Wordfence Intelligence Weekly WordPress Vulnerability Report (August 14, 2023 to August 20, 2023)
Last week, there were 64 vulnerabilities disclosed in 67 WordPress Plugins and 10 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Avada <= 7.11.1 – Authenticated(Contributor+) Server Side Request Forgery
- Avada <= 7.11.1 – Authenticated(Author+) Arbitrary File Upload via Zip Extraction
- Post Grid <= 2.2.50 – Missing Authorization to Sensitive Information Exposure via REST API
- WAF-RULE-627, data redacted while we work with the developer to ensure this gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 24 |
Patched | 40 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 1 |
Medium Severity | 50 |
High Severity | 9 |
Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 26 |
Missing Authorization | 12 |
Cross-Site Request Forgery (CSRF) | 9 |
Improper Privilege Management | 2 |
Use of Less Trusted Source | 2 |
Information Exposure | 2 |
Deserialization of Untrusted Data | 1 |
Server-Side Request Forgery (SSRF) | 1 |
Improper Control of Generation of Code (‘Code Injection’) | 1 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
Improper Authorization | 1 |
Improper Access Control | 1 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 1 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
Weak Password Recovery Mechanism for Forgotten Password | 1 |
Unrestricted Upload of File with Dangerous Type | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Abdi Pranata | 5 |
Marco Wotschka (Wordfence Vulnerability Researcher) |
4 |
Lana Codes (Wordfence Vulnerability Researcher) |
4 |
Mika | 4 |
minhtuanact | 3 |
thiennv | 3 |
David | 2 |
Truoc Phan | 2 |
Rio Darmawan | 2 |
LEE SE HYOUNG | 2 |
Yuki Haruma | 2 |
Muhammad Arsalan Diponegoro | 2 |
Jonatas Souza Villa Flor | 1 |
Ivy | 1 |
Random Robbie | 1 |
Nithissh S | 1 |
TomS | 1 |
NGÔ THIÊN AN | 1 |
Le Ngoc Anh | 1 |
Debangshu Kundu | 1 |
Arpeet Rathi | 1 |
Rafie Muhammad | 1 |
Utkarsh Agrawal | 1 |
Hung Duong | 1 |
Bartłomiej Marek | 1 |
Tomasz Swiadek | 1 |
Prasanna V Balaji | 1 |
Nguyen Xuan Chien | 1 |
Elliot | 1 |
Lokesh Dachepalli | 1 |
Rafshanzani Suhada | 1 |
Dmitrii Ignatyev | 1 |
Dmitrii | 1 |
Skalucy | 1 |
yuyudhn | 1 |
Francesco Carlucci | 1 |
Jonas Höbenreich | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
123.chat – 1:1 Live Video Chat Tool Plugin | 123-chat-videochat |
Accordion Slider | accordion-slider |
Accordion and Accordion Slider | accordion-and-accordion-slider |
Advanced File Manager | file-manager-advanced |
Album and Image Gallery plus Lightbox | album-and-image-gallery-plus-lightbox |
BigBlueButton | bigbluebutton |
Blog Designer – Post and Widget | blog-designer-for-post-and-widget |
CLUEVO LMS, E-Learning Platform | cluevo-lms |
CT Commerce | ct-commerce |
Carrrot | carrrot |
Cleverwise Daily Quotes | cleverwise-daily-quotes |
Comments Like Dislike | comments-like-dislike |
Contact form 7 Custom validation | cf7-field-validation |
Cookies and Content Security Policy | cookies-and-content-security-policy |
Cost Calculator Builder | cost-calculator-builder |
Countdown Timer Ultimate | countdown-timer-ultimate |
Custom Admin Login Page | WPZest | custom-admin-login-styler-wpzest |
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress | charitable |
Donations Made Easy – Smart Donations | smart-donations |
Doofinder WP & WooCommerce Search | doofinder-for-woocommerce |
Dynamic Pricing and Discount Rules for WooCommerce | woo-conditional-discount-rules-for-checkout |
Enhanced Ecommerce Google Analytics for WooCommerce | woo-ecommerce-tracking-for-google-and-facebook |
Event Tickets with Ticket Scanner | event-tickets-with-ticket-scanner |
GD Security Headers | gd-security-headers |
InfiniteWP Client | iwp-client |
JS Help Desk – Best Help Desk & Support Plugin | js-support-ticket |
Kanban Boards for WordPress | kanban |
Make Paths Relative | make-paths-relative |
Media from FTP | media-from-ftp |
Meta Slider and Carousel with Lightbox | meta-slider-and-carousel-with-lightbox |
Orders Tracking for WooCommerce | woo-orders-tracking |
Paid Memberships Pro CCBill Gateway | pmpro-ccbill |
Password Reset with Code for WordPress REST API | bdvs-password-reset |
Plausible Analytics | plausible-analytics |
Portfolio Gallery – Responsive Image Gallery | gallery-portfolio |
Portfolio and Projects | portfolio-and-projects |
Post Ticker Ultimate | ticker-ultimate |
Post grid and filter ultimate | post-grid-and-filter-ultimate |
Products Quick View for WooCommerce | woocommerce-products-quick-view |
Putler Connector for WooCommerce – Accurate Analytics and Reports for your WooCommerce Store | woocommerce-putler-connector |
RSVPMaker | rsvpmaker |
Schedule Posts Calendar | schedule-posts-calendar |
Serial Codes Generator and Validator with WooCommerce Support | serial-codes-generator-and-validator |
Simple Org Chart | simple-org-chart |
Simple Staff List | simple-staff-list |
Smart SEO Tool – SEO优化插件 | smart-seo-tool |
Stripe Payment Plugin for WooCommerce | payment-gateway-stripe-and-woocommerce-integration |
Tabs & Accordion | tabs |
Team Slider and Team Grid Showcase plus Team Carousel | wp-team-showcase-and-slider |
Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget | wp-testimonial-with-widget |
Timeline and History slider | timeline-and-history-slider |
Trending/Popular Post Slider and Widget | wp-trending-post-slider-and-widget |
Typing Effect | animated-typing-effect |
User Activity Log | user-activity-log |
User Submitted Posts – Enable Users to Submit Posts from the Front End | user-submitted-posts |
Video Gallery for YouTube Videos and WordPress | youtube-showcase |
Video gallery and Player | html5-videogallery-plus-player |
WP LINE Notify | wp-line-notify |
WP Remote Users Sync | wp-remote-users-sync |
WP VR – 360 Panorama and Virtual Tour Builder For WordPress | wpvr |
WP-PostRatings | wp-postratings |
WebLibrarian | weblibrarian |
WooCommerce PDF Invoice Builder, Create invoices, packing slips and more | woo-pdf-invoice-builder |
WordPress Mortgage Calculator Estatik | estatik-mortgage-calculator |
fitness calculators plugin | fitness-calculators |
tagDiv Composer | td-composer |
wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | wpdatatables |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Aapna | aapna |
Anand | anand |
Anfaust | anfaust |
Arendelle | arendelle |
Atlast Business | atlast-business |
Bazaar Lite | bazaar-lite |
Brain Power | brain-power |
BunnyPressLite | bunnypresslite |
Cafe Bistro | cafe-bistro |
College | college |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
Kanban Boards <= 2.5.21 – Authenticated (Administrator+) Remote Code Execution
CVE ID: CVE-2023-40606
CVSS Score: 9.8 (Critical)
Researcher/s: TomS
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3adea276-6b55-422d-adc9-a767f569181c
Donation Forms by Charitable <= 1.7.0.12 – Unauthenticated Privilege Escalation
CVE ID: CVE-2023-4404
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/522ecc1c-5834-4325-9234-79cf712213f3
Contact form 7 Custom validation <= 1.1.3 – Unauthenticated SQL Injection via ‘post’
CVE ID: CVE-2023-40609
CVSS Score: 9.8 (Critical)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbfc52a4-6c9d-480b-9247-1513318ff84b
Password Reset with Code for WordPress REST API <= 0.0.15 – Weak Password Recovery Mechanism
CVE ID: CVE-2023-35039
CVSS Score: 9.8 (Critical)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f44b9e6d-2f84-45f6-9f74-3f23b03c5a49
WP Remote Users Sync <= 1.2.12 – Authenticated (Subscriber+) Server Side Request Forgery
CVE ID: CVE-2023-3958
CVSS Score: 8.5 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e78c759-4a54-4ee4-8eff-df91fe9dad46
InfiniteWP Client <= 1.11.1 – Authenticated (Subscriber+) Sensitive Information Exposure
CVE ID: CVE-2023-2916
CVSS Score: 7.5 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa157c80-447f-4406-9e49-9cc6208b7b19
User Submitted Posts <= 20230809 – Unauthenticated Stored Cross-Site Scripting via ‘user-submitted-content’
CVE ID: CVE-2023-4308
CVSS Score: 7.2 (High)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bb4d37c-c4c2-4523-9b4e-73ffb7be81ea
tagDiv Composer <= 4.1 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-3169
CVSS Score: 7.2 (High)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6998cf4c-6086-402b-a95f-ee6a4980dffb
Cleverwise Daily Quotes <= 3.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-40335
CVSS Score: 7.2 (High)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71f7733a-1350-4e22-98d8-28be401aee69
GD Security Headers <= 1.6.1 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-40330
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ce32ecf-6995-4794-8559-2f84533ecf50
RSVPMarker <= 10.6.5 – Unauthenticated Stored Cross-Site Scripting via ’email’
CVE ID: CVE-2023-27616
CVSS Score: 7.2 (High)
Researcher/s: Muhammad Arsalan Diponegoro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aaf0e58c-0430-44fe-980f-8ea469802c86
Mortgage Calculator Estatik <= 2.0.7 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-40601
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb73e92b-b807-4406-b378-cef6cff9eb82
JS Help Desk – Best Help Desk & Support Plugin <= 2.7.7 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2023-25444
CVSS Score: 7.2 (High)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa75366a-651c-43d0-a32b-cdabf5b07b66
wpDataTables – Tables & Table Charts <= 2.1.65 – Authenticated(Administrator+) PHP Object Injection
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c458644-a799-4bea-abcb-06a946dc19df
Advanced File Manager <= 5.1 – Authenticated(Administrator+) Arbitrary File and Folder Access
CVE ID: CVE-2023-3814
CVSS Score: 6.6 (Medium)
Researcher/s: Dmitrii
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ceba35c3-16b0-4366-b33c-603bdc2c1006
Gallery Portfolio <= 1.4.6 – Missing Authorization via Multiple AJAX actions
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96112707-04ca-4647-9008-31954764486f
Event Tickets with Ticket Scanner <= 1.5.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ec40d89-9caa-44dc-8577-00fa6463348c
BigBlueButton <= 3.0.0-beta.4 – Authenticated (Author+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f829d21-5347-46ec-9218-2b3cbe7d7b95
Serial Codes Generator and Validator with WooCommerce Support <= 2.4.14 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4886822-3a05-45b3-ad1d-4d4a4f921817
Typing Effect <= 1.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-40605
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db12f986-580e-4e81-8bd2-124393e5d21b
Media from FTP <= 11.16 – Authenticated (Author+) Improper Privilege Management
CVE ID: CVE-2023-4019
CVSS Score: 6.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9764d402-b8a2-43d5-882a-bc3886078b7f
LINE Notify <= 1.4.4 – Reflected Cross-Site Scripting via ‘uid’
CVE ID: CVE-2023-30497
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b4e7c02-48d3-4271-a3bc-e7d3256b7217
Multiple Themes (Various Versions) – Reflected Cross-Site Scripting via Search Field
CVE ID: CVE-2023-2813
CVSS Score: 6.1 (Medium)
Researcher/s: Random Robbie
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32253923-ffec-4312-bcdf-06c5aed77d30
Plausible Analytics <= 1.3.3 – Reflected Cross-Site Scripting via page-url
CVE ID: CVE-2023-40553
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ed6d5e6-1094-46ec-afb9-43c142f334ed
WebLibrarian <= 3.5.8.1 – Reflected Cross-Site Scripting via multiple parameters
CVE ID: CVE-2023-29441
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b4b05a8-3a32-4fa9-9ff5-a2a62b11a05d
Donations Made Easy – Smart Donations <= 4.0.12 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-40664
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/799975aa-44fe-48dc-8ac9-469c89a03c67
WP VR <= 8.3.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-40663
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc08e4cf-3964-406e-9046-420e749df4b5
Fitness calculators plugin <= 2.0.7 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
CVE ID: CVE-2023-40552
CVSS Score: 5.5 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aafbdd50-c78b-4aad-a3e2-f1339d698e77
Smart SEO Tool-WordPress SEO优化插件 <= 4.0.1 – Cross-Sitquest Forgery via ‘wp_ajax_wb_smart_seo_tool’
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/078d06ad-555b-4de4-a032-d81440c7dfb5
Doofinder for WooCommerce <= 1.5.49 – Unauthenticated Open Redirect
CVE ID: CVE-2023-40602
CVSS Score: 5.4 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7414779e-7241-4ab2-9b1f-34c3e1acc66b
Cost Calculator Builder <= 3.1.42 – Improper Authorization
CVE ID: CVE-2023-40011
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94d60fcb-a542-41a9-b6ac-6ac2607068aa
WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking <= 3.7.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-40561
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3f7e1a4-88b2-4069-adb8-d51278b48234
Putler Connector for WooCommerce <= 2.12.0 – Missing Authorization via ‘putler_connector_sync_complete’
CVE ID: CVE-2023-40327
CVSS Score: 5.3 (Medium)
Researcher/s: David
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09a1388e-6c87-44cd-a137-4212b569423b
Multiple WPOnlineSupport Plugins <= (Various Versions) – Missing Authorization to Notice Dismissal
CVE ID: CVE-2023-40200
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2931fda2-edc8-44ea-9fff-ae9d94aa01bf
Paid Memberships Pro CCBill Gateway <= 0.3 – Insufficient Authorization
CVE ID: CVE-2023-40608
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47bb46df-3ed6-4331-8c05-c76331aa6995
Comments Like Dislike <= 1.2.0 – Missing Authorization to Authenticated (Subscriber+) Plugin Setting Reset
CVE ID: CVE-2023-3244
CVSS Score: 5.3 (Medium)
Researcher/s: Hung Duong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66019297-a8a8-4bbc-99db-4b47066f3e50
WP-PostRatings <= 1.91 – IP Spoofing
CVE ID: CVE-2023-40332
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6aed9434-1681-47d6-bbc1-0815db548a24
User Activity Log <= 1.6.6 – IP Address Spoofing
CVE ID: CVE-2023-4279
CVSS Score: 5.3 (Medium)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77462f1f-f7d8-4d11-aaf1-82395897fcfa
Cookies and Content Security Policy <= 2.15 – Sensitive Information Exposure
CVE ID: CVE-2023-40662
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79e68c5b-1f1a-4af3-acf4-1a38f2d72424
Simple Org Chart <= 2.3.4 – Missing Authorization
CVE ID: CVE-2023-40603
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c674ec32-7959-414a-8c31-3455bebb47bb
Stripe Payment Plugin for WooCommerce <= 3.7.9 – Missing Authorization to Arbitrary Order Status Modification
CVE ID: CVE-2023-4040
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef543c61-2acc-4b72-81ff-883960d4c7c3
123.chat <= 1.3.0 – Authenticated(Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-4298
CVSS Score: 4.4 (Medium)
Researcher/s: Jonatas Souza Villa Flor
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a0ced4d-368d-4f12-9099-1f8c0b0fe245
tagDiv Composer <= 4.1 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-3170
CVSS Score: 4.4 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3861f675-1a26-4947-91ef-8ab04646704f
CT Commerce <= 2.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
CVE ID: CVE-2023-40007
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/399109be-7efe-428e-a9b8-7a68864b2790
Schedule Posts Calendar <= 5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
CVE ID: CVE-2023-40560
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c815c2-a5ea-431c-bfde-c08a4eb5fda6
WooCommerce PDF Invoice Builder <= 1.2.90 – Authenticated (Administrator+) Cross-Site Scripting
CVE ID: CVE-2023-4160
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a765360-8603-4ba1-a6db-dd0175ff3ddf
Carrot <= 1.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-40328
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77fa042d-1e4f-4344-bf5a-3860add7aae3
Custom Admin Login Page | WPZest <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-40329
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/906dcf2a-6be1-4966-9a70-1ef9a8f1017d
RSVPMarker <= 10.6.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
CVE ID: CVE-2023-27617
CVSS Score: 4.4 (Medium)
Researcher/s: Muhammad Arsalan Diponegoro
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfb27513-61ad-4cf0-a471-0ab7aeb0801b
Simple Staff List <= 2.2.3 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28790
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5880581-3505-4851-b32f-cd2873072f73
WooCommerce PDF Invoice Builder <= 1.2.89 – Missing Authorization to Sensitive Information Exposure
CVE ID: CVE-2023-4245
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/200fbfc1-df21-43b0-8eb1-b2ba0cc0c0df
WP Remote Users Sync <= 1.2.11 – Missing Authorization to Authenticated (Subscriber+) Log View
CVE ID: CVE-2023-4374
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e87cfc4-8e7c-47d6-80fc-9c293cdd8acb
Putler Connector for WooCommerce <= 2.12.0 – Missing Authorization via ‘send_resync_request’
CVE ID: CVE-2023-40326
CVSS Score: 4.3 (Medium)
Researcher/s: David
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38537f60-52f4-4007-b26f-6948b9263931
Products Quick View for WooCommerce <= 2.2.0 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39c9f055-2527-4678-bda1-27a29ab24acd
WooCommerce PDF Invoice Builder <= 1.2.90 – Cross-Site Request Forgery to Custom Field Creation
CVE ID: CVE-2023-4161
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b7aac1c-6962-49cf-850f-ab7b1d220090
Accordion Slider <= 1.9.6 – Missing Authorization to Notice Dismissal
CVE ID: CVE-2023-40331
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3dc69bba-39e0-46bd-8cdb-7cf1f7d36282
CLUEVO LMS, E-Learning Platform <= 1.10.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-40607
CVSS Score: 4.3 (Medium)
Researcher/s: Debangshu Kundu, Arpeet Rathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/414165a3-78f8-4254-ac24-2de177cad3dd
Schedule Posts Calendar <= 5.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-40556
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d4f490e-c86e-490e-8041-36c154b890aa
Make Paths Relative <= 1.3.0 – Cross-Site Request Forgery via ‘admin/class-make-paths-relative-admin.php’
CVE ID: CVE-2023-27433
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85317781-7e77-4a78-af67-0a1dce39364c
Simple Org Chart <= 2.3.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-28791
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8d413350-f520-4dd9-af7d-e776628aef1d
WooCommerce Dynamic Pricing and Discount Rules <= 2.4.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-40559
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d624f234-c57a-4a66-900d-362194a79d34
Video Gallery & Management <= 3.3.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-40558
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e226d75f-37b2-4af2-bba0-0fd3a96cc1a0
Tabs & Accordion <= 1.3.10 – Authenticated (Contributor+) Content Injection
CVE ID: CVE-2023-40557
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eaead805-b122-4418-a4a0-cf1b0925f3c3
Orders Tracking for WooCommerce <= 1.2.5 – Authenticated (Administrator+) Directory Traversal via ‘file_url’
CVE ID: CVE-2023-4216
CVSS Score: 2.7 (Low)
Researcher/s: Utkarsh Agrawal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a62e8b2-7606-4842-8be5-dff8634539d0
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments