Wordfence Intelligence Weekly WordPress Vulnerability Report (June 26, 2023 to July 2, 2023)
Last week, there were 66 vulnerabilities disclosed in 56 WordPress plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and 34 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates
- WP Post Author <= 3.3.0 – Privilege Escalation
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 26 |
| Patched | 40 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 52 |
| High Severity | 9 |
| Critical Severity | 5 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Cross-Site Request Forgery (CSRF) | 22 |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 17 |
| Missing Authorization | 8 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Authentication Bypass Using an Alternate Path or Channel | 2 |
| Information Exposure | 2 |
| Server-Side Request Forgery (SSRF) | 2 |
| Improper Neutralization of Formula Elements in a CSV File | 2 |
| Improper Privilege Management | 1 |
| Incorrect Privilege Assignment | 1 |
| Use of Hard-coded Cryptographic Key | 1 |
| Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’) | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Lana Codes (Wordfence Vulnerability Researcher) | 6 |
| Cat | 5 |
| Erwan LR | 4 |
| Rafie Muhammad | 4 |
| Rafshanzani Suhada | 3 |
| Dave Jong | 2 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 2 |
| Dipak Panchal | 1 |
| NeginNrb | 1 |
| emad | 1 |
| Ravi Dharmawan | 1 |
| Justiice | 1 |
| Marc-Alexandre Montpas | 1 |
| Lukas Kinneberg | 1 |
| Kenichiro Ito | 1 |
| coogee86 | 1 |
| Muhammad Daffa | 1 |
| Mika | 1 |
| Elliot | 1 |
| Chris Shultz | 1 |
| Le Ngoc Anh | 1 |
| Hoang Van Hiep | 1 |
| FearZzZz | 1 |
| Felipe Restrepo Rodriguez | 1 |
| Edison Poveda | 1 |
| yuyudhn | 1 |
| Etan Imanol Castro Aldrete | 1 |
| Abdi Pranata | 1 |
| qilin_99 | 1 |
| Taurus Omar | 1 |
| Luca Greeb | 1 |
| Andreas Krüger | 1 |
| Abu Hurayra | 1 |
| Rafael B. | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| AN_GradeBook | an-gradebook |
| ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
| Active Directory Integration / LDAP Integration | ldap-login-for-intranet-sites |
| ApplyOnline – Application Form Builder and Manager | apply-online |
| Autochat Automatic Conversation | auyautochat-for-wp |
| AutomateWoo | automatewoo |
| Booked – Appointment Booking for WordPress | booked |
| Caldera Forms Google Sheets Connector | gsheetconnector-caldera-forms |
| Catalyst Connect Zoho CRM Client Portal | catalyst-connect-client-portal |
| Duplicate Post Page Menu & Custom Post Type | duplicate-post-page-menu-custom-post-type |
| Easy Accordion FAQ and Knowledge Base Software for WordPress | knowledge-center |
| Editorial Calendar | editorial-calendar |
| Email download link | email-download-link |
| EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | embedpress |
| Enhanced Text Widget | enhanced-text-widget |
| Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty | chaty |
| Form Builder \| Create Responsive Contact Forms | contact-form-add |
| Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor | front-editor |
| Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite | image-map-pro-lite |
| Image Regenerate & Select Crop | image-regenerate-select-crop |
| Layer Slider | slider-slideshow |
| LearnDash LMS | sfwd-lms |
| LiquidPoll – Advanced Polls for Creators and Brands | wp-poll |
| Login Configurator | login-configurator |
| Login/Signup Popup ( Inline Form + Woocommerce ) | easy-login-woocommerce |
| My Content Management | my-content-management |
| NEX-Forms – Ultimate Form Builder – Contact forms and much more | nex-forms-express-wp-form-builder |
| NOO Timetable | noo-timetable |
| POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress | post-smtp |
| Poll Maker – Best WordPress Poll Plugin | poll-maker |
| Post Hit Counter | post-hit-counter |
| Post to CSV by BestWebSoft | post-to-csv |
| Quiz Expert – Easy Quiz Maker, Exam and Test Manager | quiz-expert |
| Request a Quote | request-a-quote |
| SP Project & Document Manager | sp-client-document-manager |
| SW Product Bundles | sw-product-bundles |
| Salon booking system | salon-booking-system |
| Short URL | shorten-url |
| Subscribe2 – Form, Email Subscribers & Newsletters | subscribe2 |
| TrustProfile and reviews for WordPress | trustprofile |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member |
| WP Abstracts | wp-abstracts-manuscripts-manager |
| WP Job Board | wpjobboard |
| WP Post Author – The Ideal Author Box for WordPress Posts, Co-Authors and Guest Authors with Author Login and Registration Form Builder | wp-post-author |
| WP Social AutoConnect | wp-fb-autoconnect |
| WPFactory Helper | wpcodefactory-helper |
| WPGraphQL | wp-graphql |
| Waitlist Woocommerce ( Back in stock notifier ) | waitlist-woocommerce |
| Web3 – Crypto wallet Login & NFT token gating | web3-authentication |
| WebwinkelKeur: Webshop keurmerk & reviews for WordPress | webwinkelkeur |
| WooCommerce Google Sheet Connector | wc-gsheetconnector |
| WooCommerce Pre-Orders | woocommerce-pre-orders |
| WooCommerce Ship to Multiple Addresses | woocommerce-shipping-multiple-addresses |
| Woocommerce Order Barcodes | woocommerce-order-barcodes |
| WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) | miniorange-login-openid |
| houzez-crm | houzez-crm |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| The7 — Website and eCommerce Builder for WordPress | dt-the7 |
Vulnerability Details
WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.6.4 – Authentication Bypass
CVE ID: CVE-2023-2982
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08ca186a-2486-4a58-9c53-03e9eba13e66
WP Post Author <= 3.2.3 – Privilege Escalation
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/155e3de1-e115-4683-bb4d-a0c5667dc3d3
Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates
CVE ID: CVE-2023-3460
CVSS Score: 9.8 (Critical)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b0e763e-f03e-41fb-8c6c-4de5d3acae00
WPJobBoard <= 5.9.0 – Unauthenticated SQL Injection
CVE ID: CVE-2023-36525
CVSS Score: 9.8 (Critical)
Researcher/s: FearZzZz
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8cd1d385-001c-4c84-9a80-553315336a63
Web3 – Crypto wallet Login & NFT token gating <= 2.6.0 – Authentication Bypass
CVE ID: CVE-2023-3249
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e30b62de-7280-4c29-b882-dfa83e65966b
LearnDash LMS <= 4.6.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
CVE ID: CVE-2023-3105
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2318b3e1-268d-45fa-83bf-c6e88f1b9013
Houzez CRM <= 1.3.3 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2023-36529
CVSS Score: 8.8 (High)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54c14f04-32ec-4d05-b47b-3ff5e70c4daf
AN_GradeBook <= 5.0.1 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2023-2636
CVSS Score: 8.8 (High)
Researcher/s: Lukas Kinneberg
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60d59753-5b6b-4f3e-8faf-8053750ae05d
SP Project & Document Manager <= 4.67 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
CVE ID: CVE-2023-3063
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6dc2e720-85d9-42d9-94ef-eb172425993d
Short URL <= 1.6.4 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2022-46860
CVSS Score: 8.8 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86908097-a5b2-427a-85c9-fbe29b519883
Form Builder <= 1.9.9.0 – Unauthenticated CSV Injection
CVE ID: CVE-2023-23796
CVSS Score: 8.3 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/432807d0-64d8-49b1-a4ab-33aa8fbc5189
Active Directory Integration / LDAP Integration <= 4.1.5 – Authenticated (Subscriber+) LDAP Injection
CVE ID: CVE-2023-3447
CVSS Score: 7.6 (High)
Researcher/s: Luca Greeb, Andreas Krüger
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd7553e8-e43d-4740-b2ee-e3d8dc351e53
Post to CSV by BestWebSoft <= 1.4.0 – Authenticated (Author+) CSV Injection
CVE ID: CVE-2023-36527
CVSS Score: 7.4 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74f0af24-e4d9-4b89-b91e-c6ec3e3918e7
Autochat Automatic Conversation <= 1.1.7 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-3041
CVSS Score: 7.2 (High)
Researcher/s: Rafael B.
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9ad533d-4ec0-42a0-99fc-75fc59498c94
Email download link <= 3.7 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-36523
CVSS Score: 6.5 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/29d6df4e-eaf6-42ec-8cd9-7cf86908f4ef
POST SMTP Mailer <= 2.5.6 – Cross-Site Request Forgery to Account Compromise
CVE ID: CVE-2023-3179
CVSS Score: 6.5 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ca16602-52e6-4d14-99a5-ca4e26b9f377
Booked <= 2.4 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2022-36399
CVSS Score: 6.5 (Medium)
Researcher/s: coogee86
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f917973-e207-4ba3-b61b-e562e884fe0f
Image Regenerate & Select Crop <= 7.1.0 – Missing Authorization on multiple AJAX actions
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0eb165f-c979-4318-8362-ca47500ed845
AutomateWoo <= 5.7.5 – Missing Authorization
CVE ID: CVE-2023-36512
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb51383f-03c8-4e81-bfed-40fd9f5c4d20
Image Regenerate & Select Crop <= 7.1.0 – Cross-Site Request Forgery on multiple AJAX actions
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8596412-53d5-45ed-998a-49799bd269d0
Front User Submit | Front Editor <= 3.8.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5bc03b4a-f7ec-4827-b914-0560b9268b6f
NOO Timetable <= 2.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2022-45821
CVSS Score: 6.4 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5fab1ae8-2aa4-452a-a594-64088c92b5c3
Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite <= 1.0.0 – Missing Authorization to Stored Cross-Site Scripting
CVE ID: CVE-2023-3412
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b58403df-af09-4d74-88e6-140e3f2f291b
Layer Slider <= 1.1.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23798
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5ac3714-27f1-4258-a1ab-12b969b31793
Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite <= 1.0.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2023-3411
CVSS Score: 6.1 (Medium)
Researcher/s: Kenichiro Ito
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63e108f4-5d9d-4bcf-aef9-aa856f4241ea
WPFactory Helper <= 1.5.2 – Reflected Cross-Site Scripting via item_slug
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c77259a-cdf3-4fa0-b468-9e98645293fe
WooCommerce Pre-Orders <= 2.0.1 – Reflected Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Chris Shultz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f73d0a6-2eae-4d85-96ce-db5902bd6e3a
Login Configurator <= 2.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-1893
CVSS Score: 6.1 (Medium)
Researcher/s: Taurus Omar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb148264-c75e-4e73-95d7-3a06cdd8990e
WPGraphQL <= 1.14.5 – Authenticated (Editor+) Server-Side Request Forgery
CVE ID: CVE-2023-23684
CVSS Score: 5.5 (Medium)
Researcher/s: Ravi Dharmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38efd6d6-b931-41a7-b55d-b98cdeef4145
Waitlist Woocommerce ( Back in stock notifier ) <= 2.5.2 – Cross-Site Request Forgery via reset_settings
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69cc2fd1-b576-49f6-8afc-54f00058de8c
Editorial Calendar <= 3.7.12 – Authenticated (Contributor+) Insecure Direct Object Reference
CVE ID: CVE-2023-36520
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f01ad95-7a51-408c-917f-4350dbeabb2b
Salon Booking System <= 8.4.6 – Cross-Site Request Forgery to Admin Role Change to Customer, User Meta Update via save_customer
CVE ID: CVE-2023-3427
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93875f19-d9b9-4e33-bba9-afc75cf26bf2
EmbedPress <= 3.7.3 – Sensitive Information Exposure
CVE ID: CVE-2023-3371
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1033b4d-82a0-4484-aebf-f35d6a2a9a13
NEX-Forms – Ultimate Form Builder <= 8.4.3 – Authenticated Stored Cross-Site Scripting via Form Name
CVE ID: CVE-2023-0439
CVSS Score: 4.8 (Medium)
Researcher/s: Felipe Restrepo Rodriguez, Edison Poveda
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a333d5b4-cedf-40ac-8da9-f4965d2a397a
Poll Maker <= 4.6.2 – Authenticated (Admin+) Server-Side Request Forgery
CVE ID: CVE-2023-34013
CVSS Score: 4.7 (Medium)
Researcher/s: Abu Hurayra
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e55ba61d-6fd0-4269-8ee9-3b8645d52e1d
Floating Chat Widget – Chaty <= 3.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-3245
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a158653-f80c-48a3-840e-20ee7e85925a
SP Project & Document Manager <= 4.67 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-36530
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37eb77ed-0b2e-46ea-806d-8041742eab5d
Knowledge Center <= 2.7 – Authenticated (Admin+) Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6309c706-f84a-4997-9a9b-1bd8cf8f711a
Catalyst Connect Zoho CRM Client Portal <= 2.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2022-44629
CVSS Score: 4.4 (Medium)
Researcher/s: Hoang Van Hiep
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88cea535-1042-4011-aee9-684d7661e193
My Content Management <= 1.7.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fc18fee-5813-4134-8c4d-44710665857a
ApplyOnline – Application Form Builder and Manager <= 2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-24391
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5dbcc22-ab2e-4114-a7d7-bac01a5c5b3f
Short URL <= 1.6.4 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1602
CVSS Score: 4.4 (Medium)
Researcher/s: Etan Imanol Castro Aldrete
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5f29f35-da79-4389-a0a5-a1be0b0b8996
ARMember <= 4.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2022-47421
CVSS Score: 4.4 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa2ed43b-cd8f-4d09-8576-d215c835a684
NOO Timetable <= 2.1.3 – Cross-Site Request Forgery
CVE ID: CVE-2022-45828
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13046019-f390-48ae-bf08-53293c41f178
Waitlist Woocommerce ( Back in stock notifier ) <= 2.5.2 – Cross-Site Request Forgery to Settings Reset
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20910787-b99d-475e-acc9-cc2bb669aa56
TrustProfile <= 3.24 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/296f15eb-0782-4351-a2c5-c8ef6f005352
Quiz Expert – Easy Quiz Maker, Exam and Test Manager <= 1.5.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-36522
CVSS Score: 4.3 (Medium)
Researcher/s: NeginNrb
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32ee3eb8-18b7-47da-b4f9-cb252ffabc71
Login/Signup Popup <= 2.3 – Cross-Site Request Forgery to Settings Reset
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3fa62b8f-1c2f-4bc9-9f2a-8b9765c2d30d
Post Hit Counter <= 1.3.2 – Missing Authorization
CVE ID: CVE-2023-36518
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4049f8fb-ad81-4f09-97b3-39ac6a9275d6
Duplicate Post Page Menu & Custom Post Type <= 2.3.1 – Missing Authorization
CVE ID: CVE-2023-36526
CVSS Score: 4.3 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44e84fd9-bc83-4780-ab7a-8898a8c5c78a
The7 <= 11.6.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-32123
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f481478-5dc9-4b11-ba3e-1942882a9f43
WP Social AutoConnect <= 4.6.1 – Cross-Site Request Forgery via jfb_admin_page
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50f69182-66c0-4d3a-aabe-015b72937f3e
Enhanced Text Widget <= 1.5.7 – Missing Authorization
CVE ID: CVE-2023-23823
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7487f72c-9852-4651-a848-239d4882bbf8
Subscribe2 <= 10.40 – Cross-Site Request Forgery
CVE ID: CVE-2023-3407
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92b4d800-2895-4f7b-8b3b-ee6df75a7908
Request a Quote <= 2.3.10 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9854d09a-2fab-46e6-9fc1-ff6d68df2662
WebwinkelKeur <= 3.24 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a077e95f-7912-4b94-89f3-54f37adfcd8e
AutomateWoo <= 5.7.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-36513
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a33c8a80-e11e-403d-9eb0-e1c5b59204b0
LiquidPoll – Advanced Polls for Creators and Brands <= 3.3.68 – Missing Authorization via activate_addon
CVE ID: CVE-2023-36531
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa154536-9f9f-48c3-96c7-4091991e4f6c
SW Product Bundles <= 2.0.15 – Missing Authorization
CVE ID: CVE-2023-36519
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0ceff94-e312-41da-acec-15d550aba792
POST SMTP Mailer <= 2.5.6 – Cross-Site Request Forgery to Arbitrary Log Deletion
CVE ID: CVE-2023-3178
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1af4be1-a9d6-4f44-91b3-22cf3130cc34
Caldera Forms Google Sheets Connector <= 1.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-2330
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b5ec03e9-06bb-4677-b480-4ebdb33acd08
WooCommerce Ship to Multiple Addresses <= 3.8.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-36514
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bda44801-6599-459d-a70c-164f563bf158
Subscribe2 <= 10.40 – Missing Authorization
CVE ID: CVE-2023-1844
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c34ce601-5cf9-433f-bc9d-5c705eba6b08
WP Abstracts <= 2.6.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-36517
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5b74908-65ed-4b6f-856f-e95cfd64f998
WooCommerce Order Barcodes <= 1.6.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-36511
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cefa38d0-7da1-48dd-98d7-fe2f36e19d7c
WooCommerce Google Sheet Connector <= 1.3.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-2329
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e30e64e7-5de9-4eb3-914f-457daa6f3fe5
As a reminder, Wordfence has curated an industry-leading vulnerability database of all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.