection via redirect_to_https
CVE ID: CVE-2023-28786
CVSS Score: 4.7 (Medium)
Researcher/s: nlpro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/047cd34e-f2a1-4643-a1c5-3ead926b83ca
Newsletter <= 7.6.8 – Reflected Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa49346c-726e-41f9-8a74-adaa4a8fa5d9
WPMobile.App <= 11.20 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28932
CVSS Score: 4.4 (Medium)
Researcher/s: Juampa Rodríguez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02b5aefe-ba27-4273-927c-7779df83eb18
Quick Paypal Payments <= 5.7.26.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a507489-f337-4b47-9506-daea1b426798
Review Stream <= 1.6.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28774
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b645d0e-daee-4926-af47-05cacf811fbf
Conditional cart fee / Extra charge rule for WooCommerce extra fees <= 1.0.96 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-29093
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/797840ba-5589-42d6-9d50-52bf8c131d6e
Enhanced WP Contact Form <= 2.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23812
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e91a6bd-05ae-4088-8c1f-bc5598545606
Custom More Link Complete <= 1.4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23788
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/698079d0-b539-431c-98c3-c69d0352d214
Direct checkout, Add to cart redirect for Woocommerce <= 2.1.48 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28988
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6cc218fb-6c2a-4676-b2d7-86abe01c1530
Enhanced WP Contact Form <= 2.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71548a7f-43a5-4f71-8add-45f675e8aa66
Premmerce Redirect Manager <= 1.0.9 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23789
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2e8f9b7-1fce-46be-8198-eeff58a563c6
Wp Ultimate Review <= 2.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28751
CVSS Score: 4.4 (Medium)
Researcher/s: qilin_99
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c198008f-271e-431e-beb9-3a9f93cbbf8e
Social Proof (Testimonial) Slider <= 2.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-24389
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e324cd49-beaf-44bf-8890-5377731f0cc5
Order date time for WooCommerce <= 3.0.19 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28991
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f19006a0-6848-467b-90ed-33b3ebd2c7ba
Pagination by BestWebSoft <= 1.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28778
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ffbb85c5-e949-4c0f-8c02-2c022b802e05
Maps Widget for Google Maps <= 4.23 – Cross-Site Request Forgery via dismiss_notice
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0472804e-00cc-4c4c-97aa-86f433f65782
Feed Them Social <= 4.0.7 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/057ab824-8071-4c3c-9a57-f9a0043a9ad5
Advanced Local Pickup for WooCommerce <= 1.5.2 – Missing Authorization
CVE ID: CVE-2022-40702
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05ff8080-59e5-4d48-a69b-275a89eef758
Configurable Tag Cloud <= 5.2 – Cross-Site Request Forgery via ctc_options_page()
CVE ID: CVE-2023-28995
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0775b36b-d543-41f9-a20d-f629b40c70d7
Advanced Local Pickup for WooCommerce <= 1.5.2 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b3fa78c-d97f-43bf-b3e9-47d6aa41b458
WP OnlineSupport, Essential Plugin Popup Anything <= 2.2.1 – Cross Site Request Forgery
CVE ID: CVE-2022-38077
CVSS Score: 4.3 (Medium)
Researcher/s: muhga
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11ea3e40-8802-43ea-9816-973a15d7904d
Happy Addons for Elementor <= 3.8.2 – Cross-Site Request Forgery via handle_optin_optout()
CVE ID: CVE-2023-28989
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/27439d44-f2ff-4c20-965f-25d12c83781c
Viral Mag <= 1.0.9 – Missing Authorization to Arbitrary Plugin Activation
CVE ID: CVE-2023-28990
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/48aa5be8-a5d9-4f5e-ba30-d6afb3f0fee0
Trending/Popular Post Slider and Widget <= 1.5.7 – Cross-Site Request Forgery via wtpsw_post_view_count
CVE ID: CVE-2022-46846
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a0cffca-94d8-46b8-8b84-57e76a5bfd94
Zippy <= 1.6.1 – Authenticated (Contributor+) Sensitive Information Disclosure
CVE ID: CVE-2023-26533
CVSS Score: 4.3 (Medium)
Researcher/s: Junsu Yeo
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c306428-8880-483f-be3a-6f6b87e55eef
WP VR <= 8.2.9 – Missing Authorization
CVE ID: CVE-2023-1414
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54b495e8-f641-444d-a3d4-a54bb0836c40
Premmerce Redirect Manager <= 1.0.9 – Cross-Site Request Forgery via deleteRedirect()
CVE ID: CVE-2023-23787
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6d84fa60-f780-41e2-96dc-57057c646e01
Welcome Bar <= 2.0.3 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/82a26836-44fc-47cf-ad09-bd3d264e8635
Wp Ultimate Review <= 2.0.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-28987
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/892372c9-380c-43b2-b928-b5964574c414
Welcome Bar <= 2.0.3 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98730677-200b-4b1a-8568-7af8b2b0e94b
WishSuite <= 1.3.3 – Cross-Site Request Forgery via plugin_activation()
CVE ID: CVE-2023-23731
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a2f3fcd1-6dff-409b-b8c1-46c5485980ee
Advanced Shipment Tracking for WooCommerce <= 3.5.2 – Cross-Site Request Forgery via paginate_shipping_provider_list and filter_shipping_provider_list
CVE ID: CVE-2022-41635
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b55a80ed-5e27-4087-a792-e78066a41399
Really Simple Google Tag Manager <= 1.0.6 – Cross-Site Request Forgery via plugin_activation
CVE ID: CVE-2023-23801
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c579825b-e92e-48d2-925e-d1fc81374c4a
Affiliates Manager <= 2.9.20 – Cross-Site Request Forgery via process_bulk_action()
CVE ID: CVE-2023-28986
CVSS Score: 4.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1a6bdc8-ae74-4d0b-9c47-f4bf69158a44
HT Menu <= 1.2.1 – Cross-Site Request Forgery via plugin_activation
CVE ID: CVE-2023-23791
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/deb2544f-75ac-4d6c-bec7-9f35cfe0028d
Mobile Banner <= 1.5 – Cross-Site Request Forgery leading to Plugin Settings Changes
CVE ID: CVE-2023-28930
CVSS Score: 4.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e98aa389-9113-4997-8b96-1ca03cdfc235
Simple Author Box <= 2.50 – Cross-Site Request Forgery via save_user_profile
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f670b93e-da2e-43e7-a28a-6cacba4df3a1
Swatchly – WooCommerce Variation Swatches for Products <= 1.1.9 – Cross-Site Request Forgery via plugin_activation
CVE ID: CVE-2023-23792
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa73c2a0-a692-47db-99ca-7e7159fc96aa
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments