Wordfence Intelligence Weekly WordPress Vulnerability Report (October 2, 2023 to October 8, 2023)
Last week, 92 vulnerabilities in 88 WordPress plugins and no WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 37 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone in the WordPress community and beyond, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook integration are completely free to access and use both personally and commercially, and why we are running this weekly vulnerability report.
Individuals and Enterprises can use the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
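The practical use of the database dump described above is to match it against what is actually installed on a site. The following is an added example, not code from Wordfence or from this report: it takes a small feed excerpt constructed from three entries later in this report and a constructed list of installed plugin versions, and reports which installed plugins fall inside an affected range. The record shape (`affected_versions` with `from_version`/`to_version` and inclusive flags, plus a `patched` flag) is an assumption loosely modeled on the Wordfence Intelligence API and is not the authoritative schema; check the API documentation before relying on field names. The version comparison is the part worth getting right: `5.0.110` must sort above `5.0.9`, `2.1` must equal `2.1.0`, and a pre-release such as `7.1.1-beta1` must sort below `7.1.1` so that it still counts as affected by a `<= 7.1.1` range.

```python
"""Match installed WordPress plugin versions against a vulnerability feed.

FEED and INSTALLED below are CONSTRUCTED sample data for this example.
The feed entries are taken from the report; the record layout is an
ASSUMPTION modeled on the Wordfence Intelligence API, not its real schema.
"""
import re
from dataclasses import dataclass
from typing import Optional

FEED = [
    {   # Unpatched: no fixed release exists, so updating cannot help.
        "id": "17240c75-4e2a-45d2-8114-414c7e81af87",
        "title": "Dropshipping & Affiliation with Amazon <= 2.1.2 - "
                 "Authenticated (Subscriber+) Arbitrary File Upload",
        "cve": "CVE-2023-31215", "cvss": 8.8,
        "software": [{"slug": "wp-amazon-shop", "patched": False,
                      "affected_versions": [{"from_version": "*", "to_version": "2.1.2",
                                             "from_inclusive": True, "to_inclusive": True}]}],
    },
    {   # Bounded range: only 2.1.0 through 2.2.1 are affected.
        "id": "39003835-80df-49c7-982a-346bf328565c",
        "title": "WPGetAPI 2.1.0 - 2.2.1 - Authenticated (Subscriber+) Arbitrary Options Update",
        "cve": None, "cvss": 6.3,
        "software": [{"slug": "wpgetapi", "patched": True,
                      "affected_versions": [{"from_version": "2.1.0", "to_version": "2.2.1",
                                             "from_inclusive": True, "to_inclusive": True}]}],
    },
    {
        "id": "1810cea5-cfca-4699-bf09-0e474d04acb6",
        "title": "Advanced Page Visit Counter <= 7.1.1 - Authenticated (Contributor+) SQL Injection",
        "cve": "CVE-2023-45074", "cvss": 8.8,
        "software": [{"slug": "advanced-page-visit-counter", "patched": True,
                      "affected_versions": [{"from_version": "*", "to_version": "7.1.1",
                                             "from_inclusive": True, "to_inclusive": True}]}],
    },
]

# Constructed inventory: slug -> installed version, as a site scanner would collect it.
INSTALLED = {
    "wp-amazon-shop": "2.1.2",                      # at the inclusive upper bound: affected
    "wpgetapi": "2.0.9",                            # below the range start: not affected
    "advanced-page-visit-counter": "7.1.1-beta1",   # pre-release of 7.1.1: still affected
    "form-maker": "1.15.19",                        # not present in this feed excerpt
}


def parse_version(v: str) -> tuple:
    """Split '2.9.9.4.0' or '7.1.1-beta1' into a comparable tuple.

    Numeric parts become (1, int) so they compare numerically; textual parts
    become (0, str) so a pre-release tag sorts below any number.
    """
    parts = []
    for piece in re.split(r"[.\-_+]", v.strip()):
        if piece.isdigit():
            parts.append((1, int(piece)))
        elif piece:
            parts.append((0, piece.lower()))
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Missing trailing components count as numeric 0,
    so '2.1' == '2.1.0' and '7.1.1-beta1' < '7.1.1'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += ((1, 0),) * (n - len(pa))
    pb += ((1, 0),) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def version_in_range(version: str, rng: dict) -> bool:
    """'*' on either side means unbounded; inclusive flags default to True."""
    lo, hi = rng["from_version"], rng["to_version"]
    if lo != "*":
        c = compare_versions(version, lo)
        if c < 0 or (c == 0 and not rng.get("from_inclusive", True)):
            return False
    if hi != "*":
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and not rng.get("to_inclusive", True)):
            return False
    return True


@dataclass
class Finding:
    slug: str
    installed: str
    title: str
    cve: Optional[str]
    cvss: float
    patched: bool

    @property
    def action(self) -> str:
        # An unpatched entry has no fixed release; the only remediation is removal.
        return "update" if self.patched else "deactivate/remove"


def match_installed(installed: dict, feed: list) -> list:
    """Return Findings for every installed plugin inside an affected range,
    ordered for triage: unpatched first, then by CVSS descending."""
    findings = []
    for rec in feed:
        for sw in rec["software"]:
            ver = installed.get(sw["slug"])
            if ver is None:
                continue
            if any(version_in_range(ver, r) for r in sw["affected_versions"]):
                findings.append(Finding(sw["slug"], ver, rec["title"],
                                        rec["cve"], rec["cvss"], sw["patched"]))
    findings.sort(key=lambda f: (f.patched, -f.cvss))
    return findings


if __name__ == "__main__":
    for f in match_installed(INSTALLED, FEED):
        print(f"{f.slug} {f.installed}: {f.title} [{f.cve or 'no CVE'}, "
              f"CVSS {f.cvss}] -> {f.action}")
```

Run against a real dump, the same loop is the whole scanner; the point of separating `compare_versions` from the range logic is that version ordering is where such tools silently go wrong (string comparison would rank `5.0.9` above `5.0.110`). The triage ordering also encodes the key caveat of this report: a "Patched" entry is resolved by updating, while an "Unpatched" one has no update to apply and the plugin should be deactivated and removed until a fix ships.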
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 57 |
Patched | 35 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 1 |
Medium Severity | 80 |
High Severity | 11 |
Critical Severity | 0 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 37 |
Cross-Site Request Forgery (CSRF) | 30 |
Missing Authorization | 11 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 7 |
Information Exposure | 3 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
Unrestricted Upload of File with Dangerous Type | 1 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
Guessable CAPTCHA | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Mika | 19 |
Rio Darmawan | 7 |
yuyudhn | 5 |
Lana Codes (Wordfence Vulnerability Researcher) | 5 |
Abdi Pranata | 5 |
Rafie Muhammad | 3 |
Vladislav Pokrovsky | 2 |
Taihei Shimamine | 2 |
minhtuanact | 2 |
spacecroupier | 2 |
Prasanna V Balaji | 2 |
Le Ngoc Anh | 2 |
deokhunKim | 2 |
Alex Thomas (Wordfence Vulnerability Researcher) | 2 |
LEE SE HYOUNG | 2 |
BuShiYue | 1 |
Phd | 1 |
TomS | 1 |
OZ1NG (TOOR, LISA) | 1 |
thiennv | 1 |
konagash | 1 |
Robert DeVore | 1 |
qilin_99 | 1 |
Jonas Höbenreich | 1 |
NeginNrb | 1 |
emad | 1 |
Joshua Chan | 1 |
An Đặng | 1 |
Emili Castells | 1 |
resecured.io | 1 |
Marco Wotschka (Wordfence Vulnerability Researcher) | 1 |
Nguyen Anh Tien | 1 |
n0paew | 1 |
Ravi Dharmawan | 1 |
Truoc Phan | 1 |
Yebin Lee | 1 |
Nithissh S | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
AI ChatBot | chatbot |
AI Content Writing Assistant (Content Writer, GPT 3 & 4, ChatGPT, Image Generator) All in One | ai-content-writing-assistant |
Abandoned Cart Lite for WooCommerce | woocommerce-abandoned-cart |
Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress | advanced-page-visit-counter |
AmpedSense – AdSense Split Tester | ampedsense-adsense-split-tester |
Automated Editor | automated-editor |
Blog Filter – Advanced Post Filtering with Categories Or Tags, Post Portfolio Gallery, Blog Design Template, Post Layout | blog-filter |
Blog Manager Light | blog-manager-light |
Bold Timeline Lite | bold-timeline-lite |
Booster for WooCommerce | woocommerce-jetpack |
Bulk NoIndex & NoFollow Toolkit | bulk-noindex-nofollow-toolkit-by-mad-fish |
Captcha/Honeypot (CF7, Avada, Elementor, Comments, WPForms) – GDPR ready | captcha-for-contact-form-7 |
Category Meta plugin | wp-category-meta |
Comment Reply Email | comment-reply-email |
Complete Open Graph | complete-open-graph |
Connect to external APIs – WPGetAPI | wpgetapi |
Contact Form by Supsystic | contact-form-by-supsystic |
Contact form Form For All – Easy to use, fast, 37 languages. | formforall |
Copy or Move Comments | copy-or-move-comments |
Customer Reviews for WooCommerce | customer-reviews-woocommerce |
Dropshipping & Affiliation with Amazon | wp-amazon-shop |
Export All Posts, Products, Orders, Refunds & Users | wp-ultimate-exporter |
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker |
Fotomoto | fotomoto |
Geo Controller | cf-geoplugin |
GoodBarber | goodbarber |
Gumroad | gumroad |
Hitsteps Web Analytics | hitsteps-visitor-manager |
Hotjar | hotjar |
IRivYou – Add reviews from AliExpress and Amazon to woocommerce | wooreviews-importer |
Image vertical reel scroll slideshow | image-vertical-reel-scroll-slideshow |
Instagram for WordPress | instagram-for-wordpress |
Interactive World Map | interactive-world-map |
LeadSquared Suite | leadsquared-suite |
MStore API | mstore-api |
Mailrelay | mailrelay |
Marker.io – Visual Website Feedback | marker-io |
Media Library Assistant | media-library-assistant |
Mendeley Plugin | mendeleyplugin |
OPcache Dashboard | opcache |
Open User Map | open-user-map |
Optimize Database after Deleting Revisions | rvg-optimize-database |
Order auto complete for WooCommerce | order-auto-complete-for-woocommerce |
POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress | post-smtp |
Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | wp-user-avatar |
Permalinks Customizer | permalinks-customizer |
Pinpoint Booking System – #1 WordPress Booking Plugin | booking-system |
Podcast Subscribe Buttons | podcast-subscribe-buttons |
Post View Count | wp-simple-post-view |
Pressference Exporter | pressference-exporter |
Product Category Tree | product-category-tree |
Profile Extra Fields by BestWebSoft | profile-extra-fields |
Publish Confirm Message | publish-confirm-message |
Redirection for Contact Form 7 | wpcf7-redirect |
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
SendPulse Free Web Push | sendpulse-web-push |
Seriously Simple Stats | seriously-simple-stats |
Sharkdropship for AliExpress Dropship and Affiliate | wooshark-aliexpress-importer |
Short URL | shorten-url |
ShortCodes UI | shortcodes-ui |
Simple SEO | cds-simple-seo |
Smart Cookie Kit | smart-cookie-kit |
Social Feed | Custom Feed for Social Media Networks | wp-social-feed |
Social Metrics | social-metrics |
Social proof testimonials and reviews by Repuso | social-testimonials-and-reviews-widget |
Sp*tify Play Button for WordPress | spotify-play-button-for-wordpress |
Stout Google Calendar | stout-google-calendar |
Timely Booking Button | timely-booking-button |
Urvanov Syntax Highlighter | urvanov-syntax-highlighter |
User Location and IP | user-location-and-ip |
Video Gallery – Best WordPress YouTube Gallery Plugin | gallery-videos |
WOLF – WordPress Posts Bulk Editor and Manager Professional | bulk-editor |
WP Bing Map Pro | api-bing-map-2018 |
WP Content Pilot – Autoblogging & Affiliate Marketing Plugin | wp-content-pilot |
WP Custom Widget area | wp-custom-widget-area |
WP Forms Puzzle Captcha | wp-forms-puzzle-captcha |
WP Mail SMTP Pro | wp-mail-smtp-pro |
WP Power Stats | wp-power-stats |
WP Responsive header image slider | responsive-header-image-slider |
WP User Frontend – Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission Plugin | wp-user-frontend |
WhitePage | white-page-publication |
WooCommerce Login Redirect | woo-login-redirect |
WooODT Lite – WooCommerce Order Delivery or Pickup with Date Time Location | byconsole-woo-order-delivery-time |
WordPress Popular Posts | wordpress-popular-posts |
WordPress Simple HTML Sitemap | wp-simple-html-sitemap |
YouTube Playlist Player | youtube-playlist-player |
affiliate-toolkit – WordPress Affiliate Plugin | affiliate-toolkit-starter |
canvasio3D Light | canvasio3d-light |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Dropshipping & Affiliation with Amazon <= 2.1.2 – Authenticated (Subscriber+) Arbitrary File Upload
CVE ID: CVE-2023-31215
CVSS Score: 8.8 (High)
Researcher/s: spacecroupier
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17240c75-4e2a-45d2-8114-414c7e81af87
Advanced Page Visit Counter <= 7.1.1 – Authenticated (Contributor+) SQL Injection
CVE ID: CVE-2023-45074
CVSS Score: 8.8 (High)
Researcher/s: TomS
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1810cea5-cfca-4699-bf09-0e474d04acb6
MStore API <= 4.0.6 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2023-45055
CVSS Score: 8.8 (High)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8b10d0c-e2fc-47a3-9df9-8df58eee964c
Copy Or Move Comments <= 5.0.4 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2023-28748
CVSS Score: 8.8 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2b020c3-0eb9-4ff1-b94e-e32452695b5d
Sharkdropship for AliExpress Dropship and Affiliate <= 2.2.3 – Missing Authorization
CVE ID: CVE-2023-30870
CVSS Score: 7.3 (High)
Researcher/s: spacecroupier
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8812cfe-4bbe-44ba-9513-7f81bad68d11
Form Maker by 10Web <= 1.15.18 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-45071
CVSS Score: 7.2 (High)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05b434f7-6bce-4ad0-bd12-db5b01f14953
AmpedSense – AdSense Split Tester <= 4.68 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-25476
CVSS Score: 7.2 (High)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/266bbcab-7d41-4c38-b136-24da61728977
Post SMTP <= 2.6.0 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3816a6cf-8157-4ad9-83f6-93c9b6c6275f
Seriously Simple Stats <= 1.5.0 – Authenticated (Podcast manager+) SQL Injection via order_by
CVE ID: CVE-2023-45001
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46150f65-e662-4539-ae99-eaee297a2608
Video Gallery – YouTube Gallery <= 2.0.2 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-45069
CVSS Score: 7.2 (High)
Researcher/s: Ravi Dharmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8382051-ae17-4719-94b5-3cfb0b5e82b1
Pressference Exporter <= 1.0.3 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-45046
CVSS Score: 7.2 (High)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c12ba39f-03bc-4a45-b2f4-368f48c0a57b
YouTube Playlist Player <= 4.6.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-45049
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02cffe63-dad2-4f6b-9530-7f494e3071d7
Podcast Subscribe Buttons <= 1.4.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5308
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17dbfb82-e380-464a-bfaf-2d0f6bf07f25
Instagram for WordPress <= 2.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5357
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3991d8d0-57a8-42e7-a53c-97508f7e137f
WP Responsive header image slider <= 3.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5334
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6953dea2-ca2d-4283-97c2-45c3420d9390
User Location and IP <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-31217
CVSS Score: 6.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e501592-4411-4c0a-aa67-e2d0a29d5d35
Smart Cookie Kit <= 2.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-45608
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9b726e21-ff76-43ea-beb1-f68e94d3b7a4
Media Library Assistant <= 3.11 – Authenticated (Author+) Stored Cross-Site Scripting
CVE ID: CVE-2023-24385
CVSS Score: 6.4 (Medium)
Researcher/s: n0paew
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a1603dc9-7f5e-47e1-8a81-27bb4df1aa4f
WordPress Popular Posts <= 6.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-45607
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a91e8713-a760-4acd-9987-2a6b11dbdd56
Contact form Form For All <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5337
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abe2f596-b2c3-49d3-b646-0f4b64f15674
Blog Filter <= 1.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5291
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b95c1bf7-bb05-44d3-a185-7e38e62b7201
Gumroad <= 3.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-45059
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd2abab4-f93c-454d-928d-128a490da0e2
WP Simple HTML Sitemap <= 2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-45067
CVSS Score: 6.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fca6d469-60e7-4866-a53c-d207817c9204
WPGetAPI 2.1.0 – 2.2.1 – Authenticated (Subscriber+) Arbitrary Options Update
CVE ID: CVE Unknown
CVSS Score: 6.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39003835-80df-49c7-982a-346bf328565c
Bulk NoIndex & NoFollow Toolkit <= 1.42 – Reflected Cross-Site Scripting via ‘s’
CVE ID: CVE-2023-45065
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e4f6305-d003-478e-a8ef-0b254084f56f
Form Maker by 10Web <= 1.15.18 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-45070
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b1db6b8-f005-488f-b2cc-667acc700b0a
RegistrationMagic <= 5.2.4.1 – Reflected Cross-Site Scripting via section_id
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d010e55-d57a-49f7-a991-76b676b88f1e
Fotomoto <= 1.2.8 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-45007
CVSS Score: 6.1 (Medium)
Researcher/s: OZ1NG (TOOR, LISA)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fbeee6b-cbc0-462e-96ba-2fd4f54786b0
Download canvasio3D Light <= 2.4.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-45062
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39b8f6d8-bca2-4bf2-93ab-868270df8752
Product Category Tree <= 2.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-45054
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e03ecc0-5ca1-4d64-a6d7-257325bcc5cb
Seriously Simple Stats <= 1.5.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-45005
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92734acf-2021-4217-8cdd-a9d269198db3
OPcache Dashboard <= 0.3.1 – Reflected Cross-Site Scripting via ‘page’
CVE ID: CVE-2023-45064
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3d6104b-eb2d-4e7e-98bd-6a46bd69ef5c
WooODT Lite <= 2.4.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-45006
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ede4b8ad-3c12-4ed8-9eda-806afa580bad
Social Feed <= 2.2.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-45003
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f124b5a0-b58b-45ff-bd22-7a09a9abd9bd
Simple SEO <= 2.0.23 – Cross-Site Request Forgery via multiple admin_post functions
CVE ID: CVE-2023-45269
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/053b72c6-07bb-4e9f-ae25-da4bce91ae6e
Post View Count <= 1.8.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-44996
CVSS Score: 5.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/114cf149-e923-4e21-9eb0-e38941799304
WP Forms Puzzle Captcha <= 4.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-44997
CVSS Score: 5.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c75edd2-fc38-48b1-b58c-1d19c95c3db8
Urvanov Syntax Highlighter <= 2.8.33 – Cross-Site Request Forgery via init_ajax
CVE ID: CVE-2023-45106
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c85fa64-4761-4b92-bd4f-7c220cf18288
Social proof testimonials and reviews by Repuso <= 5.00 – Cross-Site Request Forgery
CVE ID: CVE-2023-45048
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/526aa2e5-06bd-4b4c-a331-315f8ab37858
LeadSquared Suite <= 0.7.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-45047
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8da42003-f2d8-4837-84b2-e0e7171fa3fe
Customer Reviews for WooCommerce <= 5.36.0 – Missing Authorization in Reviews Exporter
CVE ID: CVE-2023-45101
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d60f3da1-1184-4629-880c-ce3893fb55a5
Pinpoint Booking System <= 2.9.9.4.0 – Cross-Site Request Forgery via initBackEndAJAX
CVE ID: CVE-2023-45270
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4dfb4b5-b2a5-40bd-9dfb-863baa563d06
Optimize Database after Deleting Revisions <= 5.0.110 – Missing Authorization via ‘odb_csv_download’
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09050c1e-26e0-46e7-b5f0-ebaff4066b0a
Captcha/Honeypot for Contact Form 7 <= 1.11.3 – Captcha Bypass
CVE ID: CVE-2023-45009
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60e9351a-302b-4a31-8a9c-c0a0b6ee3fcd
WP Ultimate Exporter <= 2.2 – Unauthenticated Information Disclosure
CVE ID: CVE-2023-2487
CVSS Score: 5.3 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61f7e01e-c9ce-47f6-96d0-de908ce7e90c
ProfilePress <= 4.13.2 – Information Disclosure via Debug Log
CVE ID: CVE-2023-44150
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f5357e0-1e1b-4090-a6ae-9587c6a8d290
Profile Extra Fields by BestWebSoft <= 1.2.7 – Missing Authorization to Sensitive Information Exposure
CVE ID: CVE-2023-4469
CVSS Score: 5.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/916c73e8-a150-4b35-8773-ea0ec29f7fd1
Redirection for Contact Form 7 <= 2.9.2 – Missing Authorization
CVE ID: CVE-2023-39920
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9cf17c08-25b7-450d-acd9-963a1f79e495
WP Mail SMTP Pro <= 3.8.0 – Missing Authorization to Information Disclosure via is_print_page
CVE ID: CVE-2023-3213
CVSS Score: 5.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a813251b-a4c1-4b23-ad03-dcc1f4f19eb9
ChatBot <= 4.7.8 – Cross-Site Request Forgery via qc_wp_latest_update_check
CVE ID: CVE-2023-44993
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be9522c8-3561-48fe-89ef-62e0fcb085b0
Open User Map | Everybody can add locations <= 1.3.26 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-45056
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08593415-bbc9-4159-b5d5-84e4dde6c2c9
Complete Open Graph <= 3.4.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-45010
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f3303db-9ba6-4638-ba96-151cf91db85b
Timely Booking Button <= 2.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44987
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2eb3b568-8689-4184-8091-0b84aa6b472d
Abandoned Cart Lite for WooCommerce <= 5.15.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44986
CVSS Score: 4.4 (Medium)
Researcher/s: Robert DeVore
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/524e9ec1-9c7c-4b06-915c-8122ea6c3601
Geo Controller <= 8.5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6faf7e36-52d7-4578-bb71-2b64a761692b
Mendeley <= 1.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-45073
CVSS Score: 4.4 (Medium)
Researcher/s: NeginNrb
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b56c684-90f6-4e8b-86fc-355a13b5368c
WOLF <= 1.0.7.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44990
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85b439ea-08f9-4b4e-80da-7c5f80bc2818
Image vertical reel scroll slideshow <= 9.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-45051
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91b06d7d-7e92-49f0-b161-9b25318edfeb
Order auto complete for WooCommerce <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-45072
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9521ad5b-83c3-487e-a69e-ca057777bc9e
Hotjar <= 1.0.15 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1259
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9c640bcb-b6bf-4865-b713-32ca846e4ed9
Social Metrics <= 2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44263
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3267339-2f28-40b9-b6ff-fdfe0d67bdc8
Comment Reply Email <= 1.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-45008
CVSS Score: 4.4 (Medium)
Researcher/s: Yebin Lee
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba7d0ab4-55a5-47f4-b66e-27e963ab2268
Hitsteps Web Analytics <= 5.86 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-45057
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f68a386b-544f-4aa2-8ae5-4d57ddd07b63
Publish Confirm Message <= 1.3.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-32124
CVSS Score: 4.3 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05c2707c-c737-4f95-83e0-b0a4e0883d4b
Sp*tify Play Button for WordPress <= 2.10 – Cross-Site Request Forgery
CVE ID: CVE-2023-41131
CVSS Score: 4.3 (Medium)
Researcher/s: BuShiYue
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b82fae0-4eec-41ea-90e2-9d08258805b3
Contact Form by Supsystic <= 1.7.27 – Cross-Site Request Forgery
CVE ID: CVE-2023-45068
CVSS Score: 4.3 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16dc1927-2171-4234-805b-6e4eed99fa90
WhitePage <= 1.1.5 – Cross-Site Request Forgery via params_api_form.php
CVE ID: CVE-2023-45109
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b377236-bb56-4d31-837a-c5064d46a6c6
Automated Editor <= 1.3 – Cross-Site Request Forgery via admin menu pages
CVE ID: CVE-2023-45276
CVSS Score: 4.3 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/27799988-cb2b-41c7-ad9a-aade59d31fa3
Stout Google Calendar <= 1.2.3 – Cross-Site Request Forgery via sgc_plugin_options
CVE ID: CVE-2023-45273
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33efcbb4-2bb9-4414-bc95-55bedb92c551
WP Content Pilot – Autoblogging & Affiliate Marketing Plugin <= 1.3.3 – Authenticated (Contributor+) Content Injection
CVE ID: CVE-2023-45053
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/373c10df-0d9c-4f76-8d1f-cad6bcfed141
Blog Manager Light <= 1.20 – Cross-Site Request Forgery via bml_settings
CVE ID: CVE-2023-45102
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38307432-399e-4887-867c-9eb2a0d90d70
Mailrelay <= 2.1.1 – Cross-Site Request Forgery via render_admin_page
CVE ID: CVE-2023-45108
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c07a2fe-97b1-45ec-bbd9-9353d679ed49
AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One <= 1.1.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-45063
CVSS Score: 4.3 (Medium)
Researcher/s: konagash
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3de1bcd7-24a8-4566-819b-d6653344e132
IRivYou <= 2.2.1 – Cross-Site Request Forgery via saveOptionsReviewsPlugin
CVE ID: CVE-2023-45267
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5607cc07-5104-45d0-8279-ba0ef3ebcbe9
GoodBarber <= 1.0.22 – Cross-Site Request Forgery via admin_options
CVE ID: CVE-2023-45107
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57774f93-e6c0-46e6-8019-eab00b2b48ff
WP Bing Map Pro <= 4.1.4 – Cross-Site Request Forgery via AJAX actions
CVE ID: CVE-2023-45052
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5abc627d-2d8e-44e6-8e8e-ad9f55cbb0d8
Interactive World Map <= 3.2.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-45060
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b559a48-3c8b-4f8a-9627-c4f838d20af3
WP Custom Widget area <= 1.2.5 – Missing Authorization
CVE ID: CVE-2023-45045
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64559d37-0c6b-45f5-8a2a-6e70cb5e423c
SendPulse Free Web Push <= 1.3.1 – Cross-Site Request Forgery via sendpulse_config
CVE ID: CVE-2023-45274
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/654727e0-6129-47c7-94f3-10567b1a42d4
Hitsteps Web Analytics <= 5.86 – Cross-Site Request Forgery via hst_optionpage
CVE ID: CVE-2023-45268
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7252075f-9326-4f04-bdd9-b244609c9cd3
WP User Frontend <= 3.6.8 – Missing Authorization via AJAX actions
CVE ID: CVE-2023-45002
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e8e967f-f627-4c0c-ac0f-0a66ae25c602
ShortCodes UI <= 1.9.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-44994
CVSS Score: 4.3 (Medium)
Researcher/s: An Đặng
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/90e69e43-597c-4c18-b581-d99dacefb9b8
Short URL <= 1.6.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-45058
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95c5a219-0b04-424c-a3dd-d705b1b41ddc
Bold Timeline Lite <= 1.1.9 – Missing Authorization to Admin Notice Dismissal
CVE ID: CVE-2023-45110
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9bbabf5e-dbfc-4b01-94ae-0e8fd6b3cc26
Booster for WooCommerce <= 7.1.1 – Authenticated (Subscriber+) Information Disclosure via Shortcode
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a1426809-b245-4868-be87-c96b3c5c05f9
WP Power Stats <= 2.2.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-45011
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a86a694b-5e45-4e94-a22c-2c5faa7172a2
WooCommerce Login Redirect <= 2.2.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-44995
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8b0d708-4f74-4e6d-9581-f65caf976d45
Permalinks Customizer <= 2.8.2 – Cross-Site Request Forgery via post_settings
CVE ID: CVE-2023-45103
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf1f402d-98d7-42d7-8d8d-ff74a65e5293
Category Meta <= 1.2.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-44998
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf2ddc42-9910-40e5-9546-89f229b852da
Marker.io <= 1.1.6 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c49b3841-370b-42ed-9545-e69c2544642d
Customer Reviews for WooCommerce <= 5.36.0 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5429fb1-7072-4a00-8fb3-48d4f876417f
affiliate-toolkit – WordPress Affiliate Plugin <= 3.3.9 – Open Redirect via atkpout.php
CVE ID: CVE-2023-45105
CVSS Score: 3.4 (Low)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06b332de-4f94-47dc-a573-53514adaf5c0
As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.