Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 24, 2023 to Apr 30, 2023)
Last week, there were 77 vulnerabilities disclosed in 68 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 40 |
Patched | 37 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 0 |
Medium Severity | 65 |
High Severity | 10 |
Critical Severity | 2 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 44 |
Cross-Site Request Forgery (CSRF) | 9 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 8 |
Missing Authorization | 7 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 3 |
Deserialization of Untrusted Data | 2 |
Server-Side Request Forgery (SSRF) | 2 |
Improper Neutralization of Formula Elements in a CSV File | 1 |
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Lana Codes | 7 |
Mika | 6 |
Yuki Haruma | 5 |
qilin_99 | 4 |
Pavitra Tiwari | 4 |
Erwan LR | 4 |
Justiice | 3 |
minhtuanact | 3 |
László Radnai | 3 |
Shreya Pohekar | 3 |
thiennv | 3 |
Nguyen Xuan Chien | 2 |
Ramuel Gall | 2 |
Abdi Pranata | 2 |
Marco Wotschka | 2 |
Ivy | 2 |
Le Ngoc Anh | 2 |
Nguyen Xuan Hoa | 1 |
LEE SE HYOUNG | 1 |
rezaduty | 1 |
TomS | 1 |
Pavak Tiwari | 1 |
daniloalbuqrque | 1 |
yuyudhn | 1 |
Taurus Omar | 1 |
qerogram | 1 |
Felipe Restrepo Rodriguez | 1 |
deokhunKim | 1 |
Phạm Ngọc Khánh | 1 |
Lucio Sá | 1 |
Nguyen Duy Quoc Khanh | 1 |
Trần Quốc Trường An | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
AJAX Thumbnail Rebuild | ajax-thumbnail-rebuild |
Advanced Category Template | advanced-category-template |
Advanced Youtube Channel Pagination | advanced-youtube-channel-pagination |
Arconix Shortcodes | arconix-shortcodes |
Autoptimize | autoptimize |
BSK Forms Blacklist | bsk-gravityforms-blacklist |
Bit File Manager – 100% free file manager for WordPress | file-manager |
Booking Manager | booking-manager |
CM On Demand Search And Replace | cm-on-demand-search-and-replace |
CRM Memberships | crm-memberships |
Chronosly Events Calendar | chronosly-events-calendar |
ClickFunnels | clickfunnels |
Custom 404 Pro | custom-404-pro |
Customizer Export/Import | customizer-export-import |
Decon WP SMS | decon-wp-sms |
Depicter Slider – Responsive Image Slider, Video Slider & Post Slider | depicter |
Display custom fields in the frontend – Post and User Profile Fields | shortcode-to-display-post-and-user-data |
Dynamically Register Sidebars | dynamically-register-sidebars |
Easy Bet | easy-bet |
Elementor Website Builder | elementor |
Emails & Newsletters with Jackmail | jackmail-newsletters |
Extensions for Leaflet Map | extensions-leaflet-map |
Forms Ada – Form Builder | forms-ada-form-builder |
HTTP Headers | http-headers |
Image Optimizer by 10web – Image Optimizer and Compression plugin | image-optimizer-wd |
Inactive User Deleter | inactive-user-deleter |
Integration for Contact Form 7 HubSpot | cf7-hubspot |
Ko-fi Button | ko-fi-button |
Logo Scheduler – Great for holidays, events, and more | logo-scheduler-great-for-holidays-events-and-more |
Maintenance Switch | maintenance-switch |
Mass Email To users | mass-email-to-users |
NS Coupon To Become Customer | ns-coupon-to-become-customer |
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress | ninja-forms |
Orbit Fox by ThemeIsle | themeisle-companion |
Photo Gallery Slideshow & Masonry Tiled Gallery | wp-responsive-photo-gallery |
Plugins List | plugins-list |
Progress Bar | progress-bar |
Push Notifications for WordPress by PushAssist | push-notification-for-wp-by-pushassist |
REST API TO MiniProgram | rest-api-to-miniprogram |
Rating-Widget: Star Review System | rating-widget |
Recipe Maker For Your Food Blog from Zip Recipes | zip-recipes |
SEO ALert | seo-alert |
Shield Security – Smart Bot Blocking & Intrusion Prevention | wp-simple-firewall |
Simple Giveaways – Grow your business, email lists and traffic with contests | giveasap |
Stock Sync for WooCommerce | stock-sync-for-woocommerce |
Stream | stream |
Thumbnail Slider With Lightbox | wp-responsive-slider-with-lightbox |
Thumbs Rating | thumbs-rating |
Tiempo.com | tiempocom |
Tippy | tippy |
URL Params | url-params |
Ultimate Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
Updraft | updraft |
User IP and Location | user-ip-and-location |
Video XML Sitemap Generator | video-xml-sitemap-generator |
WP BrowserUpdate | wp-browser-update |
WP Directory Kit | wpdirectorykit |
WP Inventory Manager | wp-inventory-manager |
WP Page Numbers | wp-page-numbers |
WP Search Analytics | search-analytics |
WP Visitor Statistics (Real Time Traffic) | wp-stats-manager |
WP-CORS | wp-cors |
WooCommerce Multivendor Marketplace – REST API | wcfm-marketplace-rest-api |
Woocommerce Tip/Donation | woo-tipdonation |
XML for Google Merchant Center | xml-for-google-merchant-center |
YARPP – Yet Another Related Posts Plugin | yet-another-related-posts-plugin |
Zephyr Project Manager | zephyr-project-manager |
wordpress vertical image slider plugin | wp-vertical-image-slider |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Arya Multipurpose | arya-multipurpose |
Mocho Blog | mocho-blog |
Viable Blog | viable-blog |
Vulnerability Details
Custom 404 Pro <= 3.7.2 – Unauthenticated SQL Injection
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d22fb2e8-bb61-49bc-9fab-8f7c58339a69
WP Visitor Statistics (Real Time Traffic) <= 6.8.1 – Unauthenticated SQL Injection
CVE ID: CVE-2023-0600
CVSS Score: 9.8 (Critical)
Researcher/s: Trần Quốc Trường An
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8e511ec-93d3-45f3-98ee-ffa7a79bf74e
Ultimate Addons for Contact Form 7 <= 3.1.23 – Authenticated (Subscriber+) SQL Injection via id
CVE ID: CVE-2023-30495
CVSS Score: 8.8 (High)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5db5c5e0-f2ba-4082-b3eb-33cc0ce418e8
Easy Bet <= 1.0.2 – Authenticated(Contributor+) SQL Injection
CVE ID: CVE-2023-31092
CVSS Score: 8.8 (High)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a833fe01-caf5-434a-82f9-8d3ac755a66f
YARPP – Yet Another Related Posts Plugin <= 5.30.2 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-0579
CVSS Score: 8.8 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bda2f3f6-b036-4feb-bb38-1d4eaf965c24
Thumbnail Slider With Lightbox <= 1.0.17
CVE ID: CVE Unknown
CVSS Score: 8.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33b92a86-bb3e-4307-b2cb-7dfde56505cc
Orbit Fox by ThemeIsle <= 2.10.23 – Authenticated (Author+) Server-Side Request Forgery via URL
CVE ID: CVE Unknown
CVSS Score: 7.4 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c30b925-47ca-4e14-a418-d9524648db2a
Shield Security <= 17.0.17 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-0992
CVSS Score: 7.2 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/162dff28-94ea-4a47-a6cb-a13317cf1a04
Bit File Manager <= 5.2.7 – Authenticated (Admin+) PHP Object Injection
CVE ID: CVE-2022-47599
CVSS Score: 7.2 (High)
Researcher/s: rezaduty
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24458c37-ebcc-471b-9044-78f24667f7a6
BSK Forms Blacklist <= 3.6.2 – Authenticated (Administrator+) SQL Injection via ‘order’ and ‘orderby’
CVE ID: CVE-2023-30872
CVSS Score: 7.2 (High)
Researcher/s: TomS
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4550681f-d115-4451-9839-7862b84714fe
Customizer Export/Import <= 0.9.5 – Authenticated (Administrator+) PHP Object Injection
CVE ID: CVE-2023-1347
CVSS Score: 7.2 (High)
Researcher/s: Nguyen Duy Quoc Khanh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd7312ec-9654-4ddc-aec6-71c7e684fac0
Inactive User Deleter <= 1.58 – Cross-Site Request Forgery via multiple functions
CVE ID: CVE-2023-27424
CVSS Score: 7.1 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f3c706f-fcce-4bcb-9773-ced011bf6407
HTTP Headers <= 1.18.9 – Authenticated(Administrator+) SQL Injection
CVE ID: CVE-2023-1207
CVSS Score: 6.6 (Medium)
Researcher/s: qerogram
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ea6b79c-2a09-4a6e-9b4b-a81f96e3bc12
Elementor <= 3.12.1 – Authenticated(Administrator+) SQL Injection via ‘replace_urls’
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7bd173c-dc61-4cc6-b42f-311acf728080
Display custom fields in the frontend – Post and User Profile Fields <= 1.2.0 – Missing Authorization via vg_display_data shortcode
CVE ID: CVE-2023-31073
CVSS Score: 6.5 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cdf3b629-c1a2-4fdd-b7fc-d3550bd30857
ClickFunnels <= 3.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2022-4782
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3daa3a7d-bb92-41c7-92ad-71f6ff0bb50a
Rating Widget <= 3.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes
CVE ID: CVE-2023-23831
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53577cf4-af87-41a2-9424-56a584b78cf3
Arconix Shortcodes <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-23703
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7575e290-ad31-4c1b-9a89-eaa8b3eda6d1
Progress Bar <= 2.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via wppb shortcode
CVE ID: CVE-2023-23699
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/790bd89d-3913-4b43-9b00-7d4de5c4227d
REST API TO MiniProgram <= 4.6.1 – Authenticated (Subscriber+) Media Attachment Deletion
CVE ID: CVE-2023-0551
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/941cf3f8-20a0-4d41-8fce-1554653d98da
URL Params <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-0274
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98e22884-f7d6-47df-9b1b-9232c48e3685
User IP and Location <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-30780
CVSS Score: 6.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c557fc55-3c0d-43ff-8575-32f669299b39
Tippy <= 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via tippy shortcode
CVE ID: CVE-2023-31079
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6460406-da83-4dad-97a5-fe961f0c46fc
Plugins List <= 2.5 – Authenticated (Author+) Stored Cross-Site Scripting via replace_plugin_list_tags
CVE ID: CVE-2023-31232
CVSS Score: 6.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9d42cc5-c213-454b-b05a-a57705e5c7e4
Booking Manager <= 2.0.28 – Authenticated (Subscriber+) Server-Side Request Forgery
CVE ID: CVE-2023-1977
CVSS Score: 6.3 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9ee709d-6590-4c07-9788-6150733c1691
Updraft <= 0.6.1 – Reflected Cross-Site Scripting via ‘backup_timestamp’
CVE ID: CVE-2023-26530
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Hoa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02bfc849-0f36-4647-9290-eddbacdb419b
WP BrowserUpdate <= 4.5 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28690
CVSS Score: 6.1 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d3fa716-6f11-428c-b2da-2bb768a92fe0
Mass Email To users <= 1.1.4 – Unauthenticated Reflected Cross-Site Scripting via ‘entrant’
CVE ID: CVE-2022-47600
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f218010-8429-4a8a-b7f6-e45945a2a1ba
XML for Google Merchant Center <= 3.0.1 – Reflected Cross-Site Scripting via page parameter
CVE ID: CVE-2023-30877
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16bd14a1-e69b-4b7d-8c0e-a294e120d2a6
Viable blog <= 1.1.4 – Cross-Site Scripting
CVE ID: CVE-2023-27419
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/262b5326-a5e6-4063-a345-59dedd14c3c2
Arya Multipurpose <= 1.0.5 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-27420
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d5c4bf6-36f7-4e6d-a012-95594e3d93f8
Photo Gallery Slideshow & Masonry Tiled Gallery <= 1.0.13 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2402
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51a1c2de-56be-4487-874a-a916e8a6992a
Forms Ada <= 1.0 – Reflected Cross-Site Scripting via ‘p’ parameter
CVE ID: CVE-2023-27613
CVSS Score: 6.1 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54e330e7-d305-4254-a9e9-4d7f2c54c51c
WP Inventory Manager <= 2.1.0.12 – Reflected Cross-Site Scripting via ‘message’
CVE ID: CVE-2023-2123
CVSS Score: 6.1 (Medium)
Researcher/s: daniloalbuqrque
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b168045-9b68-43a7-89ce-d00a88bf8acd
Logo Scheduler <= 1.2.0 – Reflected Cross-Site Scripting via page parameter
CVE ID: CVE-2023-30875
CVSS Score: 6.1 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d853fbd-c615-4142-9ba9-9eef54d721da
Tiempo.com <= 0.1.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2272
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a5e3d82-4722-47ff-b66f-448cb2851c1f
Extensions for Leaflet Map <= 3.4.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-31074
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e332a52-071c-4725-99db-3cc10ee50230
Maintenance Switch <= 1.5.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2022-47590
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a81d3b09-b8dd-4697-ab43-c863e8d1e1d5
Stock Sync for WooCommerce <= 2.4.0 – Reflected Cross-Site Scripting via page parameter
CVE ID: CVE-2023-31094
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/adcaf2db-2026-46bb-8fbc-0400d7c1e296
wordpress vertical image slider plugin <= 1.2.16 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2289
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9983364-9b52-4acc-91d4-b352c6d24d52
Ninja Forms Contact Form <= 3.6.21 – Reflected Cross-Site Scripting via ‘title’
CVE ID: CVE-2023-1835
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf4e9b41-20e8-4dba-a51c-6e8f09232ffb
Image Optimizer WD <= 1.0.26 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2122
CVSS Score: 6.1 (Medium)
Researcher/s: Phạm Ngọc Khánh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d50d8d51-3bb4-4556-95e3-06812a31d0d6
Zip Recipes <= 8.0.6 – Reflected Cross-Site Scripting via ‘s’ parameter
CVE ID: CVE-2023-31076
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd7d3afd-6648-4ffb-85a9-cd5a6096963e
Advanced Category Template <= 0.1 – Stored Cross-Site Scripting via Cross-Site Request Forgery in _form.php
CVE ID: CVE-2023-31072
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e18ae7a9-7761-432f-a983-16ff1131c1e8
Mocho Blog <= 1.0.4 – Cross-Site Scripting
CVE ID: CVE-2023-27412
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f10fd22e-a25b-4f16-ad65-a995559908e9
Push Notifications for WordPress by PushAssist <= 3.0.8 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-0644
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4454376-7c18-4f0e-a192-80212a59d94b
Emails & Newsletters with Jackmail <= 1.2.22 – Authenticated (Subscriber+) CSV Injecton
CVE ID: CVE-2022-46821
CVSS Score: 6 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/084a209f-c67b-4df9-9f4b-c537ea065a50
Advanced Youtube Channel Pagination <= 1.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-28693
CVSS Score: 5.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d858f96-7363-4098-af2d-f6f96fc80071
Advanced Youtube Channel Pagination <= 1.0 – Authenticated(Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28693
CVSS Score: 5.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91898465-55fa-417c-8f00-ffe118232516
Woocommerce Tip/Donation <= 1.2 – Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-28783
CVSS Score: 5.5 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ec83425-c756-450e-ac46-c897ad72714c
WP Directory Kit <= 1.1.9 – Open Redirect
CVE ID: CVE-2023-31229
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f01ee24-544b-45cb-9cf3-7db8263d8e54
Tiempo.com <= 0.1.2 – Cross-Site Request Forgery to Shortcode Deletion
CVE ID: CVE-2023-2271
CVSS Score: 5.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3dacef70-a881-400e-b9f7-c0a815cf624a
Tiempo.com <= 0.1.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2023-0058
CVSS Score: 5.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62ac2725-0071-4a7d-8561-256e6a232de3
Simple Giveaways <= 2.45.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-31086
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8390ab61-197a-4eb7-a589-47bf46a0e123
WP Directory Kit <= 1.2.1 – Cross-Site Request Forgery to Plugin Settings Change/Delete, Demo Import, Directory Kit Modification/Deletion via admin_page_display
CVE ID: CVE-2023-2279
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a7a6da3-d67c-42b3-8826-7e7fc9b938b4
Zephyr Project Manager <= 3.3.9 – Open Redirect
CVE ID: CVE-2023-31237
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9af929a3-6e17-40c7-9fce-1ce0eb72bc7b
Thumbs Rating <= 4.1.0 – Race Condition
CVE ID: CVE-2022-45809
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb1105fc-ed12-4a82-9cc4-4b45aa34cdc5
CRM Memberships <= 1.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-27427
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07c3c8d9-64c9-4d16-9a35-8477b358123f
CM On Demand Search And Replace <= 1.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-31228
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3be9ffb4-5614-4a5f-bc2a-38ad626f8e3e
Dynamically Register Sidebars <= 1.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-31091
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e6b39da-26d4-4615-b6c7-68909bdf0a61
WP-CORS <= 0.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2022-47606
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6d571dcc-74a4-4380-8961-890f10443b80
NS Coupon to Become Customer <= 1.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-27422
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70e227a5-fc33-4ff2-a843-ef9484707ae7
SEO ALert <= 1.5.9 – Authenticated(Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2225
CVSS Score: 4.4 (Medium)
Researcher/s: Taurus Omar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a19b102-e097-46b3-9804-71edb91b3daa
WP Search Analytics <= 1.4.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2022-47587
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/914d6f7a-053a-4555-9cbc-98bd0789bcd9
Ko-fi Button <= 1.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2254
CVSS Score: 4.4 (Medium)
Researcher/s: Felipe Restrepo Rodriguez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa13426a-2d4e-4268-bc0d-e496bc9e6f33
Autoptimize <= 3.1.6 – Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Rules
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d16a3da0-9539-4555-8dfc-65cb4f4d7b4d
Decon WP SMS <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-27416
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3bd7b0e-aae3-4ac9-b092-3101da441e1e
AJAX Thumbnail Rebuild <= 1.13 – Missing Authorization
CVE ID: CVE-2022-47604
CVSS Score: 4.3 (Medium)
Researcher/s: Justiice
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/039d2a35-fbd9-467b-ae98-2d47ff03fb2e
WP BrowserUpdate <= 4.4.1 – Cross-Site Request Forgery via wpbu_administration
CVE ID: CVE-2023-31078
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/050ca18d-7596-4094-b24a-752857f5e478
WP Page Numbers <= 0.5 – Cross-Site Request Forgery via wp_page_numbers_settings
CVE ID: CVE-2023-27623
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44a2e2f3-1902-43c5-8e3c-4174cb1ffa63
Chronosly Events Calendar <= 2.6.2 – Cross-Site Request Forgery via plugin_settings_page
CVE ID: CVE-2023-31093
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57580c2c-c3de-44a3-b586-f7092c06dc6b
Shield Security <= 17.0.17 – Missing Authorization
CVE ID: CVE-2023-0993
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/674461ad-9b61-48c4-af2a-5dfcaeb38215
Video XML Sitemap Generator <= 1.0.0 – Cross-Site Request Forgery via video_sitemap_generate
CVE ID: CVE-2023-31089
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9e11e1b5-dbba-4920-a65c-210600878861
Integration for Contact Form 7 HubSpot <= 1.2.8 – Open Redirect via state parameter
CVE ID: CVE-2023-31095
CVSS Score: 4.3 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a60a9981-c945-4438-a844-f7942b86c4c0
WooCommerce Multivendor Marketplace – REST API <= 1.5.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API
CVE ID: CVE-2023-2275
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0520601-7e5c-412d-a8da-df1bf8ce28df
Stream <= 3.9.2 – Missing Authorization via load_alerts_settings
CVE ID: CVE-2022-43450
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d58e4317-8ad5-40d5-98b8-f8f07ab37e1f
Depicter Slider <= 1.9.0 – Missing Authorization
CVE ID: CVE-2022-47176
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed79e382-acb4-4348-9bc6-b44ec0d75fb5
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments