Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 24, 2023 to Apr 30, 2023)

Last week, there were 77 vulnerabilities disclosed in 68 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 40
Patched 37

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 0
Medium Severity 65
High Severity 10
Critical Severity 2

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 44
Cross-Site Request Forgery (CSRF) 9
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 8
Missing Authorization 7
URL Redirection to Untrusted Site (‘Open Redirect’) 3
Deserialization of Untrusted Data 2
Server-Side Request Forgery (SSRF) 2
Improper Neutralization of Formula Elements in a CSV File 1
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Lana Codes 7
Mika 6
Yuki Haruma 5
qilin_99 4
Pavitra Tiwari 4
Erwan LR 4
Justiice 3
minhtuanact 3
László Radnai 3
Shreya Pohekar 3
thiennv 3
Nguyen Xuan Chien 2
Ramuel Gall 2
Abdi Pranata 2
Marco Wotschka 2
Ivy 2
Le Ngoc Anh 2
Nguyen Xuan Hoa 1
LEE SE HYOUNG 1
rezaduty 1
TomS 1
Pavak Tiwari 1
daniloalbuqrque 1
yuyudhn 1
Taurus Omar 1
qerogram 1
Felipe Restrepo Rodriguez 1
deokhunKim 1
Phạm Ngọc Khánh 1
Lucio Sá 1
Nguyen Duy Quoc Khanh 1
Trần Quốc Trường An 1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
AJAX Thumbnail Rebuild ajax-thumbnail-rebuild
Advanced Category Template advanced-category-template
Advanced Youtube Channel Pagination advanced-youtube-channel-pagination
Arconix Shortcodes arconix-shortcodes
Autoptimize autoptimize
BSK Forms Blacklist bsk-gravityforms-blacklist
Bit File Manager – 100% free file manager for WordPress file-manager
Booking Manager booking-manager
CM On Demand Search And Replace cm-on-demand-search-and-replace
CRM Memberships crm-memberships
Chronosly Events Calendar chronosly-events-calendar
ClickFunnels clickfunnels
Custom 404 Pro custom-404-pro
Customizer Export/Import customizer-export-import
Decon WP SMS decon-wp-sms
Depicter Slider – Responsive Image Slider, Video Slider & Post Slider depicter
Display custom fields in the frontend – Post and User Profile Fields shortcode-to-display-post-and-user-data
Dynamically Register Sidebars dynamically-register-sidebars
Easy Bet easy-bet
Elementor Website Builder elementor
Emails & Newsletters with Jackmail jackmail-newsletters
Extensions for Leaflet Map extensions-leaflet-map
Forms Ada – Form Builder forms-ada-form-builder
HTTP Headers http-headers
Image Optimizer by 10web – Image Optimizer and Compression plugin image-optimizer-wd
Inactive User Deleter inactive-user-deleter
Integration for Contact Form 7 HubSpot cf7-hubspot
Ko-fi Button ko-fi-button
Logo Scheduler – Great for holidays, events, and more logo-scheduler-great-for-holidays-events-and-more
Maintenance Switch maintenance-switch
Mass Email To users mass-email-to-users
NS Coupon To Become Customer ns-coupon-to-become-customer
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress ninja-forms
Orbit Fox by ThemeIsle themeisle-companion
Photo Gallery Slideshow & Masonry Tiled Gallery wp-responsive-photo-gallery
Plugins List plugins-list
Progress Bar progress-bar
Push Notifications for WordPress by PushAssist push-notification-for-wp-by-pushassist
REST API TO MiniProgram rest-api-to-miniprogram
Rating-Widget: Star Review System rating-widget
Recipe Maker For Your Food Blog from Zip Recipes zip-recipes
SEO ALert seo-alert
Shield Security – Smart Bot Blocking & Intrusion Prevention wp-simple-firewall
Simple Giveaways – Grow your business, email lists and traffic with contests giveasap
Stock Sync for WooCommerce stock-sync-for-woocommerce
Stream stream
Thumbnail Slider With Lightbox wp-responsive-slider-with-lightbox
Thumbs Rating thumbs-rating
Tiempo.com tiempocom
Tippy tippy
URL Params url-params
Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7
Updraft updraft
User IP and Location user-ip-and-location
Video XML Sitemap Generator video-xml-sitemap-generator
WP BrowserUpdate wp-browser-update
WP Directory Kit wpdirectorykit
WP Inventory Manager wp-inventory-manager
WP Page Numbers wp-page-numbers
WP Search Analytics search-analytics
WP Visitor Statistics (Real Time Traffic) wp-stats-manager
WP-CORS wp-cors
WooCommerce Multivendor Marketplace – REST API wcfm-marketplace-rest-api
Woocommerce Tip/Donation woo-tipdonation
XML for Google Merchant Center xml-for-google-merchant-center
YARPP – Yet Another Related Posts Plugin yet-another-related-posts-plugin
Zephyr Project Manager zephyr-project-manager
wordpress vertical image slider plugin wp-vertical-image-slider

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Arya Multipurpose arya-multipurpose
Mocho Blog mocho-blog
Viable Blog viable-blog

Vulnerability Details

Custom 404 Pro <= 3.7.2 – Unauthenticated SQL Injection

Affected Software: Custom 404 Pro
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d22fb2e8-bb61-49bc-9fab-8f7c58339a69

WP Visitor Statistics (Real Time Traffic) <= 6.8.1 – Unauthenticated SQL Injection

Affected Software: WP Visitor Statistics (Real Time Traffic)
CVE ID: CVE-2023-0600
CVSS Score: 9.8 (Critical)
Researcher/s: Trần Quốc Trường An
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8e511ec-93d3-45f3-98ee-ffa7a79bf74e

Ultimate Addons for Contact Form 7 <= 3.1.23 – Authenticated (Subscriber+) SQL Injection via id

Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2023-30495
CVSS Score: 8.8 (High)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5db5c5e0-f2ba-4082-b3eb-33cc0ce418e8

Easy Bet <= 1.0.2 – Authenticated(Contributor+) SQL Injection

Affected Software: Easy Bet
CVE ID: CVE-2023-31092
CVSS Score: 8.8 (High)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a833fe01-caf5-434a-82f9-8d3ac755a66f

YARPP – Yet Another Related Posts Plugin <= 5.30.2 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: YARPP – Yet Another Related Posts Plugin
CVE ID: CVE-2023-0579
CVSS Score: 8.8 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bda2f3f6-b036-4feb-bb38-1d4eaf965c24

Thumbnail Slider With Lightbox <= 1.0.17

Affected Software: Thumbnail Slider With Lightbox
CVE ID: CVE Unknown
CVSS Score: 8.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33b92a86-bb3e-4307-b2cb-7dfde56505cc

Orbit Fox by ThemeIsle <= 2.10.23 – Authenticated (Author+) Server-Side Request Forgery via URL

Affected Software: Orbit Fox by ThemeIsle
CVE ID: CVE Unknown
CVSS Score: 7.4 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c30b925-47ca-4e14-a418-d9524648db2a

Shield Security <= 17.0.17 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Shield Security – Smart Bot Blocking & Intrusion Prevention
CVE ID: CVE-2023-0992
CVSS Score: 7.2 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/162dff28-94ea-4a47-a6cb-a13317cf1a04

Bit File Manager <= 5.2.7 – Authenticated (Admin+) PHP Object Injection

Affected Software: Bit File Manager – 100% free file manager for WordPress
CVE ID: CVE-2022-47599
CVSS Score: 7.2 (High)
Researcher/s: rezaduty
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24458c37-ebcc-471b-9044-78f24667f7a6

BSK Forms Blacklist <= 3.6.2 – Authenticated (Administrator+) SQL Injection via ‘order’ and ‘orderby’

Affected Software: BSK Forms Blacklist
CVE ID: CVE-2023-30872
CVSS Score: 7.2 (High)
Researcher/s: TomS
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4550681f-d115-4451-9839-7862b84714fe

Customizer Export/Import <= 0.9.5 – Authenticated (Administrator+) PHP Object Injection

Affected Software: Customizer Export/Import
CVE ID: CVE-2023-1347
CVSS Score: 7.2 (High)
Researcher/s: Nguyen Duy Quoc Khanh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd7312ec-9654-4ddc-aec6-71c7e684fac0

Inactive User Deleter <= 1.58 – Cross-Site Request Forgery via multiple functions

Affected Software: Inactive User Deleter
CVE ID: CVE-2023-27424
CVSS Score: 7.1 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f3c706f-fcce-4bcb-9773-ced011bf6407

HTTP Headers <= 1.18.9 – Authenticated(Administrator+) SQL Injection

Affected Software: HTTP Headers
CVE ID: CVE-2023-1207
CVSS Score: 6.6 (Medium)
Researcher/s: qerogram
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ea6b79c-2a09-4a6e-9b4b-a81f96e3bc12

Elementor <= 3.12.1 – Authenticated(Administrator+) SQL Injection via ‘replace_urls’

Affected Software: Elementor Website Builder
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7bd173c-dc61-4cc6-b42f-311acf728080

Display custom fields in the frontend – Post and User Profile Fields <= 1.2.0 – Missing Authorization via vg_display_data shortcode

Affected Software: Display custom fields in the frontend – Post and User Profile Fields
CVE ID: CVE-2023-31073
CVSS Score: 6.5 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cdf3b629-c1a2-4fdd-b7fc-d3550bd30857

ClickFunnels <= 3.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: ClickFunnels
CVE ID: CVE-2022-4782
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3daa3a7d-bb92-41c7-92ad-71f6ff0bb50a

Rating Widget <= 3.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes

Affected Software: Rating-Widget: Star Review System
CVE ID: CVE-2023-23831
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53577cf4-af87-41a2-9424-56a584b78cf3

Arconix Shortcodes <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Arconix Shortcodes
CVE ID: CVE-2023-23703
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7575e290-ad31-4c1b-9a89-eaa8b3eda6d1

Progress Bar <= 2.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via wppb shortcode

Affected Software: Progress Bar
CVE ID: CVE-2023-23699
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/790bd89d-3913-4b43-9b00-7d4de5c4227d

REST API TO MiniProgram <= 4.6.1 – Authenticated (Subscriber+) Media Attachment Deletion

Affected Software: REST API TO MiniProgram
CVE ID: CVE-2023-0551
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/941cf3f8-20a0-4d41-8fce-1554653d98da

URL Params <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: URL Params
CVE ID: CVE-2023-0274
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98e22884-f7d6-47df-9b1b-9232c48e3685

User IP and Location <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: User IP and Location
CVE ID: CVE-2023-30780
CVSS Score: 6.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c557fc55-3c0d-43ff-8575-32f669299b39

Tippy <= 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via tippy shortcode

Affected Software: Tippy
CVE ID: CVE-2023-31079
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6460406-da83-4dad-97a5-fe961f0c46fc

Plugins List <= 2.5 – Authenticated (Author+) Stored Cross-Site Scripting via replace_plugin_list_tags

Affected Software: Plugins List
CVE ID: CVE-2023-31232
CVSS Score: 6.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9d42cc5-c213-454b-b05a-a57705e5c7e4

Booking Manager <= 2.0.28 – Authenticated (Subscriber+) Server-Side Request Forgery

Affected Software: Booking Manager
CVE ID: CVE-2023-1977
CVSS Score: 6.3 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9ee709d-6590-4c07-9788-6150733c1691

Updraft <= 0.6.1 – Reflected Cross-Site Scripting via ‘backup_timestamp’

Affected Software: Updraft
CVE ID: CVE-2023-26530
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Hoa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02bfc849-0f36-4647-9290-eddbacdb419b

WP BrowserUpdate <= 4.5 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WP BrowserUpdate
CVE ID: CVE-2023-28690
CVSS Score: 6.1 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d3fa716-6f11-428c-b2da-2bb768a92fe0

Mass Email To users <= 1.1.4 – Unauthenticated Reflected Cross-Site Scripting via ‘entrant’

Affected Software: Mass Email To users
CVE ID: CVE-2022-47600
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f218010-8429-4a8a-b7f6-e45945a2a1ba

XML for Google Merchant Center <= 3.0.1 – Reflected Cross-Site Scripting via page parameter

Affected Software: XML for Google Merchant Center
CVE ID: CVE-2023-30877
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16bd14a1-e69b-4b7d-8c0e-a294e120d2a6

Viable blog <= 1.1.4 – Cross-Site Scripting

Affected Software: Viable Blog
CVE ID: CVE-2023-27419
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/262b5326-a5e6-4063-a345-59dedd14c3c2

Arya Multipurpose <= 1.0.5 – Unauthenticated Cross-Site Scripting

Affected Software: Arya Multipurpose
CVE ID: CVE-2023-27420
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d5c4bf6-36f7-4e6d-a012-95594e3d93f8

Photo Gallery Slideshow & Masonry Tiled Gallery <= 1.0.13 – Reflected Cross-Site Scripting

Affected Software: Photo Gallery Slideshow & Masonry Tiled Gallery
CVE ID: CVE-2023-2402
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51a1c2de-56be-4487-874a-a916e8a6992a

Forms Ada <= 1.0 – Reflected Cross-Site Scripting via ‘p’ parameter

Affected Software: Forms Ada – Form Builder
CVE ID: CVE-2023-27613
CVSS Score: 6.1 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54e330e7-d305-4254-a9e9-4d7f2c54c51c

WP Inventory Manager <= 2.1.0.12 – Reflected Cross-Site Scripting via ‘message’

Affected Software: WP Inventory Manager
CVE ID: CVE-2023-2123
CVSS Score: 6.1 (Medium)
Researcher/s: daniloalbuqrque
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b168045-9b68-43a7-89ce-d00a88bf8acd

Logo Scheduler <= 1.2.0 – Reflected Cross-Site Scripting via page parameter

Affected Software: Logo Scheduler – Great for holidays, events, and more
CVE ID: CVE-2023-30875
CVSS Score: 6.1 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d853fbd-c615-4142-9ba9-9eef54d721da

Tiempo.com <= 0.1.2 – Reflected Cross-Site Scripting

Affected Software: Tiempo.com
CVE ID: CVE-2023-2272
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a5e3d82-4722-47ff-b66f-448cb2851c1f

Extensions for Leaflet Map <= 3.4.1 – Reflected Cross-Site Scripting

Affected Software: Extensions for Leaflet Map
CVE ID: CVE-2023-31074
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e332a52-071c-4725-99db-3cc10ee50230

Maintenance Switch <= 1.5.2 – Reflected Cross-Site Scripting

Affected Software: Maintenance Switch
CVE ID: CVE-2022-47590
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a81d3b09-b8dd-4697-ab43-c863e8d1e1d5

Stock Sync for WooCommerce <= 2.4.0 – Reflected Cross-Site Scripting via page parameter

Affected Software: Stock Sync for WooCommerce
CVE ID: CVE-2023-31094
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/adcaf2db-2026-46bb-8fbc-0400d7c1e296

wordpress vertical image slider plugin <= 1.2.16 – Reflected Cross-Site Scripting

Affected Software: wordpress vertical image slider plugin
CVE ID: CVE-2023-2289
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9983364-9b52-4acc-91d4-b352c6d24d52

Ninja Forms Contact Form <= 3.6.21 – Reflected Cross-Site Scripting via ‘title’

Affected Software: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CVE ID: CVE-2023-1835
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf4e9b41-20e8-4dba-a51c-6e8f09232ffb

Image Optimizer WD <= 1.0.26 – Reflected Cross-Site Scripting

Affected Software: Image Optimizer by 10web – Image Optimizer and Compression plugin
CVE ID: CVE-2023-2122
CVSS Score: 6.1 (Medium)
Researcher/s: Phạm Ngọc Khánh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d50d8d51-3bb4-4556-95e3-06812a31d0d6

Zip Recipes <= 8.0.6 – Reflected Cross-Site Scripting via ‘s’ parameter

Affected Software: Recipe Maker For Your Food Blog from Zip Recipes
CVE ID: CVE-2023-31076
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd7d3afd-6648-4ffb-85a9-cd5a6096963e

Advanced Category Template <= 0.1 – Stored Cross-Site Scripting via Cross-Site Request Forgery in _form.php

Affected Software: Advanced Category Template
CVE ID: CVE-2023-31072
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e18ae7a9-7761-432f-a983-16ff1131c1e8

Mocho Blog <= 1.0.4 – Cross-Site Scripting

Affected Software: Mocho Blog
CVE ID: CVE-2023-27412
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f10fd22e-a25b-4f16-ad65-a995559908e9

Push Notifications for WordPress by PushAssist <= 3.0.8 – Reflected Cross-Site Scripting

Affected Software: Push Notifications for WordPress by PushAssist
CVE ID: CVE-2023-0644
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4454376-7c18-4f0e-a192-80212a59d94b

Emails & Newsletters with Jackmail <= 1.2.22 – Authenticated (Subscriber+) CSV Injecton

Affected Software: Emails & Newsletters with Jackmail
CVE ID: CVE-2022-46821
CVSS Score: 6 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/084a209f-c67b-4df9-9f4b-c537ea065a50

Advanced Youtube Channel Pagination <= 1.0 – Cross-Site Request Forgery

Affected Software: Advanced Youtube Channel Pagination
CVE ID: CVE-2023-28693
CVSS Score: 5.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d858f96-7363-4098-af2d-f6f96fc80071

Advanced Youtube Channel Pagination <= 1.0 – Authenticated(Administrator+) Stored Cross-Site Scripting

Affected Software: Advanced Youtube Channel Pagination
CVE ID: CVE-2023-28693
CVSS Score: 5.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91898465-55fa-417c-8f00-ffe118232516

Woocommerce Tip/Donation <= 1.2 – Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings

Affected Software: Woocommerce Tip/Donation
CVE ID: CVE-2023-28783
CVSS Score: 5.5 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ec83425-c756-450e-ac46-c897ad72714c

WP Directory Kit <= 1.1.9 – Open Redirect

Affected Software: WP Directory Kit
CVE ID: CVE-2023-31229
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f01ee24-544b-45cb-9cf3-7db8263d8e54

Tiempo.com <= 0.1.2 – Cross-Site Request Forgery to Shortcode Deletion

Affected Software: Tiempo.com
CVE ID: CVE-2023-2271
CVSS Score: 5.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3dacef70-a881-400e-b9f7-c0a815cf624a

Tiempo.com <= 0.1.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Tiempo.com
CVE ID: CVE-2023-0058
CVSS Score: 5.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62ac2725-0071-4a7d-8561-256e6a232de3

Simple Giveaways <= 2.45.1 – Cross-Site Request Forgery

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-31086
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8390ab61-197a-4eb7-a589-47bf46a0e123

WP Directory Kit <= 1.2.1 – Cross-Site Request Forgery to Plugin Settings Change/Delete, Demo Import, Directory Kit Modification/Deletion via admin_page_display

Affected Software: WP Directory Kit
CVE ID: CVE-2023-2279
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a7a6da3-d67c-42b3-8826-7e7fc9b938b4

Zephyr Project Manager <= 3.3.9 – Open Redirect

Affected Software: Zephyr Project Manager
CVE ID: CVE-2023-31237
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9af929a3-6e17-40c7-9fce-1ce0eb72bc7b

Thumbs Rating <= 4.1.0 – Race Condition

Affected Software: Thumbs Rating
CVE ID: CVE-2022-45809
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb1105fc-ed12-4a82-9cc4-4b45aa34cdc5

CRM Memberships <= 1.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: CRM Memberships
CVE ID: CVE-2023-27427
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07c3c8d9-64c9-4d16-9a35-8477b358123f

CM On Demand Search And Replace <= 1.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: CM On Demand Search And Replace
CVE ID: CVE-2023-31228
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3be9ffb4-5614-4a5f-bc2a-38ad626f8e3e

Dynamically Register Sidebars <= 1.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Dynamically Register Sidebars
CVE ID: CVE-2023-31091
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e6b39da-26d4-4615-b6c7-68909bdf0a61

WP-CORS <= 0.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP-CORS
CVE ID: CVE-2022-47606
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6d571dcc-74a4-4380-8961-890f10443b80

NS Coupon to Become Customer <= 1.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: NS Coupon To Become Customer
CVE ID: CVE-2023-27422
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70e227a5-fc33-4ff2-a843-ef9484707ae7

SEO ALert <= 1.5.9 – Authenticated(Administrator+) Stored Cross-Site Scripting

Affected Software: SEO ALert
CVE ID: CVE-2023-2225
CVSS Score: 4.4 (Medium)
Researcher/s: Taurus Omar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a19b102-e097-46b3-9804-71edb91b3daa

WP Search Analytics <= 1.4.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Search Analytics
CVE ID: CVE-2022-47587
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/914d6f7a-053a-4555-9cbc-98bd0789bcd9

Ko-fi Button <= 1.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Ko-fi Button
CVE ID: CVE-2023-2254
CVSS Score: 4.4 (Medium)
Researcher/s: Felipe Restrepo Rodriguez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa13426a-2d4e-4268-bc0d-e496bc9e6f33

Autoptimize <= 3.1.6 – Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Rules

Affected Software: Autoptimize
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d16a3da0-9539-4555-8dfc-65cb4f4d7b4d

Decon WP SMS <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Decon WP SMS
CVE ID: CVE-2023-27416
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3bd7b0e-aae3-4ac9-b092-3101da441e1e

AJAX Thumbnail Rebuild <= 1.13 – Missing Authorization

Affected Software: AJAX Thumbnail Rebuild
CVE ID: CVE-2022-47604
CVSS Score: 4.3 (Medium)
Researcher/s: Justiice
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/039d2a35-fbd9-467b-ae98-2d47ff03fb2e

WP BrowserUpdate <= 4.4.1 – Cross-Site Request Forgery via wpbu_administration

Affected Software: WP BrowserUpdate
CVE ID: CVE-2023-31078
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/050ca18d-7596-4094-b24a-752857f5e478

WP Page Numbers <= 0.5 – Cross-Site Request Forgery via wp_page_numbers_settings

Affected Software: WP Page Numbers
CVE ID: CVE-2023-27623
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44a2e2f3-1902-43c5-8e3c-4174cb1ffa63

Chronosly Events Calendar <= 2.6.2 – Cross-Site Request Forgery via plugin_settings_page

Affected Software: Chronosly Events Calendar
CVE ID: CVE-2023-31093
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57580c2c-c3de-44a3-b586-f7092c06dc6b

Shield Security <= 17.0.17 – Missing Authorization

Affected Software: Shield Security – Smart Bot Blocking & Intrusion Prevention
CVE ID: CVE-2023-0993
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/674461ad-9b61-48c4-af2a-5dfcaeb38215

Video XML Sitemap Generator <= 1.0.0 – Cross-Site Request Forgery via video_sitemap_generate

Affected Software: Video XML Sitemap Generator
CVE ID: CVE-2023-31089
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9e11e1b5-dbba-4920-a65c-210600878861

Integration for Contact Form 7 HubSpot <= 1.2.8 – Open Redirect via state parameter

Affected Software: Integration for Contact Form 7 HubSpot
CVE ID: CVE-2023-31095
CVSS Score: 4.3 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a60a9981-c945-4438-a844-f7942b86c4c0

WooCommerce Multivendor Marketplace – REST API <= 1.5.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API

Affected Software: WooCommerce Multivendor Marketplace – REST API
CVE ID: CVE-2023-2275
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0520601-7e5c-412d-a8da-df1bf8ce28df

Stream <= 3.9.2 – Missing Authorization via load_alerts_settings

Affected Software: Stream
CVE ID: CVE-2022-43450
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d58e4317-8ad5-40d5-98b8-f8f07ab37e1f

Depicter Slider <= 1.9.0 – Missing Authorization

Affected Software: Depicter Slider – Responsive Image Slider, Video Slider & Post Slider
CVE ID: CVE-2022-47176
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed79e382-acb4-4348-9bc6-b44ec0d75fb5

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Did you enjoy this post? Share it!

Comments

No Comments