Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023)
Last week, there were 90 vulnerabilities disclosed in 77 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 – Arbitrary File Upload in File Manager
- ReviewX <= 1.6.13 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
- WAF-RULE-600 – Data redacted while we work with the developer to ensure the vulnerability gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 26 |
Patched | 64 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 1 |
Medium Severity | 67 |
High Severity | 16 |
Critical Severity | 6 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 35 |
Cross-Site Request Forgery (CSRF) | 23 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 11 |
Missing Authorization | 6 |
Unrestricted Upload of File with Dangerous Type | 3 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
Deserialization of Untrusted Data | 2 |
Authentication Bypass Using an Alternate Path or Channel | 2 |
Authorization Bypass Through User-Controlled Key | 1 |
Information Exposure | 1 |
Improper Authorization | 1 |
Creation of Emergent Resource | 1 |
Client-Side Enforcement of Server-Side Security | 1 |
Guessable CAPTCHA | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Rafie Muhammad | 16 |
Lana Codes (Wordfence Vulnerability Researcher) |
11 |
Alex Thomas (Wordfence Vulnerability Researcher) |
6 |
Rio Darmawan | 4 |
Mika | 4 |
yuyudhn | 3 |
LEE SE HYOUNG | 3 |
Marco Wotschka (Wordfence Vulnerability Researcher) |
3 |
thiennv | 3 |
Nguyen Xuan Chien | 3 |
Chien Vuong | 2 |
Hao Huynh | 2 |
Skalucy | 2 |
Erwan LR | 2 |
Cat | 2 |
Le Ngoc Anh | 2 |
dc11 | 2 |
WON JOON HWANG | 2 |
Muhammad Daffa | 2 |
Nguyen Anh Tien | 1 |
Bob Matyas | 1 |
Marco Frison | 1 |
My Le | 1 |
Nithissh S | 1 |
Emili Castells | 1 |
Yuki Haruma | 1 |
NGO VAN TU | 1 |
Abdi Pranata | 1 |
MyungJu Kim | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
AI ChatBot | chatbot |
Abandoned Cart Lite for WooCommerce | woocommerce-abandoned-cart |
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | woo-bulk-editor |
Bubble Menu – circle floating menu | bubble-menu |
Button Generator – easily Button Builder | button-generation |
Calculator Builder | calculator-builder |
Conditional Menus | conditional-menus |
Contact Form Entries – Contact Form 7, WPforms and more | contact-form-entries |
Counter Box – WordPress plugin for countdown, timer, counter | counter-box |
Custom Post Type Generator | custom-post-type-generator |
Custom Twitter Feeds (Tweets Widget) | custom-twitter-feeds |
Download Theme | download-theme |
Duplicator Pro | duplicator-pro |
Easy Admin Menu | easy-admin-menu |
Easy Captcha | easy-captcha |
Easy Google Maps | google-maps-easy |
Elementor Website Builder – More than Just a Page Builder | elementor |
EventPrime – Modern Events Calendar, Bookings and Tickets | eventprime-event-calendar-management |
File Renaming on Upload | file-renaming-on-upload |
Flickr Justified Gallery | flickr-justified-gallery |
Float menu – awesome floating side menu | float-menu |
Floating button | profit-button |
Front End Users | front-end-only-users |
Go Pricing – WordPress Responsive Pricing Tables | go_pricing |
Google Map Shortcode | google-map-shortcode |
Herd Effects – fake notifications and social proof plugin | mwp-herd-effect |
IP Metaboxes | ip-metaboxes |
Integration for Contact Form 7 and Zoho CRM, Bigin | cf7-zoho |
JetFormBuilder — Dynamic Blocks Form Builder | jetformbuilder |
LearnDash WordPress Plugin | sfwd-lms |
Leyka | leyka |
MStore API | mstore-api |
MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder | mailchimp-subscribe-sm |
Multiple Page Generator Plugin – MPG | multiple-pages-generator-by-porthas |
Novelist | novelist |
OAuth Single Sign On – SSO (OAuth Client) | miniorange-login-with-eve-online-google-facebook |
Popup Box – new WordPress popup plugin | popup-box |
Product Gallery Slider for WooCommerce | woo-product-gallery-slider |
Product Vendors | woocommerce-product-vendors |
QuBot – Chatbot Builder with Templates | qubotchat |
QueryWall: Plug’n Play Firewall | querywall |
Recently Viewed Products | recently-viewed-products |
Responsive Tabs For WPBakery Page Builder (formerly Visual Composer) | responsive-tabs-for-wpbakery |
SIS Handball | sis-handball |
SKU Label Changer For WooCommerce | woo-sku-label-changer |
Shopping Cart & eCommerce Store | wp-easycart |
Side Menu Lite – add sticky fixed buttons | side-menu-lite |
SlideOnline | slideonline |
Slider Revolution | revslider |
Sticky Buttons – floating buttons builder | sticky-buttons |
SupportCandy – Helpdesk & Support Ticket System | supportcandy |
This Day In History | this-day-in-history |
Tutor LMS – eLearning and online course solution | tutor |
UTM Tracker | utm-tracker |
Uncanny Automator – Automate everything with the #1 no-code Automation tool for WordPress | uncanny-automator |
Unite Gallery Lite | unite-gallery-lite |
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | unlimited-elements-for-elementor |
Upload Resume | resume-upload-form |
User Activity Log | user-activity-log |
Video Contest WordPress Plugin | video-contest |
WIP Custom Login | wip-custom-login |
WP Coder – add custom html, css and js code | wp-coder |
WP Tiles | wp-tiles |
WP-Hijri | wp-hijri |
WP-Matomo Integration (WP-Piwik) | wp-piwik |
WS Form LITE – Drag & Drop Contact Form Builder for WordPress | ws-form |
WooCommerce Product Categories Selection Widget | woocommerce-product-category-selection-widget |
WooCommerce Shipping & Tax | woocommerce-services |
WordPress Backup & Migration | wp-migration-duplicator |
WordPress File Upload | wp-file-upload |
WordPress File Upload Pro | wordpress-file-upload-pro |
Wow Skype Buttons | mwp-skype |
Yoast SEO: Local | wpseo-local |
YouTube Playlist Player | youtube-playlist-player |
seo-by-rank-math-pro | seo-by-rank-math-pro |
woocommerce-follow-up-emails | woocommerce-follow-up-emails |
woocommerce-warranty | woocommerce-warranty |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 – Arbitrary File Upload in File Manager
CVE ID: CVE-2023-31090
CVSS Score: 9.9 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a09102c-391e-4057-b883-3d2eef1671ce
WooCommerce Follow-Up Emails <= 4.9.40 – Authenticated Arbitrary File Upload in Template Editing
CVE ID: CVE-2023-33318
CVSS Score: 9.9 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a169934d-17ce-4d34-be00-c5ac0b488066
Leyka <= 3.30 – Privilege Escalation via Admin Password Reset
CVE ID: CVE-2023-33327
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0152bcc9-6d24-4475-848d-71fe88aa7e2a
Recently Viewed Products <= 1.0.0 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-34027
CVSS Score: 9.8 (Critical)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46f31a60-0a0e-449d-a10a-3cafd0492a9c
MStore API <= 3.9.1 – Authentication Bypass
CVE ID: CVE-2023-2734
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5881d16c-84e8-4610-8233-cfa5a94fe3f9
MStore API <= 3.9.2 – Authentication Bypass
CVE ID: CVE-2023-2732
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f00761a7-fe24-49a3-b3e3-a471e05815c1
LearnDash LMS <= 4.5.3 – Authenticated (Contributor+) SQL Injection
CVE ID: CVE-2023-28777
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/40a57493-b99b-4e71-8603-e668c6283a5a
Contact Form Entries <= 1.3.0 – Authenticated (Contributor+) SQL Injection via shortcode
CVE ID: CVE-2023-31212
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b475ada-3b31-40a3-9a81-5a7b1a1e190a
OAuth Single Sign On – SSO (OAuth Client) <= 6.23.3 – Missing Authorization
CVE ID: CVE-2022-34155
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d166a77-d57b-4827-96ca-b8eb423861f0
SupportCandy <= 3.1.6 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2023-2719
CVSS Score: 8.8 (High)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1d2b6bd-a75a-4a07-b2f0-8ec206d41211
Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Authenticated (Subscriber+) PHP Object Injection
CVE ID: CVE-2023-2500
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7686b11-97a8-4f09-bbfa-d77120cc35b7
Easy Captcha <= 1.0 – Missing Authorization via easy_captcha_update_settings
CVE ID: CVE-2023-33324
CVSS Score: 7.5 (High)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8efe2ccf-33cb-4db3-bc3d-ead826adb7d0
Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.2.3 – Authenticated (Admin+) SQL Injection
CVE ID: CVE-2023-2527
CVSS Score: 7.2 (High)
Researcher/s: Chien Vuong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b4e6dae-f38c-4f5b-ae1d-cf998946c675
QueryWall <= 1.1.1 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-2492
CVSS Score: 7.2 (High)
Researcher/s: Chien Vuong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/306c98ad-0d42-4ad5-b82a-bf4579865aa9
Slider Revolution <= 6.6.12 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2023-2359
CVSS Score: 7.2 (High)
Researcher/s: Marco Frison
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fa00dae-c51d-4586-81da-b568cd6d8124
SupportCandy <= 3.1.6 – Authenticated (Admin+) SQL Injection
CVE ID: CVE-2023-2805
CVSS Score: 7.2 (High)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75f01eb4-5d53-441d-9bee-e97857dadaf9
SIS Handball <= 1.0.45 – Authenticated (Administrator+) SQL Injection via ‘orderby’
CVE ID: CVE-2023-33924
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cabdc9db-2d1c-4390-a4b7-65648ef9f16a
Multiple Page Generator Plugin – MPG <= 3.3.19 – Authenticated (Administrator+) SQL Injection in projects_list and total_projects
CVE ID: CVE-2023-33927
CVSS Score: 7.2 (High)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d18d800b-647f-4706-9ec1-a8ea4e643965
WooCommerce Follow-Up Emails <= 4.9.50 – Authenticated (Follow-up emails manager+) SQL Injection
CVE ID: CVE-2023-33330
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc5276e2-e9de-4409-bbe0-4d0b37244367
WooCommerce Product Vendors <= 2.1.76 – Authenticated (Vendor admin+) SQL Injection
CVE ID: CVE-2023-33331
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed8f8984-bea6-44aa-9bde-5b40b455767f
WooCommerce Warranty Requests <= 2.1.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33317
CVSS Score: 7.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1665fda6-005d-42ba-883d-2e3ad7abe0ba
Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Improper Authorization to Arbitrary File Upload
CVE ID: CVE-2023-2496
CVSS Score: 7.1 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/477c6fa2-16a8-4461-b4d4-d087e13e3ca7
User Activity Log <= 1.6.1 – Authenticated(Administrator+) SQL Injection via txtsearch
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17a787da-5630-42ec-b5b0-47435db765a7
WIP Custom Login <= 1.2.9 – Cross-Site Request Forgery via save_option
CVE ID: CVE-2023-33313
CVSS Score: 6.5 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15b93e63-5ef2-4fb1-8c6b-28fcfab8e34d
BEAR <= 1.1.3.1 – Cross-Site Request Forgery via Multiple Functions
CVE ID: CVE-2023-33314
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7e3818c-883f-4633-a460-a8c0446edffc
WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_bulk_delete_product
CVE ID: CVE-2023-2892
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b36e94e4-b1e8-4803-9377-c4d710b029de
WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_delete_product
CVE ID: CVE-2023-2891
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bcca7ade-8b35-4ba1-a8b4-b1e815b025e3
Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-2498
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c3d4c96-63a7-4f3b-a9ac-095be241f840
Google Map Shortcode <= 3.1.2 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-2899
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f6656e2-35f5-41d8-a330-7904c296ba29
Contact Form Entries <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via vx-entries shortcode
CVE ID: CVE-2023-33311
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51986a76-933b-4c25-af79-d0c3f9e1d513
SlideOnline <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0489
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/778e2191-d764-44a1-9f52-9698e9183fd2
Yoast SEO: Local <= 14.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28785
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb6457ea-6353-4a69-ad72-cd5acd47ed8c
Responsive Tabs For WPBakery Page Builder <= 1.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-0368
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1c3ddae-046a-4080-ac2b-90fb89fbff7b
Duplicator Pro <= 4.5.11 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33309
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1426bebe-d3c4-4f83-9b50-fae8c2373209
EventPrime <= 2.8.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33326
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22479c6a-83ea-4c09-b192-4384ffbdcbf7
WooCommerce Follow-Up Emails <= 4.9.40 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33319
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4487391e-baa4-4320-a23d-b52a42e2de90
This Day In History <= 3.10.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34026
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b88a8a9-d3e1-4c21-a4e8-d9afa34d7a2e
Conditional Menus <= 1.2.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2654
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57d3506c-8db8-4e1b-9587-7f2bdb632890
WP-Hijri <= 1.5.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33320
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/67aaf9fa-e92b-42f2-94ac-f27c5d073002
Multiple Wow-Company Plugins (Various Versions) — Reflected Cross-Site Scripting via ‘page’ parameter
CVE ID: CVE-2023-2362
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a95af34-559c-4644-9941-7bd1551aba33
WooCommerce Product Categories Selection Widget <= 2.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33925
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f68c70b-9fde-43a6-8a7c-00938aa0e109
WooCommerce Product Vendors <= 2.1.76 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33332
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a93c0dd4-8341-438d-8730-470e9a230d97
Rank Math SEO PRO <= 3.0.35 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-32800
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4ec9001-c4aa-4db3-b7d7-29afa243f78a
Leyka <= 3.30 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33325
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/baf54eb2-0b29-4718-a994-f722cefd7317
Easy Captcha <= 1.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33312
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd73cf64-289d-4401-bef7-9a4398a85055
Front End Users <= 3.2.25 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-33322
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e076e054-6a0b-4c08-b0cc-bd3a5b0751e5
IP Metaboxes <= 2.1.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-30753
CVSS Score: 6.1 (Medium)
Researcher/s: WON JOON HWANG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f611d609-97c5-4b77-9657-c8d9d10e786a
WooCommerce Shipping & Tax <= 2.2.4 – Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 5.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57156ebc-2858-4295-ba08-57bcab6db229
Easy Google Maps <= 1.11.7 – Cross-Site Request Forgery via AJAX action
CVE ID: CVE-2023-2526
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4ea4ca00-185b-4f5d-9c5c-f81ba4edad05
Elementor <= 3.13.2 Authenticated(Contributor+) Arbitrary Post Type Creation via save_item
CVE ID: CVE-2023-33922
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/525cb51c-23f1-446f-a247-0f69ec5029d8
IP Metaboxes <= 2.1.1 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-30745
CVSS Score: 5.4 (Medium)
Researcher/s: WON JOON HWANG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9163861b-735b-4007-97f7-8f9095d93ec9
Uncanny Automator <= 4.14 – Cross-Site Request Forgery via update_automator_connect
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd0d8661-4725-41dd-88ce-8e94e285d5b8
Tutor LMS <= 2.1.10 – Missing Authorization via multiple AJAX actions
CVE ID: CVE-2023-25799
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf16617d-cec2-4943-bd20-7ade31878714
Easy Google Maps <= 1.11.7 – Cross-Site Request Forgery
CVE ID: CVE-2023-33926
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee52c6c0-c69e-46c4-9e4b-94aa69c00737
EventPrime <= 2.8.6 – Sensitive Information Exposure
CVE ID: CVE-2023-33321
CVSS Score: 5.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1fdd0a4c-ce47-44bc-b9a5-a8f2af12da85
Download Theme <= 1.0.9 – Cross-Site Request Forgery via dtwap_download()
CVE ID: CVE-2022-38062
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50ca7cf8-bb47-42ea-badc-8bfe0328cbb0
SKU Label Changer For WooCommerce <= 3.0 – Missing Authorization
CVE ID: CVE-2023-29174
CVSS Score: 5.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/793594f7-6325-4561-ad74-a08aebc20c53
Button Generator – easily Button Builder <= 2.3.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-25443
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af803612-96ae-41ee-8ad3-8f9319b147e8
WS Form LITE <= 1.9.117 – CAPTCHA Bypass
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d99f81ea-1e74-4b67-a6c5-3dbc7865a68a
Upload Resume <= 1.2.0 – Captcha Bypass via resume_upload_form
CVE ID: CVE-2023-2751
CVSS Score: 5.3 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc0acff9-6852-4ecb-84f9-98a15dd30fc6
Unite Gallery Lite <= 1.7.59 – Authenticated(Administrator+) Local File Inclusion via ‘view’ parameter
CVE ID: CVE-2023-33310
CVSS Score: 5 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c2925c1-f5c6-45b9-bc61-96f325c0372f
WordPress File Upload / WordPress File Upload Pro <= 4.19.1 – Authenticated (Administrator+) Path Traversal
CVE ID: CVE-2023-2688
CVSS Score: 4.9 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abd6eeac-0a7e-4762-809f-593cd85f303d
Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Missing Authorization to Limited Privilege Granting
CVE ID: CVE-2023-2494
CVSS Score: 4.6 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5779914a-a168-4835-8aea-e0ab2b3be4f6
AI ChatBot <= 4.5.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2811
CVSS Score: 4.4 (Medium)
Researcher/s: Hao Huynh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/114bd025-74c5-40a2-82e8-5947497fc836
WordPress File Upload / WordPress File Upload Pro <= 4.19.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2767
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23334d94-e5b8-4c88-8765-02ad19e17248
Custom Post Type Generator <= 2.4.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-33329
CVSS Score: 4.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23a2b1ac-2183-48ae-8376-fb950fe83fd9
QuBotChat <= 1.1.5 – Authenticated(Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2401
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45f98c00-0bfd-405e-a6b3-581841d803de
File Renaming on Upload <= 2.5.1 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2684
CVSS Score: 4.4 (Medium)
Researcher/s: Hao Huynh, My Le
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/550c3f56-d188-4be1-82cd-db076c09cf61
WP-Piwik <= 1.0.27 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Display Name
CVE ID: CVE-2023-33211
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68a520bb-261a-43f0-993d-de208035afe5
Novelist <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via Book Information Fields
CVE ID: CVE-2023-32958
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b8f64ed-abf8-4a8b-b32f-75afeaccea5c
Video Contest WordPress Plugin <= 3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2022-45827
CVSS Score: 4.4 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86079059-11c7-4545-b254-6bf524367b46
MailChimp Subscribe Forms <= 4.0.9.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-33328
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86f6e8b8-ebfd-4d9f-a285-9d0aa2e961ff
AI ChatBot <= 4.5.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2811
CVSS Score: 4.4 (Medium)
Researcher/s: NGO VAN TU
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9df97805-b425-49b1-86c1-e66213dacd2b
Easy Admin Menu <= 1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-33929
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fefab999-12e0-4866-a5a2-60f8faa64f89
WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_bulk_activate_product
CVE ID: CVE-2023-2895
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02fd8469-cd99-42dc-9a28-c0ea08512bb0
WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_duplicate_product
CVE ID: CVE-2023-2896
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/041830b8-f059-46f5-961b-3ba908d161f9
WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_deactivate_product
CVE ID: CVE-2023-2893
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1268604c-08eb-4d86-8e97-9cdaa3e19c1f
YouTube Playlist Player <= 4.6.4 – Cross-Site Request Forgery in ytpp_settings
CVE ID: CVE-2023-33931
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39aed7e9-05c6-4251-b489-de7a33ed2c2e
WooCommerce Follow-Up Emails <= 4.9.40 – Cross-Site Request Forgery
CVE ID: CVE-2023-33316
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fee61cd-7359-4193-8cf2-86e0527a8ef1
WP Tiles <= 1.1.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-25482
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52876909-3d2a-480d-9c47-39e96d088ff3
Video Contest WordPress Plugin <= 3.2 – Cross-Site Request Forgery
CVE ID: CVE-2022-45823
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/597fe53e-769e-4edd-b0b9-2bd2cff50da6
Flickr Justified Gallery <= 3.5 – Cross-Site Request Forgery via fjgwpp_settings()
CVE ID: CVE-2023-25473
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76a1d39e-8d69-4507-b75c-d376a2122d15
Abandoned Cart Lite for WooCommerce <= 5.14.1 – Cross-Site Request Forgery via delete_expired_used_coupon_code
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a1e51a99-f5d4-47d4-bead-00ca1f5f72c2
Custom Twitter Feeds (Tweets Widget) <= 1.8.4 – Cross-Site Request Forgery
CVE ID: CVE-2022-33974
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5a5f8c2-3fd6-4d31-a3b5-60bdb8c18491
WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_bulk_deactivate_product
CVE ID: CVE-2023-2894
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a68b8df9-9b50-4617-9308-76a2a9036d7a
WordPress Backup & Migration <= 1.4.0 – Missing Authorization via wt_delete_schedule
CVE ID: CVE-2023-33928
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce978334-42e1-4334-a2d1-c3966339e4fc
Product Gallery Slider for WooCommerce <= 2.2.8 – Cross-Site Request Forgery
CVE ID: CVE-2022-45372
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df911497-8504-424e-8717-42d0bb6c90f1
Abandoned Cart Lite for WooCommerce <= 5.14.1 – Cross-Site Request Forgery via ts_reset_tracking_setting
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e743e656-2dd9-43ed-a190-b03af7c75c54
JetFormBuilder <= 3.0.6 – Cross-Site Request Fogery via ‘do_admin_action’
CVE ID: CVE-2023-33212
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f37c4b2c-6f41-46b5-8427-b1883b39322e
UTM Tracker <= 1.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23822
CVSS Score: 3.3 (Low)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/077ec165-edd3-4c2c-b1ea-01ca5b80f779
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments